CRW

Home Wiki

Restaurant Brands International caught training AI models using customer voices

View on consumerrights.wiki ↗

Contents5
  1. Background
  2. The hack
  3. RBI's response
  4. Consumer response
  5. References

Hackers using the aliases of "BobtheHacker" and "BobtheShoplifter" posted on Reddit and Hacker News revealing that Restaurant Brands International is retaining recordings of customers' drive-thru orders and feeding it into an AI model without prior knowledge or consent. Hours later, a DMCA claim was filed by Cyble Inc against the hackers, citing misuse of their trademark and falsifying information.[1]

Background

Restaurant Brands International (also referred as RBI) is an American-Canadian fast food holding company formed in 2014 by a merge deal between burger king and Tim Horton's, eventually including Popeye's and Firehouse Subs. All of the company subsidiaries (Burger king, Tim Horton's, Popeye's, Firehouse Subs) use assistant platform process, a software that processes your order through the digital menu board or drive thru screen.

Although unknown about their agreements, Reestaurant Brand International has relationships with Cyble Inc, an cybersecurity company that handles security risks using artificial intelligence

The hack

On September 6, 2025, two hackers, “BobtheHacker” and “BobtheShoplifter”, posted on Reddit[2] and Hacker News[3] revealing an exploit that led to the discovery of Restaurant Brands International withholding an estimate 100 million saved audio recordings[4] of customers' orders and interactions throughout all of their establishments.[5][6] It is unknown how long the company has retained the audio recordings.

The image above is from a Burger King AI module website that determines metrics like the amount of order attempts, number of order that was successful, time that's most successful, and what type of orders was the most popular. The image above is of a selected drive thru option, that indicates that there was a total of 134 order attempts made, with 94 of them being successful, along with the most popular conversion rate was "size", taking around 51% of the order request chart, with an 72% on the success chart.
Burger King Employee Metrics

Along with findings of employees' personal information, it was discovered that voice recording was used to help train their AI model into determining various metrics that include:

  • Customer sentiment
  • Employee friendliness level
  • Tone feedback
  • Order success rates
  • Order processing time
  • How many times employees said “You Rule” and "Welcome"
An image showcasing an Burger king website that makes use of the AI module, determining the employee friendliness score with metrics such as the amount of conversation had, how many guest had to wait, how many times the word "welcome" and "You rule" was said throughout the entire day.
Happiness and Feedback System

RBI's response

A few hours after the exploit was publicized, a company by the name of Cyble Inc issued a DMCA claim against the hackers, claiming their use of the Burger King trademark promoted illegal activity and spreads false information about the company. In response, the hackers took down their original post to avoid engaging in an legal dispute.[7][8]

There has been no public response from Restaurant Brands International or Cyble Inc regarding the issue.

DMCA Notice From Cyble Inc.
DMCA Notice From Cyble Inc.

Consumer response

People on Reddit and Hacker News forums shared frustration at Restaurant brand International security practices, DMCA claim filed against hackers, and voice collection practices, leading to various discussions regarding legality of the situation.[2][3]

References

  1. Daniel Boctor (2025-09-07). "Burger King caught training AI on 100 MILLION customers voices!". YouTube. Archived from the original on 23 Feb 2026.
  2. 2.0 2.1 BobdaBuilder (2025-09-06). "Reddit". Reddit. Retrieved 2026-01-25.{{cite web}}: CS1 maint: url-status (link)
  3. 3.0 3.1 Bobdahacker (2025-09-06). "We hacked Burger King: How auth bypass led to drive-thru audio surveillance". Hacker News. Archived from the original on 2025-10-16. Retrieved 2026-01-25.
  4. "Burger King's AI Training Data Breach: A Deep Dive into the RBI Hack and Customer Voice Data". CyberSecurityTemple.com. 2025-12-02. Archived from the original on 16 Feb 2026. Retrieved 2026-02-08.
  5. "We Hacked Burger King: How Authentication Bypass Led to Drive-Thru Audio Surveillance". bobdahacker.com. 2025-09-06. Archived from the original on 2025-09-06.
  6. Nimofff, Lexx (2026-02-17). "Cybersecurity researchers hacked the management company of the restaurant chain Burger King". BrainTools. Archived from the original on 24 Feb 2026. Retrieved 2026-02-17.
  7. "DMCA Notice Received". bobdahhacker. 2025-09-06. Retrieved 2026-01-23.{{cite web}}: CS1 maint: url-status (link)
  8. bobdahacker@infosec.exchange (2025-09-06). "We decided to take the post down after recieving a DMCA from burger king". Mastodon. Archived from the original on 18 Sep 2025. Retrieved 2026-02-08.
Filed under