Hell Pizza security breach: I’ll have extra passwords with that

Hell Pizza logo and egg
Hell Pizza, a popular chain of pizza restaurants in New Zealand with other branches around the world, has found itself in the embarrassing situation of having to admit that a hacker appears to have stolen a large portion of their customer database.

According to Risky.Biz, more than one hacker has accessed Hell Pizza’s poorly secured 400MB database, which has 230,000 entries containing full names and addresses, phone numbers, email addresses and passwords. Oh, and they also know what kind of pizza you prefer.

Hell Pizza has posted a letter to customers on its Facebook page about the incident.

Some customers have noted with curiousity that Hell Pizza has posted the communication as a graphical image rather than plain text which would have helped the news be found by search engines and indexed across the internet. It certainly seems an odd choice, so allow me to gallop to the rescue for those who want it in plain text:

Sign up to our free newsletter.
Security news, advice, and tips.

Dear Valued Hell Customer,

We have been approached by a party claiming to be in possession of customer details from the previous Hell website which is no longer in operation. The samples that we received included details of four customers from 2006, including phone numbers and email addresses and order information. We can confirm that credit card data was not at risk as this is held independently on a secure banking website.

Whilst we are still investigating the matter, we can confirm that the information was obtained without our knowledge and we have approached the New Zealand Police with a view to lodging a formal complaint. Hell recognises the importance of protecting customer information and additional security measures were implemented earlier this year when our new website was rolled out (again, we reiterate that this is not an issue affecting the new website). As a further security measure you may wish to consider changing your passwords on other sites if they were the same as the old Hell Pizza website.

We apologise for the incident and any inconvenience that this may have caused.


Stu McMullin - Director Hell Pizza

We acknowledge that some of you have asked to be removed from the database and we have included you for the purposes of this notification.

As I’ve explained before, you should never use the same username and password on multiple websites. It’s like having a skeleton key which opens every door – if the bad guys scoop up your password in one place they can try it in many other places. If it gets hacked (like in the Hell Pizza example) then cybercriminals could use it to access your other online accounts – webmail, PayPal, Amazon, and so on..

Here’s a video which explains how to choose a strong password, which is easy to remember but still hard to crack:


Don’t delay, be sensible and make your passwords more secure today.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.