Burger King Twitter Hacking: Take A Chill Pill

Burger King Twitter account hacked

Burger King’s Twitter account was hacked today, with the hacker turning the company’s Twitter page into an offensive mock-up of a McDonalds Twitter channel. An hour and fifteen minutes later, the account was suspended, but not before the news spread across the social media fishbowl at lightning speed.

As often happens, a huge amount of basement punditry has already begun. I’ve already had to call BS when I saw someone asserting that it took Burger King “too long” to address the situation.

Here’s what we do know:

  • The Burger King account was hacked.
  • The hacking occurred on a public holiday in the US and most of Canada.
  • It took just over an hour to pull the account down.

Here’s what we do not know:

  • If the hacker changed the password to prevent Burger King accessing the page.
  • How robust Burger King’s security processes for their social media channels are.
  • When Burger King’s team spotted the hack.
  • Whether their community manager was anywhere near a computer when this happened – who knows if their community manager was out for a hike when this happened?
  • Whether Burger King had a crisis plan for this kind of situation.
  • How long it took for Burger King to take action on their end.
  • If Burger King needed to go through Twitter to to pull the account down, how long it took them to respond.
  • When this is all over, if this will have any impact on the brand whatsoever.

What I know from my experience in these kinds of situations with large brands:

  • Situations like this are chaotic at the best of times. As Ed Truitt pointed out in a nice analogy, battle plans rarely survive the first encounter with the enemy.
  • Holidays are prime time for hackers, as response times from companies tend to be longer. It can take time to reach people who aren’t officially working.
  • The person manning one social channel may not be the same as the person manning another, meaning you may need to reach several people in order to respond.
  • An hour is not a long timeframe in which to have a channel pulled down.

The only real gap I see at this point, as pointed out to me by Kami Huyse and Sara Patterson, is the lack of any public response so far. Social media crisis plans should include pre-approved boilerplate language for social media channels and other communications channels for situations like this. With that said, we’re talking a hacking of a relatively small account here – not a major crisis like a food safety recall or a company-caused fatality. Given the frequent separation of audiences between Facebook and Twitter, the company may have considered the option of posting elsewhere, and decided against it (again, we don’t know).

My point: Let’s hold off on the basement punditry. There’s a whole lot that we do not know, and very few things that we do know. Without someone with that knowledge filling in the blanks, all we can do is speculate.

(Image: Kami Huyse)


  • RobertFrench

    In the current environment of social media, “An hour is not a long timeframe in which to have a channel pulled down.”  OK, I can agree with that.  I do not, however, think that an hour is acceptable.  If people on the provider side (Twitter, Facebook, et.al.) and proponents on the business side (major brands to anyone else) all see social media as a business model (and tout it with such glee and evangelical zeal) … then, due diligence on both sides should make these instances of hacks shorter.   It should take minutes.   Let’s not forget, social media is all about the content and ‘talking’ … it is listening, more than anything else.  I don’t believe the providers or the businesses are doing enough listening.

    • RobertFrench

      @RobertFrench Forgive me, the 2nd to last line should contain a NOT … as in “social media is NOT all about the content and ‘talking’…  Thanks.

    • @RobertFrench Hi Robert — good to hear from you; thanks for the comment.
      I do agree that a sense of urgency from social platforms is critical in these scenarios. For the sake of argument, though, given what we don’t know (above), let me run a scenario by you:
      0 mins: Hacking occurs.
      ~10 mins: Community manager gets an alert that something is up with the account as conversation spikes. Digs into what’s going on. Realizes password has been changed.
      ~15 mins: Realizes that hacking has occurred; drafts an internal alert
      ~20 mins: Alert goes out; schedules a call with crisis team per the crisis plan
      ~30 mins: Group meets to discuss next steps; it’s a quick call as they know what to do, but still takes 10 minutes to confirm all action items are covered by the people who are available
      ~40 mins: Community manager starts drafting email to Twitter
      ~45 mins: Community manager sends email to Twitter rep and follows-up with phone call
      ? mins: Twitter pulls account down
      To me, those timelines are pretty much reflective of a best-case scenario within most companies – even on a regular business day. Add a delay from people being out and about and not checking their phone for new emails constantly on a holiday, and you’re left with an even longer timeframe.
      We don’t know what happened here, or if this is any way reflective of what happened today, but as an illustration it’s very much feasible as a best-case scenario (for a brand that clearly doesn’t spend a lot of money with Twitter (just 80,000 fans for a major brand) so doesn’t get a designated rep). 
      My point here is that we’ll see all sorts of speculation from pundits who have never been in this kind of situation, and that people should take a step back before they jump to conclusions.
      Always good to see you here, sir – thanks for stopping by 🙂

      • jspepper

        @davefleet  @RobertFrench I’ll play devil’s advocate. I wonder if Burger King has ever paid for trending or a campaign on Twitter. I think Twitter shoulders some responsibility here.

