Recently, a couple of hackers disclosed alarming vulnerabilities in the cybersecurity of Restaurant Brands International (RBI), which operates well-known fast food chains such as Burger King, Popeyes, and Tim Hortons. They noted significant flaws in the system, noting that their findings were so severe they commented, “We aren’t even mad, just impressed by the commitment to terrible security practices.”

The issues identified by these hackers allowed them to:

• Easily access RBI’s AWS systems
• Create new user accounts
• Elevate their permissions to administrative status
• Retrieve personal information of employees
• Order equipment from stores
• Manage store listings
• Access interfaces of store tablets
• Listen to recordings of drive-thru orders—used allegedly for training AI models.

Their blog post detailing this breach was published on September 6 but was taken down just 24 hours later after RBI filed a DMCA complaint. The hackers have made it clear that their aim isn’t to exploit these weaknesses but to highlight them for better security practices globally. In their own words, they assured, “No customer data was retained during this research. No drive-thru orders were harmed in the making of this blog post.”