Full Report
In March 2026, the Turkish restaurant chain Baydöner suffered a data breach; the stolen data was subsequently published to a public hacking forum. The incident exposed over 1.2M unique email addresses along with names, phone numbers, cities of residence and plaintext passwords. A small number of records also included Turkish national ID numbers and dates of birth. In their disclosure notice, Baydöner stated that payment and financial data were not affected.
Analysis Summary
# Incident Report: Baydöner Customer Data Breach (March 2026)
## Executive Summary
In March 2026, the Turkish restaurant chain Baydöner experienced a significant data breach resulting in the exposure of approximately 1.3 million customer records (over 1.2 million unique email addresses). The compromised data, which included plaintext passwords and, for a small number of records, sensitive personal identifiers, was subsequently leaked on a public hacking forum. Baydöner stated that payment and financial data were not affected. Because the passwords were stored in plaintext rather than hashed, however, the leak hands attackers directly reusable credentials and poses a high risk of credential stuffing against any other service where affected users reused the same password.
## Incident Details
- **HIBP Notification Date:** March 15, 2026 (date the breach was added to Have I Been Pwned; the date Baydöner itself discovered the intrusion has not been disclosed)
- **Incident Date:** March 2026
- **Affected Organization:** Baydöner
- **Sector:** Food & Beverage / Hospitality
- **Geography:** Turkey
## Timeline of Events
### Initial Access
- **Date/Time:** March 2026
- **Vector:** Not disclosed. Bulk exports of this kind are frequently the result of SQL injection in a web-facing application or of an exposed or misconfigured database, but no vector has been confirmed for this incident.
- **Details:** Unauthorized actors obtained a copy of the customer account database; which system held it (CRM, marketing platform or ordering application) has not been disclosed.
### Lateral Movement
- **Details:** Not disclosed; the contents of the leak (one row per account carrying credentials and contact details) are consistent with a direct export of a user table rather than a wider network compromise.
### Data Exfiltration/Impact
- **Details:** Data for over 1.2M unique email addresses (approximately 1.3M total records) was exfiltrated and uploaded to a public hacking forum.
### Detection & Response
- **Discovery:** The breach became public through the posting of the data on a hacking forum; the dataset was subsequently verified and loaded into Have I Been Pwned. No internal detection prior to publication has been reported.
- **Response Actions:** Baydöner issued a public disclosure notice stating that payment and financial data were not affected.
## Attack Methodology
- **Initial Access:** Unknown (exploitation of a web-facing application or an exposed database is the most common cause of this pattern, but is unconfirmed here).
- **Credential Access:** Passwords were stored in plaintext rather than hashed, so no cracking was required; every exposed password is immediately usable.
- **Collection:** Gathering of customer PII (names, phone numbers, cities; Turkish national ID numbers and dates of birth for a small number of records).
- **Exfiltration:** Approximately 1.3M records removed from the victim environment and later posted to a public hacking forum.
- **Impact:** Mass exposure of PII and directly usable credentials.
## Impact Assessment
- **Financial:** No direct compromise of payment or financial data reported.
- **Data Breach:** Exposure of 1.2M+ unique email addresses, names, phone numbers, cities of residence and plaintext passwords; a small number of records also included Turkish national ID numbers and dates of birth.
- **Operational:** No disruption to physical restaurant operations has been reported.
- **Reputational:** High; the data is circulating on a public hacking forum and the breach is listed in notification services such as Have I Been Pwned.
## Indicators of Compromise
- **Network indicators:** None published.
- **File indicators:** None published. The leaked data circulates on a hacking forum as a database export; for breaches of this type that is typically an .sql dump or .csv file, and the appearance of such a file containing your own customer table is itself an indicator.
- **Behavioral indicators:** None specific to this incident were published. For this pattern of breach, the detectable signal is usually an unusually large read from, or outbound transfer of, the customer database: a full-table SELECT, or a long series of chunked queries from a single client.
## Response Actions
- **Containment:** Not detailed in the disclosure. For a breach of this type, containment means removing the attacker's access to the database and rotating any database credentials or application secrets that may have been exposed.
- **Eradication:** Leaked data cannot be recalled; eradication is limited to closing the vulnerability that allowed the export.
- **Recovery:** Public notification via hxxps[://]www[.]baydoner[.]com/duyurular. Because the passwords were plaintext, recovery also requires forcing a password reset for every affected account; re-hashing the existing values does not undo the exposure.
## Lessons Learned
- **Plaintext Storage:** Storing passwords in plaintext is a critical design failure. Hashing with a slow, salted algorithm would have left the attackers with a cracking job rather than ready-to-use credentials.
- **Data Minimization:** Collecting national ID numbers and dates of birth, which a restaurant loyalty or ordering service does not need for most customers, turned a credential leak into an identity-theft risk for the affected records.
- **Proactive Monitoring:** The breach was detected only after the data was published, indicating a need for database activity monitoring that alerts on bulk reads of customer tables.
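The monitoring the last point calls for can be expressed as a few rules over database audit logs. The following Python example is added here by the editor and is not from Baydöner or from the disclosure; the JSON-lines log format, the table names treated as sensitive and the thresholds are assumptions, and the audit lines are constructed for the example. It flags the three patterns a bulk export of a customer table leaves behind: a SELECT on a sensitive table with no WHERE or LIMIT, a single statement returning more rows than a login or ordering flow ever should, and a sliding-window total of rows read by one database user and client address, which catches exports chunked into many small queries.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tables holding customer PII or credentials (assumption for this example).
SENSITIVE_TABLES = {"customers", "users", "members"}
SINGLE_QUERY_ROW_LIMIT = 10_000   # one statement returning this many rows
WINDOW = timedelta(minutes=10)    # sliding window for chunked exports
WINDOW_ROW_LIMIT = 50_000         # rows per (db_user, client_ip) per window

# Constructed audit records in a generic JSON-lines shape; not real logs from
# the incident. Real sources would be pgaudit, the MySQL audit plugin, or a
# database activity monitoring product, normalised to these fields.
SAMPLE_AUDIT_LINES = [
    '{"ts":"2026-03-10T09:14:02","db_user":"app","client_ip":"10.0.1.5","statement":"SELECT id,email,password FROM customers WHERE email = ?","rows":1}',
    '{"ts":"2026-03-10T09:14:03","db_user":"app","client_ip":"10.0.1.5","statement":"SELECT id,name FROM menu_items WHERE city_id = ?","rows":120}',
    '{"ts":"2026-03-10T23:02:10","db_user":"app","client_ip":"10.0.1.5","statement":"SELECT id,email FROM customers LIMIT 50","rows":50}',
    # Chunked export: seven 8000-row slices from one client in six minutes,
    # each below the single-query limit on its own.
    *[f'{{"ts":"2026-03-10T23:{5 + i:02d}:00","db_user":"app","client_ip":"10.0.9.23",'
      f'"statement":"SELECT * FROM customers WHERE id BETWEEN {i * 8000 + 1} AND {(i + 1) * 8000}","rows":8000}}'
      for i in range(7)],
    '{"ts":"2026-03-10T23:40:00","db_user":"reporting","client_ip":"10.0.0.77","statement":"SELECT * FROM customers","rows":1300000}',
]

FROM_RE = re.compile(r"\bfrom\s+[`\"]?(\w+)", re.IGNORECASE)


def table_of(statement):
    """Return the first table named after FROM, lower-cased, or None."""
    m = FROM_RE.search(statement)
    return m.group(1).lower() if m else None


def is_full_table_select(statement):
    """A SELECT with neither a WHERE clause nor a LIMIT reads the whole table."""
    s = statement.strip()
    return (s.upper().startswith("SELECT")
            and not re.search(r"\bwhere\b", s, re.IGNORECASE)
            and not re.search(r"\blimit\b", s, re.IGNORECASE))


def _alert(rule, actor, detail):
    return {"rule": rule, "db_user": actor[0], "client_ip": actor[1], "detail": detail}


def analyze(lines):
    """Run the three rules over audit lines (assumed to be in timestamp order)."""
    alerts = []
    history = defaultdict(list)   # (db_user, client_ip) -> [(ts, rows), ...]
    window_alerted = set()        # actors already flagged by the window rule
    for line in lines:
        rec = json.loads(line)
        stmt = rec["statement"]
        table = table_of(stmt)
        if table not in SENSITIVE_TABLES:
            continue
        ts = datetime.fromisoformat(rec["ts"])
        rows = int(rec["rows"])
        actor = (rec["db_user"], rec["client_ip"])

        if is_full_table_select(stmt):
            alerts.append(_alert("full_table_read", actor, f"{table}: {stmt}"))
        if rows >= SINGLE_QUERY_ROW_LIMIT:
            alerts.append(_alert("bulk_rows_single_query", actor, f"{table}: {rows} rows"))

        # Sliding-window total over sensitive tables catches exports that are
        # chunked into many queries, each small enough to pass the rule above.
        hist = history[actor]
        hist.append((ts, rows))
        while hist and ts - hist[0][0] > WINDOW:
            hist.pop(0)
        total = sum(r for _, r in hist)
        if total >= WINDOW_ROW_LIMIT and actor not in window_alerted:
            window_alerted.add(actor)
            alerts.append(_alert("window_rows_exceeded", actor, f"{total} rows within {WINDOW}"))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_AUDIT_LINES):
        print(a["rule"], a["db_user"], a["client_ip"], a["detail"])
```

On the constructed sample the normal application traffic from 10.0.1.5 produces nothing, the chunked export from 10.0.9.23 trips only the window rule, and the `SELECT * FROM customers` from the reporting account trips all three. Thresholds should be tuned from a baseline of the application's real query shapes; the parameterised `WHERE email = ?` form seen here is what a login flow looks like, and anything returning more than a handful of rows from that table warrants a look.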
## Recommendations
- **Cryptographic Hashing:** Replace plaintext storage with a slow, salted password hashing algorithm immediately (Argon2id preferred; bcrypt or scrypt are acceptable), and force a password reset for all affected accounts, since hashing the already-leaked values does not undo the exposure.
- **Multi-Factor Authentication (MFA):** Encourage or mandate MFA for customer accounts to mitigate the risk of stolen credentials.
- **Encryption at Rest:** Encrypt sensitive fields such as national IDs at rest, with the caveat that disk- or database-level encryption does not stop an attacker who exports data through the application or a compromised database account. Field-level encryption with keys held outside the database, or not collecting the field at all, does.
- **Vulnerability Management:** Conduct regular penetration testing of web-facing applications, use parameterized queries throughout, and deploy a web application firewall (WAF) as a compensating control against SQL injection and other common attack vectors.
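The hashing recommendation above, as an added example that is not Baydöner's code: a complete password-storage module in Python using the standard library's scrypt (Argon2id via the argon2-cffi package is preferable in production, but it is not in the standard library, so scrypt keeps the example dependency-free). It stores the work factors alongside each hash so they can be raised later, compares in constant time, performs the one-shot batch migration that plaintext storage uniquely permits (the secret is already present, so no login-time upgrade is needed), and flags every migrated account for a forced reset because the plaintext values have already leaked. The work factors, the `UserRecord` layout and the `force_reset` flag are assumptions for the example.

```python
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional

# scrypt work factors (assumption for this example): N=2**14, r=8, p=1 costs
# about 16 MiB per hash, the usual interactive-login setting. Raise N as
# hardware improves; needs_rehash() picks up hashes made with older settings.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES, DKLEN = 16, 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str) -> str:
    """Salted scrypt hash in a self-describing form: scrypt$N$r$p$salt$hash."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(dk)}"


def _parse(stored: str):
    """Split a stored hash into (n, r, p, salt, digest); None if malformed."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return None
    try:
        return (int(parts[1]), int(parts[2]), int(parts[3]),
                base64.b64decode(parts[4], validate=True),
                base64.b64decode(parts[5], validate=True))
    except ValueError:          # binascii.Error is a ValueError subclass
        return None


def verify_password(stored: str, password: str) -> bool:
    """Recompute with the parameters embedded in `stored`; constant-time compare."""
    parsed = _parse(stored)
    if parsed is None:
        return False
    n, r, p, salt, expected = parsed
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str) -> bool:
    """True if the record is unparseable (e.g. plaintext) or weaker than current."""
    parsed = _parse(stored)
    if parsed is None:
        return True
    n, r, p = parsed[0], parsed[1], parsed[2]
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P


@dataclass
class UserRecord:
    email: str
    password_plain: Optional[str]          # legacy column that caused the exposure
    password_hash: Optional[str] = None
    force_reset: bool = False


def migrate_plaintext_records(users: List[UserRecord]) -> int:
    """One-shot batch migration: hash every plaintext password, wipe the column.

    Unlike migrating from weak hashes, plaintext can be converted offline because
    the secret is present. Hashing does not undo a leak, so every migrated account
    is also flagged for a forced reset. Returns the number of records migrated.
    """
    migrated = 0
    for u in users:
        if u.password_plain is None:
            continue
        u.password_hash = hash_password(u.password_plain)
        u.password_plain = None
        u.force_reset = True
        migrated += 1
    return migrated


def login(user: UserRecord, password: str) -> bool:
    """Verify, then transparently upgrade hashes made with outdated parameters."""
    if user.password_hash is None or not verify_password(user.password_hash, password):
        return False
    if needs_rehash(user.password_hash):
        user.password_hash = hash_password(password)
    return True


if __name__ == "__main__":
    table = [UserRecord("a@example.com", "hunter2")]   # constructed legacy row
    print("migrated:", migrate_plaintext_records(table))
    print("login ok:", login(table[0], "hunter2"), "reset required:", table[0].force_reset)
```

The `$`-delimited format is the same idea as the PHC string format used by Argon2 and bcrypt implementations: parameters travel with the hash, so verification never depends on a global setting and old hashes can be detected and upgraded at the next successful login. Dropping the plaintext column from the schema once `migrate_plaintext_records` has run (rather than leaving it nullable) is what prevents a regression.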