On September 6, two hackers published a blog claiming they’d uncovered “catastrophic” cybersecurity flaws at Burger King, which Restaurant Brands International owns. Their post alleged broad AWS access, admin-level control, and drive-thru audio exposure before it was taken down after an RBI DMCA complaint.
A Tom’s Hardware report, which linked to the hackers’ write-up, summarized the claims. The two authors, who call themselves BobDaHacker and BobTheShoplifter, posted detailed steps and findings on their original blog and wrote, “We’re not even mad, just impressed by the commitment to terrible security practices.” They called the setup catastrophic. If accurate, the access could allow an intruder to add stores, purchase equipment, modify settings, and listen to customer recordings reportedly used to train an AI model.
Their post listed a wide range of access. The claims included the ability to:
- Easily access RBI’s Amazon Web Services (AWS) systems.
- Create new user accounts.
- Promote themselves to admin status.
- Access employees’ personal information.
- Order store equipment.
- Add and manage stores.
- Access store tablet interfaces.
- Access voice recordings of customers ordering at the drive-thru, which the pair allege are being used to train an AI model.
The original blog went live and was removed within 24 hours after RBI issued a DMCA complaint; an archived copy remains available on the Wayback Machine.
According to the hackers’ account, RBI moved to address at least some of the problems they reported, and the authors said they followed responsible disclosure protocols, though they also said RBI did not respond directly to them or publicly comment on specific vulnerabilities. That mix of swift patching claims and a legal takedown notice leaves some uncertainty about what remains unresolved. The claim that drive-thru recordings were exposed raises particular privacy concerns that merit a clear statement from RBI.
The claims in the hackers’ post were dramatic, but the write-up states that no customer data was retained during the research. The pair signaled they intended to highlight weak security rather than profit from it, and they closed with a light-hearted aside about preferring Wendy’s. Whether regulators or outside security teams will now examine RBI systems more deeply is unclear.
Tell us in the comments on X and Bluesky what stood out to you, and whether those handling the incident responded quickly enough after the takedown.