# Rex Mundi hacks Domino's Pizza and gets half a million French and 50,000 Belgian profiles

We knew about it beforehand and tried to contact the various responsible services in Belgium.

They wanted the money before today.

But Rex Mundi will probably have remembered that you never get anything done on a Friday with that kind of potential impact, unless you have some kind of cyber-emergency management service that can coordinate such operations.

This is the information that he has:

Earlier this week, we hacked our way into the servers of Domino's Pizza France and Belgium, who happen to share the same vulnerable database. And boy, did we find some juicy stuff in there! We downloaded over 592,000 customer records (including passwords) from French customers and over 58,000 records from Belgian ones. That's over six hundred thousand records, which include the customers' full names, addresses, phone numbers, email addresses, passwords and delivery instructions. (Oh, and their favorite pizza topping as well, because why not).

We immediately sent various emails to both Domino's Pizza France and Belgium. We also used the contact forms on their websites to let them know of this vulnerability and to offer them not to release this data in exchange for 30,000 Euros.

So far, Domino's Pizza has not replied to our demands. We would also like to point out that both of their websites are still up and vulnerable.

Domino's Pizza has until Monday at 8PM CET to pay us. If they do not do so, we will post the entirety of the data in our possession on the Internet.

(Published somewhere online.)

Sample data from the French website:

First name/Last name/Address/City/Telephone Nr/Email address/Password

Sample data from the Belgian site:

First name/Last name/Address/City/Telephone Nr/Email address/Password



We can confirm that the data is correct, but we have decided to withdraw the data because the people are being harassed by press and jokers. So this promises to be interesting on Monday.

Three important things:

* This is the beginning of a complete profile with which a lot more information can be collected online, and with which a lot can be done, because all security questions can be bypassed (and with VoIP, even the phone number).

   If it is combined with other information, it becomes even more valuable.

* Too many people use the same password all over the web (and for really important services, passwords alone are in fact dead, because only two-factor authentication can prove that you are who you say you are).

* It proves once again that websites

   * should not ask for information they don't need (date of birth, for example)

   * shouldn't keep information longer than they need to, and should destroy inactive data every x days, weeks or months

   * should ask people every x months to change their passwords, and block those who don't after x days or weeks

* It proves to people that

   * they should never fill in correct data that a site doesn't need in order to do business with them (my date of birth is different for every website that asks for it)

   * they should never reuse the same passwords for important services, and should use throwaway passwords for other services

   * you should never expect that things on the internet are safe; more often than not, they are not (the technique he is using is not that complicated, and it says more about the insecurity of the sites than about his skills; and yes, it is quite easy and standard practice to protect your websites and databases against those attacks and leaks)

And yes, Rex Mundi is being traced, tracked and hunted down by the police services of all the countries where he did some hacking, and everybody is waiting for him to make his first mistake.

It will be interesting to see how the Privacy Commission will react, given its new guidelines, which oblige the operators of websites that have been compromised to inform their victims within 24 hours.
