Hackers who stole details of around 600,000 Domino's Pizza customers in France and Belgium have demanded €30,000 or else they will publish the information — including customers' favourite toppings.
The group of hackers, which uses the Twitter account @RexMundi_Anon, posted details of the breach online late last week.
"Earlier this week, we hacked our way into the servers of Domino's Pizza France and Belgium, who happen to share the same vulnerable database. And boy, did we find some juicy stuff in there!" the account tweeted.
The hackers claimed to have obtained more than 592,000 customer records (including passwords) from Domino's France and more than 58,000 records from the Belgian arm.
The records include the "customers' full names, addresses, phone numbers, email addresses, passwords and delivery instructions. (Oh, and their favourite pizza topping as well, because why not)," according to the Twitter account.
The hackers originally demanded payment of €30,000 by 8pm CET on Monday, but on Tuesday at around 5am CET they extended the deadline.
"If @dominos_pizzafr doesn't pay us tomorrow and we publish your data, u have the right to sue them. Speak to yr lawyer!"
The Twitter account has now been suspended. The 13 June post detailing the hack on Dpaste.com has also been removed.
Domino's Pizza France has confirmed the breach and advised customers this week to change their passwords, despite the passwords having been encrypted.
In a series of updates on Twitter on June 13, it said: "Domino's Pizza uses a commercial data encryption system. Nonetheless, the hackers we have fallen victim to are seasoned professionals and it is likely that they could break the encryption system used for passwords. As a result, we recommend that you change your password as a security precaution. We deeply regret this situation and take this unlawful access very seriously."
André ten Wolde, CEO of Domino's Pizza France, told Belgian newspaper De Standaard that it would not pay the ransom demanded and has filed a complaint with a court in Paris.
It's not the first time Rex Mundi has demanded a fee to prevent it leaking a customer database. In 2012, it hit up AmericCash for between $15,000 to $20,000.
The company did not pay and the group made good on its threat to publish the customer data.