Feces and the internet have one thing in common, and that at least one person has made them business partners.

'Shitexpress' as what it's called, allow anyone to send feces to anyone in the world. Any feces sent shall be delivered inside a sealed box, nicely packed with a personalized, handwritten message. Nobody shall ever discover who sent it because the service promises 100% anonymity.

But not everything is anonymous, apparently.

The site asks for the senders' email, and also the targets' name and address. In other words, personal data is involved.

And unfortunately for the website, a Hacker managed to breached its system, and steal the data.

Shit happens.

Shitexpress, a web service that lets people send a box of feces along with a personalized message to friends and enemies, and that it has been breached after a "customer" spotted a vulnerability.

The thing is, the vulnerability was found following a unique twist: it happened during a feud between a hacker and a cybersecurity researcher.

It happened when Shitexpress website had a visit from Pompompurin, the owner of Breached.co hacking forum. The person who is also a well-known hacker has a track record of stealing sensitive data from various companies, and has been selling some of the stolen data for money.

According to a forum post authored by pompompurin, the hacker visited Shitexpress to send a box of faces to cybersecurity researcher Vinny Troia.

It's said that members for RaidForums including pompompurin are at a long-standing feud with Troia. After all, they're line of work cannot be anymore contrasting. But in this particular feud, it started when the researcher made interactions with the hacker community.

In response to the researcher, pompompurin managed to send false alert to be picked up by the FBI, about a November 2021 cyberattacks, conducted by "threat actor" Vinny Troia.

In retaliation, Troia even launched an online petition to ask international leaders to extradite pompompurin to the U.S.

And this time, pompompurin visited Shitexpress to send a token of appreciation to Troia.

But instead, the hacker realized that the website was vulnerable to SQL Injection.

The hacker was able to access customer messages, email addresses, and other private data associated with customer orders.

"Send a piece of shit in a box to someone," the website says.

"Imagine all the people who annoy you the most. An irritating colleague. School teacher. Your ex-wife. Filthy boss. Jealous neighbour. That successful former classmate. Or all those pesky haters."

The hacker pompompurin swiftly downloaded whatever they can. And just like what hackers would normally do, they would share it to the internet, through a hacking forum.

To show the legitimacy of the data, pompompurin also shared a small sample data set containing a preview of multiple database tables hosted by Shitexpress.

Among others, the messages exposing some angry messages, and some hysterical, personal messages sent by the customers with the gifts.

"It's honestly not that big... There's about 29,000 orders in the data," pompompurin told BleepingComputer.

Another twist in this case, pompompurin did not extort the site owners with a ransom demand, and even notified the website owner. This is kind of unusual for a notorious hacker.

"I gained access a day before I leaked it, and I notified the website owner after dumping the data. [I'm] not sure if they've acknowledged or anything as of yet," said the hacker.

In response, a spokesperson for Shitexpress said that its system has indeed been breached.

"We have spotted some unusual activity on our server 4 days ago and found out that one of our script is vulnerable to SQL injection. It's purely our fault -- a human error that could happen to anyone. It was found by one of our customers. We fixed the error immediately," the person said.

"Please understand that this is a simple prank site. There is no ransom demand. Nothing really happened."

To ensure that the breached data doesn't contain anything too serious, the person explained that Shitexpress is a prank website, meaning that the data people sent it to prank their friends, are mostly junk data.

"If a website visitor uses the form on our site, all the details are stored in our database. It's mostly junk because people are pranking their friends -- they enter their data + email address and leave. After that, we send them email to pay for their order and the pranked person is freaking out, trying to find out who did that."

Shitexpress further said that it will never reveal customers' real identity, because "we don't have any personal information of the people who filled the form on our website."

But still, things are more than just that, and shouldn't be taken too lightly.

This is because the addresses in the leaked database also include invoices, gift cards, promotions and PayPal records. The breach also exposed the IP and email addresses of senders, physical addresses of recipients and messages accompanying the delivery.

Of the accounts listed, approximately 1 account belonging to University of Maryland, Baltimore County (UMBC) was found.