Burger King hacked - ethical hackers crack fast food security, and find it's as fragile as a French fry


  • Hard-coded passwords exposed Burger King’s fragile security infrastructure worldwide
  • Hackers accessed employee accounts and internal configurations with shocking ease
  • Plain-text passwords sent via email revealed careless cybersecurity practices

Restaurant Brands International (RBI), the parent company of Burger King, Tim Hortons, and Popeyes, has been called out for glaring security flaws.

Two ethical hackers, known as BobDaHacker and BobTheShoplifter, recently revealed how easily they gained access to critical systems.

Their findings, now archived after the original blog was pulled, paint a troubling picture of fast food cybersecurity.

Passwords that anyone could guess

One of the most startling discoveries was a password hard-coded in the HTML of an equipment ordering website.

This alone would have raised red flags, but the issues went further. In the drive-through tablet system, the password was simply “admin.”

Weak credentials like these are usually caught by even the most basic antivirus checks and system audits.

For a global company running over 30,000 outlets, such oversights raise serious questions about how little attention was given to digital safeguards.

The hackers explained how they accessed employee accounts, internal configurations, and even raw audio recordings of drive-through conversations.

Those recordings, which sometimes contained personal information captured as customers ordered food, were later processed by AI systems to evaluate both staff and customers.

This access, while responsibly handled by the ethical hackers, highlights what could have happened in the wrong hands.

The exposure extended to odd corners of the business as well. The team uncovered code tied to restaurant bathroom rating screens.

Although they joked about leaving fake reviews from home, they stuck to responsible disclosure practices.

They stressed that no customer data was retained, but the scope of their findings shows how open the systems were.

The ethical hackers described RBI’s security as “catastrophic” and “solid as a paper Whopper wrapper in the rain.”

That language may be tongue-in-cheek, but the flaws were real.

They included an API that allowed anyone to sign up without restrictions, and passwords sent in plain text by email.

The duo even found ways to grant themselves admin access across platforms.

These are the problems that basic ransomware protection and good malware removal policies are meant to reduce.

Yet the report shows that security fundamentals were overlooked at a corporate level, leaving every associated brand at risk.

RBI reportedly fixed the issues once informed, but the company did not publicly acknowledge the ethical hackers.

That silence leaves open the question of whether lessons will truly be learned or if this was treated as a patch-and-move-on event.

Via Tom's Hardware


Efosa Udinmwen
Freelance Journalist
