Dominos Hacked for 600,000 User Passwords

Hand over the dough, and nobody gets hurt. Food puns aside, the loss of 600,000 user credentials is nothing to joke about. Dominos Pizza has announced the loss of a cache of usernames and passwords which belonged to customers in France and Belgium, claiming that an unknown group of hackers have attempted to extort them for $45,000 to keep the whole problem under wraps.


Photo: Pressmaster / Shutterstock

The ring has said that if the popular pizza chain doesn’t comply with their demands, they will release the encrypted information to the open web, potentially compromising hundreds of thousands of personal details all in the pursuit for cold hard Bitcoin.

Notorious cracker outfit Rex Mundi (@RexMundi_Anon) has taken partial credit for the online attack, writing on a web clipboard that the ingredients of the stolen Dominos data included customer names, phone numbers, email and street addresses, along with passwords and usernames which could be matched against other databases to grant even wider access to a greater number of accounts in the region.

To prove their point, a small sample of the files were released to officials handling the case, showcasing just how wide and deep the rabbit hole goes on this one. It also reveals the inherent weaknesses of the MD5 encryption architecture, which has started to show its age against high powered computers which can be bought for a dime on the dollar that it used to cost to set up server arrays tasked with nothing else but the utter destruction of any password protections that might accidentally get caught in its path.

This isn’t the first public hostage negotiation that Rex Mundi has been a part of either, with the growingly prolific hacker popping up as a part of an extortion plot with Americash Advance earlier this year, as well as the Belgian hosting firm Alfanet.

Both companies refused to pay Mundi his bounty, resulting in the loss of tens of thousands of customer details and around $40,000 in lost cash from the hacker who has yet to be traced to any known country of origin.

While the French authorities are hot on his tail, Dominos has offered their condolences through a PR-approved statement on Twitter, suggesting that any users who logged into the site in either country change their information immediately.

Of course, no company would outright claim they were willing to pay any hackers a bounty to keep their mouths shut and their hard drives quiet.

It’s believed that for every company, which has publicly claimed not to have paid off Mundi, another three have handled the issue in secret, settling the bounties for exorbitant prices in order to keep their names, and the lackadaisical state of their security systems, out of the headlines and swept as far under the rug as they will go before hitting the books of public record.

All told the bulk of the data grab landed on the shoulders of the French, with 592,000 usernames coming from their country, and the remaining 58,000 being sourced out of neighboring Belgium.