Famous fast food chain Burger King has reportedly emailed thousands of its customers with a blank order email receipt.
The blank emails started appearing around 12:15 AM Eastern Standard Time, leaving customers unsure whether the fast food giant had been breached by a hacker attempting to order something off the menu or whether the emails were just an honest mistake by an employee.
Burger King’s Blank Receipts
According to The Verge, several users immediately turned to Twitter, confused by the blank emails.
Some customers claimed that they got two Burger King emails. The order emails were blank, and the sender was Burger King’s promotional marketing email address.
There is no indication that the fast food giant has been breached, according to Fortune.
A lot of customers who have received the blank emails do not even remember creating an account, so it could just be a system change that went wrong and blasted out blank orders to Burger King’s entire marketing database.
Burger King’s Data Breach
This is not the first time that Burger King has faced issues with its security.
In 2019, 37,900 records of Kool King Shop customers were found exposed by an unprotected Elasticsearch cluster. The online shop is tailored to be used by children who bought Burger King menus.
Bob Diachenko, a Security Discovery researcher, discovered that the data was leaked because the database storing it was misconfigured, allowing anyone who found it to get to the records stored within, according to Bleeping Computer.
Since the database was not secured, anyone who reached it could edit it, download it, or even destroy it without admin credentials.
According to the research, the databases contained plain text data, which had been left out in the open since April.
The member records in Burger King’s online shop contained personally identifiable information like emails, passwords, names, phone numbers, dates of birth, voucher codes, and links to stored certificates.
Aside from finding the thousands of leaked member records, Diachenko also discovered the CRM access details for 25 administrators of the Burger King staff. The details include names, emails, and passwords.
The data leak also included some extra information in the form of e-commerce CRM backend logs, with debug information and internal details.
Since 2019, unsecured Elasticsearch databases have leaked more than 108 million bets at different online casinos, exposing PII data, as well as sensitive legal documents and the profiles of 33 million Chinese people looking for a job.
Also, more than 114 million records of US citizens and companies and over 32 million records of SKY Brazil customers were affected by data leaks caused by unsecured Elasticsearch databases in 2018.
As the developers of Elasticsearch detailed in 2013, the servers are never to be exposed to the Internet and should only be accessible on the internal network.
Elastic also advises administrators to secure the Elasticsearch stack by setting passwords for the server’s built-in users and by implementing measures for encrypting communications, role-based access control, auditing, and IP filtering, as well as to configure the Elasticsearch installation before deployment.
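The measures listed above can be checked mechanically before a node is deployed. The following is an added example, not code from the original article or from Elastic: it audits a flat elasticsearch.yml for an Internet-facing bind address and for the missing security, encryption, auditing and IP-filtering settings. The sample configs are constructed, and treating an absent key as "not configured" is an assumption, since defaults differ between Elasticsearch versions.

```python
# Added example. Assumption: an absent key counts as "not configured" (defaults vary by version).
PUBLIC_BINDS = {"0.0.0.0", "::", "_global_"}
FILTER_PREFIXES = ("xpack.security.http.filter.", "xpack.security.transport.filter.")
REQUIRED_TRUE = [  # (setting, measure from the advice above)
    ("xpack.security.enabled", "authentication and role-based access control"),
    ("xpack.security.http.ssl.enabled", "encrypted client communications"),
    ("xpack.security.transport.ssl.enabled", "encrypted node-to-node communications"),
    ("xpack.security.audit.enabled", "auditing"),
]

def parse_flat_yaml(text):
    """Parse 'key: value' lines; comments and nested YAML are ignored on purpose."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit(text):
    """Return a sorted list of findings for the given config text."""
    cfg = parse_flat_yaml(text)
    findings = []
    hosts = {h.strip(" []\"'") for h in cfg.get("network.host", "").split(",")}
    if PUBLIC_BINDS & hosts:
        findings.append("network.host binds to a public interface")
    for key, measure in REQUIRED_TRUE:
        if cfg.get(key, "").lower() != "true":
            findings.append(f"{key} is not true: no {measure}")
    if not any(k.startswith(FILTER_PREFIXES) and v for k, v in cfg.items()):
        findings.append("no IP filtering rules configured")
    return sorted(findings)

EXPOSED = """# constructed sample: node reachable from anywhere
network.host: 0.0.0.0
xpack.security.enabled: false
"""
HARDENED = """# constructed sample: internal-only node
network.host: 10.0.5.12
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.audit.enabled: true
xpack.security.http.filter.allow: 10.0.5.0/24
xpack.security.http.filter.deny: _all
"""
if __name__ == "__main__":
    print({"exposed": audit(EXPOSED), "hardened": audit(HARDENED)})
```

Setting passwords for the built-in users is done on the running cluster rather than in this file, so the check does not cover it.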
Written by Sophie Webster