Burger King and Other RBI Brands Hacked, Security Called ‘As Solid As A Paper Whopper Wrapper’

Image by M. Rennim, from Unsplash


Ethical hackers discovered catastrophic cybersecurity weaknesses in Burger King, Tim Hortons, and Popeyes systems, exposing employee accounts, drive-thru recordings, and weak security practices worldwide.

In a rush? Here are the quick facts:

  • Vulnerabilities allowed access to employee accounts, ordering systems, and drive-thru audio recordings.
  • Hackers found hard-coded passwords and weak API protections across all assistant platforms.
  • Passwords were stored in plain text and admin access could be easily obtained.

Ethical hackers BobDaHacker and BobTheShoplifter claim to have uncovered “catastrophic” vulnerabilities in systems run by Restaurant Brands International (RBI), the company behind Burger King, Tim Hortons, and Popeyes.

The chains operate through shared platforms that manage some 30,000 locations worldwide, and it is in these shared platforms that the hackers identified severe security weaknesses. The BobDaHacker blog described the security measures as “as solid as a paper Whopper wrapper in the rain,” as noted by Tom’s Hardware (TH), which first reported this story.

The security flaws enabled the hackers to gain access to employee accounts and ordering systems, and to listen to recorded drive-thru conversations. The ethical hackers received no response from RBI after they properly notified the company about the security issues, as explained by TH.

All three brands’ assistant platforms shared identical security vulnerabilities. TH reports that a hacker who gained entry to the system could modify employee accounts, manage store devices and equipment, distribute alerts to locations, and perform additional actions.

The vulnerabilities were discovered through a combination of careless API configurations and GraphQL introspection. The hackers found a signup endpoint that bypassed email verification, revealing passwords in plain text.

“We were impressed by the commitment to terrible security practices,” they wrote, as reported by TH. Using a GraphQL mutation called createToken, they could “promote ourselves to admin status across the entire platform.”

Additional security blunders included hard-coded passwords on store tablet interfaces and equipment ordering systems, sometimes set simply as ‘admin.’
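The three weaknesses described above (a signup flow that hands the password back in plain text, a token-creating mutation that lets the caller pick its own role, and store devices left on a shipped default password) are common enough to be worth seeing side by side. The following Python mock is an added example, not code from the researchers, RBI, or TH; the page says nothing about how RBI's createToken mutation was actually implemented, so `VulnerableApi`, `HardenedApi`, `grant_role`, `SHIPPED_DEVICE_PASSWORD` and the sample accounts are all constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample values: the default stands in for the 'admin' password the
# article mentions on store tablets. No real RBI data or endpoints appear here.
SHIPPED_DEVICE_PASSWORD = "admin"
ROLES = ("employee", "manager", "admin")


def _hash_password(password, salt=None):
    """Salted PBKDF2 digest; the hardened handlers store this, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def _check_password(password, salt, digest):
    return hmac.compare_digest(_hash_password(password, salt)[1], digest)


class VulnerableApi:
    """Models the reported failure modes: the signup response echoes the
    password, and the token mutation trusts whatever role the client asks for."""

    def __init__(self):
        self.users = {}
        self.tokens = {}

    def signup(self, email, password):
        # No email verification, plaintext storage, and the secret is echoed back.
        self.users[email] = {"password": password, "role": "employee", "verified": True}
        return {"email": email, "password": password}

    def create_token(self, email, role):
        # Nothing checks who is asking or whether they may hold `role`.
        token = secrets.token_hex(8)
        self.tokens[token] = {"email": email, "role": role}
        return token


class HardenedApi:
    """Same operations with server-side verification, hashing and authorization."""

    def __init__(self):
        self.users = {}
        self.tokens = {}
        self.pending_verification = {}

    def signup(self, email, password):
        salt, digest = _hash_password(password)
        self.users[email] = {"salt": salt, "digest": digest, "role": "employee", "verified": False}
        # The code would be sent out of band (e-mail); it is never in the API response.
        self.pending_verification[email] = secrets.token_urlsafe(16)
        return {"email": email, "status": "verification_pending"}

    def verify_email(self, email, code):
        if hmac.compare_digest(self.pending_verification.get(email, ""), code):
            self.users[email]["verified"] = True
            del self.pending_verification[email]
            return True
        return False

    def login(self, email, password):
        """Tokens carry the role stored on the account, not a client-supplied one."""
        user = self.users.get(email)
        if not user or not user["verified"] or not _check_password(password, user["salt"], user["digest"]):
            return None
        token = secrets.token_hex(8)
        self.tokens[token] = {"email": email, "role": user["role"]}
        return token

    def grant_role(self, requester_token, target_email, role):
        """Role changes are a privileged, audited action: only an admin may perform them."""
        requester = self.tokens.get(requester_token)
        if requester is None or role not in ROLES:
            raise PermissionError("unauthenticated request or unknown role")
        if requester["role"] != "admin":
            raise PermissionError("only an admin may change roles")
        target = self.users.get(target_email)
        if target is None or not target["verified"]:
            raise PermissionError("unknown or unverified target account")
        target["role"] = role
        return True


def devices_with_default_password(devices):
    """Audit helper: ids of store devices still on the shipped default password."""
    return [d["id"] for d in devices if d["password"] == SHIPPED_DEVICE_PASSWORD]
```

In the hardened version the role is a property of the account that only an existing admin can change, so there is no mutation argument a caller could set to promote themselves; the audit helper is the kind of check a fleet owner would run over a device inventory to find tablets that were never taken off the default credential.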

TH reports that the hackers gained access to complete unprocessed audio recordings of drive-thru orders, which sometimes contained personal information. The hackers gained access to bathroom rating screen systems, yet they chose not to modify them.

The BobDaHacker blog emphasized that “no customer data was retained during this research,” following responsible disclosure practices, as reported by TH.

This exposé highlights serious risks across major fast-food chains and underlines the importance of robust cybersecurity practices in global enterprises.
