- Hard-coded passwords exposed Burger King’s fragile security infrastructure worldwide
- Hackers accessed employee accounts and internal configurations with shocking ease
- Plain-text passwords sent via email revealed careless cybersecurity practices
Restaurant Brands International (RBI), the parent company of Burger King, Tim Hortons, and Popeyes, has been called out for glaring security flaws.
Two ethical hackers, known as BobDaHacker and BobTheShoplifter, recently revealed how easily they gained access to critical systems.
Their findings, now archived after the original blog was pulled, paint a troubling picture of fast food cybersecurity.
Passwords that anyone could guess
One of the most startling discoveries was a password hard-coded in the HTML of an equipment ordering website.
This alone would have raised red flags, but the issues went further. In the drive-through tablet system, the password was simply “admin.”
Weak credentials like these are not something antivirus would flag; they are caught by routine secret scanning of source and deployed pages, default-credential checks, and access reviews, all of which count as basic system audits.
For a global company running over 30,000 outlets, such oversights raise serious questions about how little attention was given to digital safeguards.
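The two findings above, a credential embedded in a page's HTML and a default password left in place, are exactly what a first-pass client-side scan catches. The script below is an added example, not code from the disclosure or from RBI: it runs two regular expressions over a constructed sample page (credential-like identifiers assigned a quoted literal, and pre-filled password inputs) and rates any hit that is on a short default-password list as critical. The sample HTML, the identifier names and the password list are all assumptions made for illustration.

```python
"""Scan HTML/JS for hard-coded credentials and default passwords.

Added example (not code from the disclosure or from RBI): a minimal
client-side secret scanner of the kind a CI job or a pentester's first
pass would run over a rendered page. The sample page is constructed.
"""
import re

# Constructed sample page standing in for an equipment-ordering site.
SAMPLE_HTML = """\
<html>
<head>
<script>
  var apiBase = "https://orders.example.invalid/api";
  var orderingUser = "kiosk";
  var orderingPassword = "Wh0pper!2023";
  var analyticsId = "UA-0000";
</script>
</head>
<body>
<form action="/login" method="post">
  <input type="text" name="user" value="admin">
  <input type="password" name="pass" value="admin">
</form>
</body>
</html>
"""

# Identifier containing a credential-ish word, assigned a quoted literal
# (covers JS `key = "v"`, JSON `key: "v"` and attribute `key="v"` styles).
ASSIGNMENT = re.compile(
    r'\b(\w*(?:password|passwd|pwd|secret|token|api_?key)\w*)\s*[:=]\s*["\']([^"\']+)["\']',
    re.IGNORECASE,
)
# <input type="password" ... value="..."> pre-filled with a non-empty literal.
PASSWORD_INPUT = re.compile(
    r'<input\b[^>]*type=["\']password["\'][^>]*\bvalue=["\']([^"\']+)["\']',
    re.IGNORECASE,
)
# Small default-credential list (assumption); real audits use a much longer one.
DEFAULT_PASSWORDS = frozenset({"admin", "password", "123456", "root", "guest", "changeme"})


def _finding(lineno: int, kind: str, name: str, value: str) -> dict:
    """Build one finding; a value on the default list is rated critical."""
    default = value.lower() in DEFAULT_PASSWORDS
    return {
        "line": lineno,
        "kind": kind,
        "name": name,
        "value": value,
        "default_credential": default,
        "severity": "critical" if default else "high",
    }


def scan_html(html: str) -> list[dict]:
    """Return findings in document order, one per matched literal."""
    findings = []
    for lineno, line in enumerate(html.splitlines(), start=1):
        for m in ASSIGNMENT.finditer(line):
            findings.append(_finding(lineno, "assignment", m.group(1), m.group(2)))
        for m in PASSWORD_INPUT.finditer(line):
            findings.append(_finding(lineno, "password-input", "value", m.group(1)))
    return findings


def has_default_credential(findings: list[dict]) -> bool:
    """True if any finding is a known default password (an "admin"-style hit)."""
    return any(f["default_credential"] for f in findings)


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"line {f['line']:>3} [{f['severity']}] {f['kind']}: {f['name']} = {f['value']!r}")
```

On the sample page this reports the `orderingPassword` literal on line 6 as high and the pre-filled `admin` password input on line 13 as critical. A production scanner would add an allowlist for known false positives (CSRF tokens, public analytics IDs) and run over fetched responses and bundled JavaScript, not just static HTML, since the page described in the article served the secret to every visitor's browser.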
The hackers explained how they accessed employee accounts, internal configurations, and even raw audio recordings of drive-through conversations.
Those recordings sometimes contained personal information as customers ordered food, which was later processed by AI systems to evaluate both staff and customers.
This access, while responsibly handled by the ethical hackers, highlights what could have happened in the wrong hands.
The exposure extended to odd corners of the business as well. The team uncovered code tied to restaurant bathroom rating screens.
Although they joked about leaving fake reviews from home, they stuck to responsible disclosure practices.
They stressed that no customer data was retained, but the scope of their findings shows how open the systems were.
The ethical hackers described RBI’s security as “catastrophic” and “solid as a paper Whopper wrapper in the rain.”
That language may be tongue-in-cheek, but the flaws were real.
They included an API that allowed anyone to sign up without restrictions and plain-text emails containing passwords.
The duo even found ways to grant themselves admin access across platforms.
These are problems that basic application security controls are meant to prevent: gating or verifying account registration, never sending or storing passwords in plain text, and applying least privilege so that ordinary accounts cannot promote themselves to admin.
Yet the report shows that security fundamentals were overlooked at a corporate level, leaving every associated brand at risk.
RBI reportedly fixed the issues once informed, but the company did not publicly acknowledge the ethical hackers.
That silence leaves open the question of whether lessons will truly be learned or if this was treated as a patch-and-move-on event.
Via Tom's Hardware