170,000 Popeyes customer accounts were exposed

Elliot Alderson
3 min readApr 11, 2021

--

Coming to the Vietnam market in 2013, Popeyes has quickly become the preferred choice of fried chicken in particular and fast food in general. Popeyes has developed its brand on many platforms such as its website, mobile ordering application, or other online delivery applications to attract and reach its customers.

Applying digital technology to businesses, Popeyes must set out information security policies for customers and businesses’ information security options. In recent times, we have received severe information about this brand: 170,000 Popeyes customer accounts of Vietnam market were exposed, including information such as email, phone number, gender, date birth, first and last name, bonus points, customer ranking. The application has more than 50,000 downloaded.

Hackers share a piece of customer data.

According to the Hacker, the leaked information comes from one or more vulnerabilities from the mobile application of “Popeyes Viet Nam.” This application allows users to create and log into accounts to make food selections, order items, pay orders, earn points to receive gifts, find shops — many exclusive offers for customers to use on the platform.

Popeyes’ customer data was exposed, containing a lot of sensitive information.

During our investigation, we learned that hackers did not share how they attacked data systems. Based on the results of partial data analysis, screenshots, we can temporarily conclude that: The technique hackers use “Reverse Engineering” to find APIs that These authentication methods or APIs do not protect have many security vulnerability IDOR (Insecure Direct Object References). This bug is one of the long-lived vulnerabilities, is in the TOP 10 of the most common vulnerabilities, and the impact level is considered very serious to the system.

We believe the API causes IDOR vulnerability, and this makes it possible for hackers to intervene in accessing anyone’s data.

Popeyes will suffer many losses because of the disclosure of customer information. With Popeyes’s privacy policy committed to, Popeyes will lose many users of its products and services and, above all, specific to your customers. Information leakage will also make it easier for the brand’s competitors to know about Popeyes’ customers, attract them to new products and services, and increase market share.

Describe IDOR vulnerability

Above all, the information leakage will also cause a lot of direct harm to the customer. More specifically, hackers have illegal access to sensitive information and personal information of any system account. From there, hackers can learn, analyze data, and target customers for profit. Besides, hackers may sell customer information to organizations, individuals with many other business areas, or competitors. Other businesses will analyze consumers’ needs and preferences and then pull them to use their products and services with ample information.

Therefore, Popeyes needs to be aware of and raise the security of his data system. Here are some options for Popeyes to handle this problem

  • Review your entire IT system to identify weaknesses that exist in the system
  • Perform testing to find security holes in your applications
  • Give notices and warnings to customers and Popeyes employees to change their passwords.

Data security is always a dilemma for Popeyes and many organizations and businesses in many other business areas. Therefore, they need to come up with strategies, plans, and solutions for corporate information security.

There was a lot of advice from information security experts, of which, Dimitri Sirota chief executive officer of cybersecurity firm BigID, shared that “Personal data is the life-blood of most organizations, and they need to better safeguard it against misuse and theft.”

--

--

Elliot Alderson
Elliot Alderson

Written by Elliot Alderson

But I'm only a vigilante hacker by night. By day, just a regular cybersecurity engineer. Employee number ER28-0652