Burger King Online Shop Exposes Details of 37900 Customers

• A French “kids Burger King” online shop was maintaining an unprotected database.
• The data contained includes sensitive information of thousands of customers and several employees.
• Burger King dodged a dangerous bullet that could have caused them large-scale damage.

Hungry for yet another unprotected Elasticsearch database? The usual suspect, Bob Diachenko, has discovered a juicy one for all of us. This time, the database belongs to a French online shop named “Kook King Shop”, which sells Burger King products and it’s focused on the minors market. According to the revelations, the unprotected cluster contains all of the exposed information in a plain-text form, so there’s no encryption and has been left open to all access since at least April 24, 2019, which is as long as the Shodan historical data can go back.

The number of the records reaches 37900 entries, with each of them containing names, phones, emails, passwords to login to the shop’s portal, dates of birth, voucher codes, and links to any certificates that belong to the customer. Interestingly, it is not only customers who found themselves exposed by this leak, but also 25 administrators with their full names, emails, CRM access details, and encrypted passwords. Finally, the database also contains the e-commerce backend logs with the relevant debug information. Having these emails handy, it was pretty easy for the researcher to notify them about the problematic database, so it has been taken down now.

The response of the Burger King came shortly after, and contained the following assurance:

“Data protection is critical to Burger King and we do take these matters very seriously. All the necessary actions legally required have been taken internally and with our service provider immediately after this incident came to our knowledge to ensure the effective resolution of the problem as well as the safety of our clients’ data. We are also liaising with the relevant national authority having jurisdiction in this respect. We wanted to keep you informed that the issue has been investigated and that such possible vulnerability is now corrected.”

If the database went undiscovered for longer, Burger King could have had their MongoDB servers infected with malware or ransomware, leading to problem escalation and far greater damage for them. That is for the company, but what about its customers? In this case, the clients who had their data exposed were minors, and this is an excellent chance for their parents to educate them about the importance of privacy and security online. Also, maybe Burger King will send them a free meal along with the notice of a breach that should be circulated to all 37900 of them soon.

Have any comments to make on the above? Feel free to share your thoughts with us in the comments down below, or hop to our socials on Facebook and Twitter for more daily tech news.