Have I Been Pwned breach report email pwned entire firm's helldesk ticket system (Security News, June 2020)
A hapless IT bod found the Have I Been Pwned service answering its own question in a way he really didn't want - after a breach report including a SQL string KO'd his company's helpdesk ticket system.
A pseudonymous blogger posting under the name Matt published a tortured account of what happened when a breach notification email from HIBP was ingested into his firm's helpdesk ticket system and was automatically assigned a ticket ID. The company used version 9.4.5 of the GLPi open source helpdesk system, a rather old product but quite functional.
As Matt put it: "All was well until we received an email from haveibeenpwned to our helpdesk support address, which automatically got logged as a support ticket."
When one of your email addresses is included in a breach picked up by HIBP, you can generate a report that tells you where your details were found.
GLPi 9.4.5 is vulnerable to a SQL injection flaw which just happened to be triggered by the formatting of HIBP's breach report email.