Pizza Lovers Suffer Data Breach From Hell

netbuzz writes "Some 230,000 New Zealanders have been informed that their personal information has apparently fallen into the hands of hackers who compromised the network of a locally famous food chain, Hell Pizza. The company says it suspects 'a rogue employee,' but one security expert says Hell's ordering portal is 'about 50 steps of fail.' Several New Zealand celebrities are among the victims and at least one is taking the matter in stride, musing: 'My Twitter has been hacked, my Facebook has been hacked and I'm pretty sure half of New Zealand has my phone number already. I have nothing bad to say about Hell.'"
  • SQL Injection (Score:4, Informative)

    by Anonymous Coward on Thursday July 29, 2010 @01:24AM (#33065380)

    This isn't news.

    Their server would execute any SQL query sent to it. The SQL queries were hard coded into the Flash objects they used.

  • by SJ2000 ( 1128057 ) on Thursday July 29, 2010 @01:34AM (#33065460) Homepage
    Risky.Biz

    Immediately I spotted the SQL Queries being made by the Flash SWF as part of the query string to the server-side. The Flash client makes queries which are hard-coded in the .swf (this is dumb as it means SQL Injection is effectively a 'feature' of the store). You could easily alter the query string to show the hashes stored in the MySQL users table. I figured out the version of MySQL was 4.0 (Debian Sarge) - and the hashes in this version are very weak, cracking them would take less than a couple of hours. MySQL was listening on a remote port, so one could simply log in remotely and run queries or dump the database slowly so as to not be noticed.
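The two comments above describe a store whose client ships whole SQL statements in the query string and whose server runs them verbatim. The following is an added example, not code from Hell Pizza or from the commenters, that shows that design next to the hardened one (server-owned, allow-listed, parameterised queries); sqlite3 stands in for MySQL and all table contents are constructed.

```python
import sqlite3

# Constructed in-memory stand-in for the store's database (sqlite3 instead of MySQL).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE menu (id INTEGER, name TEXT, price REAL)")
    db.execute("CREATE TABLE customers (email TEXT, phone TEXT)")  # sensitive table
    db.executemany("INSERT INTO menu VALUES (?,?,?)",
                   [(1, "Mordor", 18.5), (2, "Unearthly", 14.0)])
    db.execute("INSERT INTO customers VALUES ('alice@example.invalid', '021-000-0000')")
    return db

# The pattern the comments describe: the client (a Flash SWF) sends a complete
# SQL statement and the server executes it as received. Injection is not a bug
# here, it is the interface: the server cannot distinguish a menu lookup from a
# read of any other table the DB user can see.
def vulnerable_endpoint(db, params):
    return db.execute(params["sql"]).fetchall()

# Hardened form: the server owns the SQL. The client may only name an operation
# from a fixed allow-list and supply typed arguments, which are bound, never
# concatenated. Tables with no listed operation are unreachable from here.
QUERIES = {
    "menu_item": ("SELECT name, price FROM menu WHERE id = ?", (int,)),
}

def hardened_endpoint(db, params):
    op = params.get("op")
    if op not in QUERIES:
        raise ValueError("unknown operation")
    sql, types = QUERIES[op]
    raw_args = tuple(params.get("args", ()))
    if len(raw_args) != len(types):
        raise ValueError("bad argument count")
    args = tuple(t(a) for t, a in zip(types, raw_args))  # int("1 OR 1=1") raises
    return db.execute(sql, args).fetchall()

def rejected(db, params):
    """True if the hardened endpoint refuses the request."""
    try:
        hardened_endpoint(db, params)
        return False
    except ValueError:
        return True

def demo():
    db = make_db()
    legit = hardened_endpoint(db, {"op": "menu_item", "args": ["1"]})
    # The old design runs whatever statement arrives, so the customer table is
    # one query-string edit away; the hardened one has no operation reaching it.
    leaked = vulnerable_endpoint(db, {"sql": "SELECT email, phone FROM customers"})
    blocked = rejected(db, {"op": "customers"})
    return legit, len(leaked), blocked
```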

  • by tbird81 ( 946205 ) on Thursday July 29, 2010 @01:54AM (#33065544)

    The original breach was at least one year ago, but Hell chose to ignore it. Whoever made their website allowed SQL code to be run from the url.

    Here's a blog [geekzone.co.nz] by the owner of the geekzone forum [geekzone.co.nz] that initially discovered the problem (because someone received spam from a disposable email address they used with the company).

  • Re:It's a concern... (Score:3, Informative)

    by MichaelSmith ( 789609 ) on Thursday July 29, 2010 @02:08AM (#33065604) Homepage Journal

    It's actually a really nice place. Without a doubt the best place I have been outside Australia. Their government is small scale, but it seems to work better that way.

  • by Anonymous Coward on Thursday July 29, 2010 @02:12AM (#33065614)

    I received an email from Hell just under a week ago:

    "Dear Valued Hell Customer,

    We have been approached by a party claiming to be in possession of
    customer details from the previous Hell website which is no longer in
    operation. The samples that we received included details of four customers
    from 2006, including phone numbers and email addresses and order
    information. We can confirm that credit card data was not at risk as this
    is held independently on a secure banking website.

    Whilst we are still investigating the matter, we can confirm that the
    information was obtained without our knowledge and we have approached the
    New Zealand Police with a view to lodging a formal complaint."

    They were upfront and open to their clients about the data breach, in a world where most corporates prefer the 'duck and hide' tactic. I appreciated their honesty, and will continue to shop there.

  • by SpzToid ( 869795 ) on Thursday July 29, 2010 @02:32AM (#33065668)

    replying due to unintentional mod.

  • Re:SQL Injection (Score:4, Informative)

    by SplashMyBandit ( 1543257 ) on Thursday July 29, 2010 @05:13AM (#33066346)

    Mate, you should try a Hell pizza. They are completely awesome. The website used to have pictures of the pizzas and they are not like Italian/American pizzas at all as they have a large number of ingredients on top (not just cheese, pizza sauce and pepperoni). My favourite is the "Mordor" and if you ever get to NZ you ought to try it. The other excellent pizza is the 'Unearthly' dessert pizza - sooo good.

  • by Anonymous Coward on Thursday July 29, 2010 @06:00AM (#33066562)

    Email address: to reset your password if you forget it (you'd want an account so you don't have to type in your address and payment info each time).

    Surely, if that's all they are storing the email address for, they should store a hash of the address instead. Passwords can be recovered by entering the username and email, the email is checked against the hash and then used to send out the password change details.

    Less plaintext data in the database means less data escapes during a breach. Yes, it would still be possible for addresses to be tested against the exposed hash column in the hope of a few matches, but at least it's not a phisher's to-do list.
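The reset flow the comment proposes (store only a hash of the address, check the user-supplied address against it, then send the reset there), as an added example that is not from the comment or from Hell Pizza. It also works through the caveat in the last paragraph: a plain hash column can be tested against guessed addresses, whereas a keyed hash whose key (PEPPER, an assumption of this example) is kept outside the database cannot. All users and addresses are constructed.

```python
import hashlib
import hmac
import os

# Server-side secret kept out of the database (config file or KMS in practice),
# so a dump of the users table alone is not enough to recompute tags.
PEPPER = os.urandom(32)

def normalize(email):
    return email.strip().lower().encode()

def unkeyed_tag(email):
    # The naive reading of "store a hash of the address".
    return hashlib.sha256(normalize(email)).hexdigest()

def email_tag(email, key=PEPPER):
    # Keyed variant: the only form of the address the database keeps.
    return hmac.new(key, normalize(email), hashlib.sha256).hexdigest()

def make_users():
    # Constructed user table: the address itself is never stored.
    return {"alice": {"email_tag": email_tag("Alice@Example.invalid")}}

def request_reset(users, username, email):
    """Caller supplies username and email; on a tag match the supplied address
    becomes the destination of the reset message. Returns it, or None."""
    user = users.get(username)
    # Always compute a tag so unknown usernames take the same time as known ones.
    expected = user["email_tag"] if user else email_tag("")
    if user and hmac.compare_digest(expected, email_tag(email)):
        return normalize(email).decode()
    return None

def offline_guess(stolen_tags, candidates, tag_fn):
    """What a leaked tag column yields to someone testing guessed addresses."""
    return [c for c in candidates if tag_fn(c) in stolen_tags]

def demo():
    users = make_users()
    ok = request_reset(users, "alice", "alice@example.invalid")
    wrong = request_reset(users, "alice", "mallory@example.invalid")
    cands = ["bob@example.invalid", "alice@example.invalid"]
    # Unkeyed column: the real address is confirmed by guessing it.
    naive_hits = offline_guess({unkeyed_tag("alice@example.invalid")}, cands, unkeyed_tag)
    # Keyed column without the pepper: the same guesses confirm nothing.
    other_key = os.urandom(32)
    keyed_hits = offline_guess({users["alice"]["email_tag"]}, cands,
                               lambda e: email_tag(e, other_key))
    return ok, wrong, naive_hits, keyed_hits
```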

  • Re:It's a concern... (Score:1, Informative)

    by Anonymous Coward on Thursday July 29, 2010 @08:49AM (#33067640)

    Yes, you also clearly have no sense of humor.

  • by Lumpy ( 12016 ) on Thursday July 29, 2010 @11:38AM (#33069820) Homepage

    http://www.bluemaumau.org/police_and_collection_agencies_love_dominos_database_pizza_lovers [bluemaumau.org]

    They store it and happily sell it.

    P.S. Domino's pizza is nasty. Try a real pizza place like a smaller mom and pop that wants to make quality instead of the cheapest high profit one they can.
