Wetherspoons Hacker Speaks: 'I Did It Simply Because I Could'

The hacker wouldn't specify what vulnerability led to the breach, but was “surprised that no one else has done the same up to this point.”

Last week, Wetherspoons, a popular UK pub chain, announced that one of its websites had been breached. The hacker got away with the names, dates of birth, email addresses, and phone numbers of potentially 656,723 customers, as well as the partial payment card data of 100 people.

Then late on Monday night, the hacker responsible, who used the handle 'ropertus', contacted this reporter. To verify their identity, ropertus sent an email signed with the same PGP key listed with the advert for the stolen Wetherspoons data on a Russian hacking market. (This is the same method used to verify the communications between this reporter and The Impact Team, the hackers who breached extra-marital site Ashley Madison earlier this year.)

Ropertus said that breaching the Wetherspoons site "wasn't complicated whatsoever and would certainly add insult to injury to the company itself."

The hacker wouldn't specify what vulnerability led to the breach, but did add "I'm surprised that no one else has done the same up to this point."

"The vulnerability took no more than 15 minutes to find through manual searching and analysis," ropertus said.

In an email sent to the potential hack victims, Wetherspoons was keen to point out that the attack only affected an old company website. Bearing in mind the speed at which ropertus allegedly discovered the vulnerability, the sort of data obtained, and the hacker's comment about being surprised no one had exploited it before, there's a chance that ropertus used SQL injection.

SQL injection is an ancient website attack vector, and was first publicly discussed around 1998. But it still leads to some of the biggest breaches around, including the theft of personal data from UK ISP TalkTalk earlier this year.

Ropertus has been advertising the Wetherspoons data on w0rm, a forum and online marketplace owned by an eponymous Russian hacker, since at least September 27. Ropertus also has hundreds of thousands of email addresses, usernames, and hashed and plain text passwords for sale, coming from sites such as lorealparis.com.cn, sferos.one.lt, totallywicked-eliquid.com, gameevil.com, lgbt.lt, and funimation.com, according to product listings on w0rm.

The hacker has put no fixed price on the stolen Wetherspoons data; instead, individuals message ropertus and make their own offer.

"I have had quite a few potential buyers interested in the data as of late due to the attention it's received," ropertus said.

But victims, despite likely being worried their personal contact information is being sold on a criminal marketplace, may be surprised that, all in all, it's really not that valuable.

"I would price it $750-$1000" for the whole lot, ropertus said. "Not a premium price due to the mild contents within the database, and lack of financial information contained in it."

"That being said, many of the customers who expressed interest in purchasing it were happy to pay within this price range and I would comfortably make thousands of dollars as a result."

Naturally, the more often ropertus sold the data, "the cheaper it would get as databases are often traded and eventually it would become public."

But ropertus has apparently decided not to sell the Wetherspoons data at all. "I've made the decision not to sell it for a number of reasons, one of which is to further protect my identity." It's impossible to confirm that ropertus hasn't already sold the data.

Instead, ropertus claims that "I did it simply because I could, and to serve as knowledge being put into practice."