-
Threat leader “Eliasxy” published data sets allegedly hijacked from Burger King France and Wendy’s UK on a dark web forum, claiming sole responsibility for both breaches.
-
The researchers found the sampled data structurally legitimate, though neither company has independently verified or confirmed the breach.
-
An exposed Sentry API key in Wendy’s leaked data could give attackers a doorway into additional internal systems.
A threat actor operating under the name “Eliasxy” has surfaced on a dark web forum, posting what they claim to be stolen data from two major fast food chains, Burger King France and Wendy’s UK.
The listings appeared over the weekend, and researchers are now racing to assess what the exposure actually means for the companies and the people whose data may be caught in the middle.
Hacker Drops Data on Dark Web Forum
Eliasxy posted both listings on a popular data leak forum that cybercriminals routinely use to trade and distribute stolen records. In the Burger King France post, the actor wrote:
“Today I have uploaded the database of the Burger King France Enterprise for you to save a copy. Thanks for reading and enjoy!”
This tactic of publishing stolen corporate data on underground forums is becoming increasingly common. In January 2025 (too long ago), a French IT firm Réseau.site suffered a data breach as a hacker published user records on similar platforms, demonstrating that no industry, from fast food to technology services, is immune to these public data dumps.
The hacker attached an 11-line data sample to back up the claim. That sample allegedly contains franchise operations details, employee addresses, phone numbers, and contact emails, opening hours, delivery partner information, senior staff details, and job application data.
Eliasxy also claimed that the same developers who built a McDonald’s-related platform constructed Burger King France’s infrastructure, though they offered no evidence to support that assertion.
The Wendy’s post followed shortly after. Eliasxy announced:
“Yooo today we struck again. This time it’s Wendy’s and in the database you’ll find plenty of information such as first name, last name, address, email system used, Surface and many other details.”
The researchers who reviewed both samples confirmed that the data appear structurally legitimate and differ from previously reported exposures involving Burger King.
TorNews security team
However, the samples are small, 11 lines for Burger King France and just 5 for Wendy’s, making it difficult to gauge the full scale of what the hacker may be holding.
Researchers also noted that Wendy’s sample appears to mix records from multiple restaurants, not exclusively Wendy’s locations, leaving the true ownership of the data unclear.
Exposed API Key Raises Alarm for Wendy’s
Beyond the stolen records themselves, Eliasxy included an additional detail in Wendy’s post that caught researchers’ attention: a Sentry API key. Our researchers warned that attackers could use this key to access further internal data and systems, escalating the potential damage well beyond what the initial leak reveals.
Based on the data in sight so far, researchers say the most common risk remains “targeted phishing or imposter moves toward the affected firms and their staff.” That threat is real and immediate.
Exposed contact details, staff information, and operational data hand cybercriminals exactly what they need to craft convincing deception campaigns against employees and partners.
Fast Food Industry Faces Repeated Security Failures
This incident does not exist in a vacuum. The fast food sector has built up a troubling track record of security lapses, and this latest episode fits the pattern closely.
Burger King France itself has faced scrutiny before, with earlier findings pointing to exposed credentials and configuration weaknesses in its systems. Last year, a McDonald’s 3rd-party recruitment system made headlines after researchers discovered it was using the dangerously weak password “123456.”
The previous autumn, Malwarebytes published research exposing administrative-level access risks in drive-through tablet systems, systems linked to Restaurant Brands International, the parent company of Burger King and Popeyes, where “admin” served as the password.
The industry keeps presenting attackers with open doors, and cybercriminals keep walking through them. Eliasxy’s latest move suggests that fast food chains with European operations remain attractive and accessible targets.
We reached out to both Burger King and Wendy’s for comment. At the publication time, neither firm had verified a breach or issued any public statement acknowledging the incident.
