ShitExpress online poop gifting site suffers data breach

ShitExpress, a website that lets you send a box of feces along with a personalized message to friends and enemies, has suffered a data breach after a “customer” spotted a vulnerability.

ShitExpress describes a 4-step buying process on its website:

  • Select the animal excrement, e.g. organic, wet horse poo.
  • Enter a shipping address.
  • Personalize the packaging, e.g. with a smiley sticker.
  • Pay via credit card or Bitcoin.

ShitExpress promises its customers complete anonymity.

There were 60,000 entries in the order database, but only 29,000 of them were paid for by customers. You do not need to register on the website to order. After you fill out a form, ShitExpress sends an invoice to the specified e-mail address, and you can pay for the order with Bitcoin or a bank card using the methods detailed in it.

But this time around, ShitExpress was visited by an interesting customer: pompompurin, the owner of the Breached.co hacking forum and a well-known hacker who has previously stolen private data from companies like QuestionPro and Mangatoon. The hacker also previously put up stolen data of 7 million Robinhood customers for sale online.

According to a forum post written by pompompurin, the hacker recently visited ShitExpress to send a box of poop to cybersecurity researcher Vinny Troia. 

In the process, the hacker discovered that the website had an easily exploitable vulnerability (SQL Injection), which allowed him to access customer messages, e-mail addresses, and other private data related to customer orders. 

Ultimately, instead of reporting the vulnerability responsibly, pompompurin exploited the flaw and downloaded the entire database, but did not blackmail the site’s owners with a ransom demand.

ShitExpress has patched the vulnerability and does not consider the data theft a big deal.



from Virtualattacks https://ift.tt/gOPKdUJ