Unprotected database belonging to Burger King exposes 37,900 records of Kool King Shop customers

• The exposed records include customers’ names, dates of birth, phone numbers, email addresses, passwords, voucher codes, links to the externally stored certificates, and more.
• The database also contained CRM access details for 25 Burger King administrators such as email addresses, names, encrypted passwords, and e-commerce CRM backend logs, with internal details and debug information.

A security researcher Bob Diachenko uncovered an unprotected database belonging to Burger King, that was publicly accessible, allowing anyone to edit, download, or delete the data without needing admin credentials.

What information was exposed?

The leaky database exposed almost 37,900 records of Kool King Shop customers, an online shop specifically for kids who buy Burger King menus.

• The exposed records include customers’ names, dates of birth, phone numbers, email addresses, passwords, voucher codes, links to the externally stored certificates, and more.
• The database also contained CRM access details for 25 Burger King administrators such as email addresses, names, encrypted passwords, and e-commerce CRM backend logs, with internal details and debug information.

The big picture

Bob Diachenko discovered the leaky database via a Shodan search and found out that the database was left open without any protection since at least April 24, 2019.

“I did not notice ransom notes in the database, fortunately, but that doesn't necessarily mean that it wasn't accessed by somebody else,” Diachenko said.

Upon discovery, he notified Burger King administrators about the leaky database. Burger King immediately conducted an investigation and secured the database.

“We would like to thank you for your responsible disclosure of a possible security vulnerability in our infrastructure on certain customers’ data.

Data protection is critical to Burger King and we do take these matters very seriously. All the necessary actions legally required have been taken internally and with our service provider immediately after this incident came to our knowledge to ensure the effective resolution of the problem as well as the safety of our clients’ data. We are also liaising with the relevant national authority having jurisdiction in this respect.

We wanted to keep you informed that the issue has been investigated and that such possible vulnerability is now corrected,” Burger King said in a statement, BleepingComputer reported.