Hell Pizza’s Customer Database Hacked

An online database for a Pizza store chain has been compromised this is According risky.biz, there is no credit card numbers but it contains about 400MB of customer’s information.

Currently Pizza stores are located in New Zealand, England, Australia and Ireland. Customers information are very important for this case as if a hacker managed to get access to these information (full names, addresses, phone numbers, e-mail addresses, passwords and order history ) the emails/phones can be used to extend the spam list and attack while all records and information can be lost.

One source Risky.Biz spoke to says they looked into the security of the website when rumours of the breach started doing the rounds:

Immediately I spotted the SQL Queries being made by the Flash SWF as part of the query string to the server-side. The Flash client makes queries which are hard-coded in the .swf (this is dumb as it means SQL Injection is effectively a ‘feature’ of the store).

You could easily alter the query string to show the hashes stored in the MySQL users table. I figured out the version of MySQL was 4.0 (Debian Sarge) – and the hashes in this version are very weak, cracking them would take less than a couple of hours.

MySQL was listening on a remote port, so one could simply log in remotely and run queries or dump the database slowly so as to not be noticed.

Security researcher and Metasploit creator H D Moore described the security arrangements of the online ordering portal, as described above, as “about 50 steps of fail”.

Another penetration tester says the Hell Pizza database is an excellent example of “non critical” information
that could still be used by attackers for great benefit.

Now the Hell Pizza invited to notify all costumers about the breach so they can take the security measures regarding thier credentials.

make sure you subscribe to my RSS feed!