Ethical hackers **BobDaHacker** and **BobTheShoplifter** exposed severe security vulnerabilities at **Restaurant Brands International (RBI)**, the parent company of Burger King, Tim Hortons, and Popeyes. The flaws included a **hard-coded password in HTML**, a **default 'admin' password** on drive-through tablets, **plain-text passwords sent via email**, and an **unrestricted API signup** that allowed unauthorized admin access. With these, the researchers reached **employee accounts, internal configurations, raw audio recordings of drive-through conversations** (which contain customer personal data and are processed by AI), and even **restaurant bathroom rating screens**. The findings showed a **catastrophic oversight** in cybersecurity fundamentals, with none of the basic safeguards (credential management, access controls, system audits) in place. The researchers disclosed the issues responsibly and confirmed that they **retained no customer data**, but the exposure demonstrated how easily malicious actors could have exploited the same gaps. RBI reportedly fixed the vulnerabilities after disclosure but did not publicly acknowledge the researchers, which raises questions about whether security will improve beyond the reported bugs. The incident underscores systemic negligence in protecting **30,000+ global outlets** from data leaks, financial fraud, or operational disruption.
TPRM report: https://www.rankiteo.com/company/restaurant-brands-international
"id": "res1202112091125",
"linkid": "restaurant-brands-international",
"type": "Breach",
"date": "9/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Fast Food / Hospitality',
'location': 'Global (30,000+ outlets)',
'name': 'Restaurant Brands International (RBI)',
'size': 'Large Enterprise',
'type': 'Parent Company'},
{'industry': 'Fast Food',
'location': 'Global',
'name': 'Burger King',
'type': 'Subsidiary'},
{'industry': 'Fast Food / Coffee',
'location': 'Primarily Canada/US',
'name': 'Tim Hortons',
'type': 'Subsidiary'},
{'industry': 'Fast Food',
'location': 'Global',
'name': 'Popeyes',
'type': 'Subsidiary'}],
'attack_vector': ['Hard-coded Credentials',
'Plain-text Passwords in Emails',
'Unrestricted API Access',
"Default/Weak Passwords (e.g., 'admin')"],
 'data_breach': {'data_encryption': 'No (passwords handled in plain text, e.g., sent by email)',
                 'data_exfiltration': 'No (ethical hackers did not retain data)',
                 'personally_identifiable_information': 'Potential (in drive-through audio recordings)',
                 'sensitivity_of_data': 'Moderate to High (includes PII in audio recordings and system access credentials)',
                 'type_of_data_compromised': ['Employee credentials',
                                              'Internal configurations',
                                              'Audio recordings (potential PII)',
                                              'Operational data']},
 'description': "Hackers accessed employee accounts and internal configurations with shocking ease due to weak security practices at Restaurant Brands International (RBI), the parent company of Burger King, Tim Hortons, and Popeyes. Ethical hackers BobDaHacker and BobTheShoplifter discovered hard-coded passwords (e.g., 'admin'), plain-text passwords sent via email, and unsecured APIs that allowed unrestricted access. The vulnerabilities exposed internal systems, employee accounts, drive-through audio recordings (containing customer PII), and even restaurant bathroom rating screens. The hackers described RBI’s security as 'catastrophic,' highlighting systemic neglect of basic cybersecurity fundamentals. RBI reportedly fixed the issues after disclosure but did not publicly acknowledge the ethical hackers.",
 'impact': {'brand_reputation_impact': 'High (public exposure of systemic security failures across global brands: Burger King, Tim Hortons, Popeyes)',
            'data_compromised': ['Employee account credentials',
                                 'Internal system configurations',
                                 'Drive-through audio recordings (potential PII)',
                                 'Restaurant operational data (e.g., bathroom rating screens)'],
            'identity_theft_risk': 'Moderate (drive-through audio recordings may contain customer PII)',
            'operational_impact': 'High (potential for unauthorized access to critical systems, customer data exposure, and operational disruption)',
            'systems_affected': ['Equipment ordering website',
                                 'Drive-through tablet systems',
                                 'AI-powered customer/staff evaluation systems',
                                 'Restaurant management APIs',
                                 'Bathroom rating screens']},
 'initial_access_broker': {'data_sold_on_dark_web': 'No',
                           'entry_point': ['Hard-coded password in HTML',
                                           "Default 'admin' password in drive-through tablets",
                                           'Unrestricted API signup'],
                           'high_value_targets': ['Employee accounts',
                                                  'Internal configurations',
                                                  'Drive-through audio systems',
                                                  'Restaurant management APIs']},
 'investigation_status': 'Completed (by ethical hackers; RBI applied fixes but no public report)',
 'lessons_learned': 'Systemic neglect of basic cybersecurity practices (e.g., hard-coded passwords, plain-text credentials, unrestricted APIs) can expose global enterprises to severe risks. Ethical hacking revealed critical gaps in access controls, credential management, and operational security across RBI’s brands.',
'motivation': 'Ethical Hacking / Responsible Disclosure',
 'post_incident_analysis': {'corrective_actions': ['Patches applied to reported vulnerabilities (per RBI)',
                                                   'No public confirmation of broader security overhaul or policy changes'],
                            'root_causes': ['Lack of basic cybersecurity hygiene (e.g., hard-coded passwords, plain-text credentials)',
                                            'Absence of access controls (e.g., unrestricted API access)',
                                            'Inadequate system audits and vulnerability assessments',
                                            'Poor credential management practices',
                                            'Corporate neglect of security fundamentals despite global scale']},
 'recommendations': ['Implement robust password policies and multi-factor authentication (MFA)',
                     'Eliminate hard-coded credentials and enforce encryption for sensitive data',
                     'Conduct regular security audits and penetration testing',
                     'Restrict API access with proper authentication/authorization',
                     'Establish a transparent vulnerability disclosure program',
                     'Train employees on secure credential handling and phishing risks',
                     'Monitor dark web for exposed credentials or system access'],
'references': [{'source': 'Tom’s Hardware'},
{'source': 'Ethical Hackers’ Blog (Archived)'}],
 'response': {'communication_strategy': 'No public acknowledgment of ethical hackers or incident details',
              'containment_measures': ['Patch applied to vulnerabilities (reportedly)'],
              'incident_response_plan_activated': 'Yes (after ethical hacker disclosure)'},
'threat_actor': ['BobDaHacker (Ethical Hacker)',
'BobTheShoplifter (Ethical Hacker)'],
 'title': 'Hard-coded passwords exposed Burger King’s fragile security infrastructure worldwide',
'type': ['Unauthorized Access', 'Data Exposure', 'Weak Authentication'],
'vulnerability_exploited': ['Hard-coded passwords in HTML/APIs',
'Lack of password encryption',
'Missing access controls',
'Poor credential management']}