        • kmskala

          @jspepper  @davefleet  @RobertFrench I would assume there has been some paid activity or at least Burger King or their agency should have a contact at Twitter.
          Dave, I disagree with your timeline, in this instance.
          As someone who works on the brand side,this would have taken me under 30 minutes to get controlled. An alert should have happened within 10-15 minutes at most. Once you get that alert, you immediately log into Twitter. If you realize your password has been changed, the next call is Twitter. You don’t need your legal team right now. You don’t need to draft an internal memo. You get on the phone and call Twitter.
          This crisis had nothing to do with a physical location or product. It’s a Twitter hack. Get the situation taken care of, then bring the crisis team into it.

        • @kmskala  I hear you, and in an ideal world that might be the case. But my general point is that there are so many variables that we just don’t know. What if the person who manages the channel works at an agency? You can be sure that they won’t pull a company’s channel down without speaking to the client. What if they’re junior, and aren’t confident or experienced enough to make that call?
          So many variables. So few answers. It’s easy to say what you would do, but without knowing the actual circumstances I don’t think people should rush to judgment.

        • @jspepper  @RobertFrench Possibly. You certainly get better service when you do pay.

          • Katherine

            The public response to the ‘Burger King Twitter Hacking’ may have not been overwhelmingly negative. I think that social media is at a point now where serious changes should be made when it comes to regulations and privacy on the web. Communications directors for organizations, brands or even for individuals should look internally at their social media networks and how they are being managed in order to prevent a hacking crisis like the one experienced by Burger King. Not only do things like this prevent a company or organization from properly distributing its message, but without proper privacy regulations, an organization’s credibility can drop after just one single tweet. I understand that the social media outlets themselves must make most of these regulation changes, but public relations practitioners and communications directors should take the time to try and remove any potential threats in the beginning. Technology is continuing to change and evolve every day. I think it is important to recognize that a hacking crisis can happen to anyone, and we must take the steps necessary to try and minimize the negative effects that result. I do not think that such problems should be ignored by the public or by the media.

  • jspepper

    Here’s the article I referenced on Facebook from The Verge: http://www.theverge.com/2013/2/18/4001722/hacked-burger-king-account-embarrasses-brand-friendly-twitter
    No punditry, but they talk about the issues with Twitter, the need for better security and verification (2 factor verification), and what this means for Twitter as they try to get more brands to pay money.
    Smart, intelligent and based on issues they know. Or, what journalism should be. 
    And in PR, there are no holidays as someone should always be alert. The fact that there’s been no comment on Facebook – an apology for the language, at least – is surprising and telling.

  • Pingback: Social Media Incidents: It’s About Having a Plan… Because “Burger King” Will Be Your Brand One Day. | Modern Insider()

  • Tod Maffin

    It’s bizarre to me just how many organizations fall victim to this kind of Twitter hack. Burger King obviously let the ball drop. A few tips that should help others not fall down this path: http://todmaffin.com/nohacks

  • Pingback: Karen’s PR & Social Media Blog » WhopperGate: Analysis & Discussion regarding Burger King’s Social Media Hacking Case()

  • And today is was Jeep that was hacked. Response time: 1.5 hours max from what I can tell from one of the Reuters/AP stories.
    I like this tweet from (the real) Jeep: “@BurgerKing Thanks BK. Let us know if you want to grab a burger and swap stories – we’ll drive.”

  • Xcite Digital

    Is bad publicity good publicity in this case? BK should’ve tightened their security measures around their account.

  • ahnas

    I think that Burger King’s
    social media management team or person should have been on top of the situation
    and fixed the problem a lot sooner, but within an hour is still a good amount
    of time. Burger King should have responded to the public for the crisis as soon
    as possible though. Not immediately responding could be interpreted by the
    public that Burger King does not care about what its Twitter account was
    tweeting, or care about it’s competitors or general public.

  • ShanLingam

    It was  <a href=”http://www.thaibreeze.ca/thai-food-delivery-platt/”>thai dishes</a> good.  The service was subpar.  I get you’re popular, but you don’t need to run it like