savag3: I wonder if the third party email marketing system they have used (mailprimer.com) has been compromised. That might explain why emails used at other companies have been spammed as well.
ukoda: Bee: Interesting...
I got it 3 times last night too... how did it get our email addresses? What have we all signed up for that has sold/leaked our email address???
I received it using the email address I signed up to with Hell Pizza. The email address was hell@mydomain so it is possible that they just created the email address, but I think it more likely Hell Pizza, or their site operator, either sold it or was compromised.
I have had this kind of problem with the House of Travel too and they, of course, denied any fault and tried to blame me by suggesting I had used the email address somewhere public. The catch with that theory is it was a unique email address just for them. One suggestion I had heard was that cross site scripting could be the cause of such email address leakage. I'm not sure how likely that is?
When contacted by Risky.Biz, Hell Pizza co-owner Stuart McMullin said he was unaware of the data breach. He offered no comment when a list of questions was e-mailed to him, beyond acknowledging the contact from "concerned customers" in 2009.
"I have spoken to my IT staff and they are not aware that our site was hacked or any records lost," McMullin wrote in an e-mail to Risky.Biz. "There were a couple of 'customers' that thought it was the case last year who emailed us - perhaps these are the sources you are referring to - but not to our knowledge."
One source Risky.Biz spoke to says they looked into the security of the website when rumours of the breach started doing the rounds:
Immediately I spotted the SQL Queries being made by the Flash SWF as part of the query string to the server-side. The Flash client makes queries which are hard-coded in the .swf (this is dumb as it means SQL Injection is effectively a 'feature' of the store).
You could easily alter the query string to show the hashes stored in the MySQL users table. I figured out the version of MySQL was 4.0 (Debian Sarge) - and the hashes in this version are very weak, cracking them would take less than a couple of hours.
MySQL was listening on a remote port, so one could simply log in remotely and run queries or dump the database slowly so as to not be noticed.
Security researcher and Metasploit creator H D Moore described the security arrangements of the online ordering portal, as described above, as "about 50 steps of fail".
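As an added illustration of the design the Risky.Biz source describes (this is not Hell Pizza's code and not the source's own findings; the `/store/data.php?q=` endpoint, the menu and users tables, and the log lines are all constructed, with SQLite standing in for MySQL): a handler that executes whatever SQL text the client sends, next to the same endpoint rebuilt so the client only names a server-side query and supplies typed parameters, plus a log check a defender could run to find requests whose query string carries SQL text.

```python
import re
import sqlite3
from urllib.parse import parse_qs


def make_db():
    """Constructed stand-in for the store database (SQLite, not MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE menu (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.execute("CREATE TABLE users (user TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO menu (name, price) VALUES (?, ?)",
                     [("Lust", 20.0), ("Wrath", 22.5)])
    # Placeholder hash; only here so the table is not empty.
    conn.execute("INSERT INTO users VALUES ('app', 'HASH-PLACEHOLDER')")
    return conn


def handle_request_insecure(conn, query_string):
    """The flawed design: the client (here, the SWF) ships the SQL itself and
    the server runs it verbatim. Any table reachable by the DB account is
    reachable by any client, so injection is a 'feature' rather than a bug."""
    sql = parse_qs(query_string)["q"][0]
    return conn.execute(sql).fetchall()


# Hardened form: the client may only name one of these queries; the SQL text
# lives on the server and every parameter is bound and type-checked.
ALLOWED_QUERIES = {
    "menu_by_max_price": (
        "SELECT name, price FROM menu WHERE price <= ? ORDER BY price", (float,)),
    "menu_item": (
        "SELECT name, price FROM menu WHERE id = ?", (int,)),
}


def handle_request_secure(conn, query_string):
    params = parse_qs(query_string)
    name = params.get("q", [None])[0]
    template, arg_types = ALLOWED_QUERIES.get(name, (None, None))
    if template is None:
        raise ValueError("unknown query name: %r" % name)
    raw_args = params.get("arg", [])
    if len(raw_args) != len(arg_types):
        raise ValueError("wrong number of arguments")
    # int('abc') / float('x') raise ValueError, so malformed input never
    # reaches the database; the values themselves go in as bound parameters.
    args = [cast(a) for cast, a in zip(arg_types, raw_args)]
    return conn.execute(template, args).fetchall()


# Detection: SQL keywords inside a decoded query string are a strong sign the
# application is being driven with raw SQL, whether by design or by an attacker.
SQL_KEYWORDS = re.compile(r"\b(select|union|insert|update|delete|drop)\b", re.I)
REQUEST_PATH = re.compile(r'"(?:GET|POST) (\S+)')


def flag_raw_sql_requests(log_lines):
    """Return the request paths whose query string contains SQL keywords."""
    flagged = []
    for line in log_lines:
        m = REQUEST_PATH.search(line)
        if not m:
            continue
        path = m.group(1)
        query_string = path.partition("?")[2]
        decoded = " ".join(v for values in parse_qs(query_string).values() for v in values)
        if SQL_KEYWORDS.search(decoded):
            flagged.append(path)
    return flagged


# Constructed access-log lines (Apache combined format) for the detection check.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2010:12:00:00 +1300] "GET /store/data.php?q=menu_item&arg=2 HTTP/1.1" 200 88',
    '10.0.0.9 - - [01/Jan/2010:12:00:03 +1300] "GET /store/data.php?q=SELECT%20name%20FROM%20menu HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2010:12:00:09 +1300] "GET /images/logo.png HTTP/1.1" 200 1024',
]


if __name__ == "__main__":
    db = make_db()
    print(handle_request_secure(db, "q=menu_by_max_price&arg=21"))
    print(flag_raw_sql_requests(SAMPLE_LOG))
```

The point of the hardened handler is that the SWF can no longer influence the shape of the query at all, only its bound values; combined with a database account limited to the menu tables and a MySQL port not exposed to the internet, the three weaknesses the source lists (client-supplied SQL, reachable hash table, remote listener) each get a separate control.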
Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies
Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.
"I am posting this on behalf of Hell Pizza. I would like to advise that we don't sell email addresses (very bad), nor have we been hacked (our web servers are behind dedicated, monitored firewalls). We use software from Interspire and I'm not aware of any security vulnerabilities in the latest version we have installed.
I'm more inclined to believe that this is the result of brute force attacks - unfortunately for us, "hell" is not the most advantageous/desirable word to be using in email correspondence or email addresses."
---
James Sleeman
I sell lots of stuff for electronic enthusiasts...
dontpanic42: Looks like Hell pizza have now taken the matter to the police.
freitasm: dontpanic42: Looks like Hell pizza have now taken the matter to the police.
After someone raised the possibility here 18 months ago? Surely they should've known for some time?
bazzer: "I am posting this on behalf of Hell Pizza. I would like to advise that we don't sell email addresses (very bad), nor have we been hacked (our web servers are behind dedicated, monitored firewalls). We use software from Interspire and I'm not aware of any security vulnerabilities in the latest version we have installed.
I'm more inclined to believe that this is the result of brute force attacks - unfortunately for us, "hell" is not the most advantageous/desirable word to be using in email correspondence or email addresses."
Yeah, right.