Softpedia
 


July 26th, 2010, 13:04 GMT · By

New Zealand Pizza Store Chain Loses Customer Info



Vulnerable Hell Pizza website leads to database compromise
Hackers have stolen customer information from New Zealand-based Hell Pizza, which also operates stores in Australia, England and Ireland. A database containing the sensitive data has been circulating within security circles since last year, without any confirmation of the breach from the company.

According to Risky.biz, which followed up on the story, the database is 400 MB in size and lists information on some 230,000 customers. The exposed data does not include credit card details or other types of financial information, but does contain full names, addresses, phone numbers, emails, hashed passwords and even order history.

Risky.biz cites an undisclosed source, who allegedly investigated the Hell Pizza website after rumors of the data breach reached local security researchers. They found that SQL queries were hardcoded into a Flash file, which communicated directly with the database backend. All an attacker had to do was listen in on the traffic, capture these requests, then alter them in order to extract data.

Even worse, the MySQL server was accepting remote connections on a port, allowing an attacker to easily log in with the stolen credentials and copy the entire database directly. Furthermore, the hashing function used to protect customer passwords was weak and easily crackable. This suggests that standard password security practices like hash salting were not employed.
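The two application-level flaws described above, as an added example that is not code from Hell Pizza, Risky.biz or the original article: a handler that runs whatever SQL the client sends, beside one that keeps the SQL on the server, and per-user salted password hashing. SQLite stands in for MySQL so it runs offline; the table names, operation name, sample rows and the PBKDF2 work factor are assumptions.

```python
import hashlib, hmac, os, sqlite3

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed choice)

def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt per user defeats precomputed tables."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def make_db():
    """Constructed sample data; table and column names are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, salt BLOB, pw BLOB)")
    db.execute("CREATE TABLE orders (customer_id INTEGER, item TEXT)")
    for cid, email in [(1, "alice@example.test"), (2, "bob@example.test")]:
        # Both sample users deliberately share one password to show the salt's effect.
        db.execute("INSERT INTO customers VALUES (?, ?, ?, ?)",
                   (cid, email, *hash_password("same-password")))
    db.executemany("INSERT INTO orders VALUES (?, ?)", [(1, "margherita"), (2, "pepperoni")])
    return db

def handle_vulnerable(db, client_sql):
    """Design described in the article: the client ships the SQL text,
    so whoever controls the client decides what the database returns."""
    return db.execute(client_sql).fetchall()

# Hardened: SQL text exists only on the server; the client names an operation.
OPERATIONS = {"order_history": "SELECT item FROM orders WHERE customer_id = ?"}

def handle_hardened(db, session_customer_id, operation):
    """The customer id comes from the authenticated session, never from the request."""
    sql = OPERATIONS.get(operation)
    if sql is None:
        raise PermissionError(f"unknown operation: {operation!r}")
    return db.execute(sql, (session_customer_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(handle_hardened(db, 1, "order_history"))
```

The remotely reachable MySQL port mentioned above is a network and account configuration issue and is outside what this example covers.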

The most obvious danger here stems from the fact that a lot of people tend to reuse both usernames and passwords. This means that attackers could use the stolen information to access other accounts belonging to the affected customers, including ones that contain financial details.

This is not just a theoretical threat. Last week we reported that very similar data stolen by Turkish hackers from an Israeli commercial center and Pizza Hut was used to compromise the PayPal accounts of at least some of their customers.

It seems that Hell Pizza was contacted by concerned individuals last year shortly after the theft occurred, but it failed to verify the claims. However, the company has just recently contacted the police after it was provided with excerpts from the database.

You can follow the editor on Twitter @lconstantin
