Baydöner Breach Exposes 3.7M Records With Plaintext Passwords
Turkish restaurant chain Baydöner confirms breach affecting 3.7 million customers. Data includes 622,000 plaintext passwords and 42,000 national IDs now circulating on forums.
Turkish restaurant chain Baydöner has confirmed a data breach affecting 3.7 million customer records, with the stolen data now circulating on public hacking forums. The breach, which occurred around March 8, 2026, exposed names, email addresses, phone numbers, and—critically—622,000 passwords stored in plaintext.
What Was Exposed
According to data published on Have I Been Pwned and confirmed by security researchers at RedPacket Security, the breach included:
- 3.7 million customer records from the restaurant chain's database
- 1.27 million unique email addresses
- 622,000 plaintext passwords (not hashed or encrypted)
- 42,000 Turkish national ID numbers (TC Kimlik Numarası)
- Phone numbers and cities of residence
- Dates of birth for some customers
A threat actor using the handle "TurkGuvenligi" claimed responsibility and posted the data to underground forums on March 13, describing it as a "Full DB Breach."
Plaintext Passwords: A 2026 Problem
Storing passwords in plaintext is a practice so outdated that its appearance in a 2026 breach feels anachronistic. Salted, deliberately slow password hashing (bcrypt, scrypt, Argon2) has been standard guidance, and the default in mainstream web frameworks, for well over a decade. That a business holding millions of customer records still kept credentials without any cryptographic protection points to systemic security failures beyond this single incident.
The immediate risk: anyone who reused their Baydöner password elsewhere is now exposed to credential stuffing. Password reuse is widespread (the rates typically cited exceed 60%), so attackers will test these credentials against banking sites, email providers, and social media platforms within hours of obtaining them.
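The difference between what Baydöner apparently had and what it should have had is small in code and enormous in consequence. The following is an added example, not Baydöner's code (nothing is known about their application beyond the fact that passwords were plaintext): a plaintext store beside a hardened one built on the standard library's scrypt, with a per-user random salt, parameters embedded in the stored string, and constant-time verification. The `$scrypt$...` string layout, the hex encoding, the cost parameters and the class and function names are all choices made for this illustration; Argon2id or bcrypt would serve equally well.

```python
"""Plaintext credential storage beside a hardened replacement.

Added example for illustration; not Baydöner's code. Uses hashlib.scrypt
from the standard library so it runs offline; argon2id (argon2-cffi) or
bcrypt are equally acceptable choices in production.
"""
import hashlib
import hmac
import os


# --- The failure mode ------------------------------------------------------
class PlaintextStore:
    """What a plaintext password table amounts to: dump it and you have
    every password, ready for credential stuffing elsewhere."""

    def __init__(self):
        self.rows = {}

    def register(self, email, password):
        self.rows[email] = password

    def login(self, email, password):
        return self.rows.get(email) == password


# --- The hardened form -----------------------------------------------------
# scrypt cost parameters. 2**14 keeps this example fast; OWASP's current
# minimum for scrypt is N=2**17, r=8, p=1 (128 MiB), which also requires
# raising maxmem in hashlib.scrypt.
SCRYPT_LOG_N, SCRYPT_R, SCRYPT_P = 14, 8, 1
DK_LEN = 32


def hash_password(password: str) -> str:
    """Return a self-describing PHC-style string: parameters, random
    16-byte salt and derived key. Hex is used here for readability; the
    real PHC format uses base64."""
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=1 << SCRYPT_LOG_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)
    return (f"$scrypt$ln={SCRYPT_LOG_N},r={SCRYPT_R},p={SCRYPT_P}"
            f"${salt.hex()}${dk.hex()}")


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the derived key from the parameters embedded in the stored
    string and compare in constant time. A plaintext, malformed or
    tampered value never verifies."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[1] != "scrypt":
        return False
    try:
        params = dict(item.split("=", 1) for item in parts[2].split(","))
        log_n, r, p = int(params["ln"]), int(params["r"]), int(params["p"])
        if not (1 <= log_n <= 20 and 1 <= r <= 32 and 1 <= p <= 16):
            return False  # reject absurd parameters from a tampered row
        salt, expected = bytes.fromhex(parts[3]), bytes.fromhex(parts[4])
    except (KeyError, ValueError):
        return False
    actual = hashlib.scrypt(candidate.encode("utf-8"), salt=salt,
                            n=1 << log_n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


# Verifying against a dummy hash for unknown accounts keeps login timing
# the same whether or not the email exists (no user-enumeration side channel).
_DUMMY_HASH = hash_password("not-a-real-password")


class HashedStore:
    """Same interface as PlaintextStore; a dump of self.rows yields only
    per-user salted scrypt outputs, each of which must be attacked separately."""

    def __init__(self):
        self.rows = {}

    def register(self, email, password):
        self.rows[email] = hash_password(password)

    def login(self, email, password):
        stored = self.rows.get(email)
        if stored is None:
            verify_password(_DUMMY_HASH, password)
            return False
        return verify_password(stored, password)


if __name__ == "__main__":
    # Constructed demo account, not breach data.
    for store in (PlaintextStore(), HashedStore()):
        store.register("demo@example.com", "correct horse")
        print(type(store).__name__, "row:", store.rows["demo@example.com"])
        print("  login ok:", store.login("demo@example.com", "correct horse"),
              " wrong pw:", store.login("demo@example.com", "wrong"))
```

Two things worth noticing when running it: registering the same password twice in `HashedStore` produces two different rows (the salt defeats precomputed tables and cross-user matching), and `verify_password` returns `False` for a bare plaintext value, so a partially migrated table cannot silently keep accepting old rows.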
This situation echoes the Infutor breach we covered last week, where similarly poor data hygiene practices amplified the impact of an already serious incident.
National ID Exposure Compounds Risk
For the 42,000 customers whose Turkish national ID numbers were exposed, the risk extends beyond account takeover. Turkey's TC Kimlik serves as a universal identifier used for tax filings, healthcare access, banking, and government services. Unlike passwords, national IDs cannot be rotated.
Victims face elevated risk of identity theft, fraudulent account opening, and social engineering attacks that leverage their verified personal details. The combination of name, national ID, phone number, and address provides everything needed for convincing impersonation.
Company Response
In a disclosure notice published through Turkey's Personal Data Protection Authority (KVKK), Baydöner stated that payment and financial data were not affected. The company did not address the plaintext password storage or explain how attackers gained access.
Baydöner operates over 200 döner kebab restaurants across Turkey and has expanded internationally. The company has not disclosed whether international customer data was included in the breach.
What Affected Customers Should Do
If you've ever created an account with Baydöner:
- Change passwords immediately on any account where you used the same email/password combination
- Enable two-factor authentication on important accounts (email, banking, social media)
- Monitor for phishing attempts that reference your Baydöner account or Turkish identity
- Check Have I Been Pwned to confirm if your email appears in the breach data
- Watch for suspicious identity activity if your national ID was exposed—consider credit monitoring services
For readers unfamiliar with how breaches of this type typically unfold, our guide on what happens after a data breach covers the typical timeline from exposure to exploitation.
Regulatory Implications
Under Turkey's Personal Data Protection Law (KVKK), organizations that experience data breaches must notify the authority within 72 hours and take measures to mitigate damage to affected individuals. The plaintext password storage could constitute a separate violation of requirements to implement "appropriate technical measures" for data protection.
Whether KVKK pursues enforcement action remains to be seen, but the breach documentation now public makes the security failures difficult to dispute.
Why This Matters
Every breach involving plaintext passwords should be a wake-up call—not because the victim company deserves sympathy, but because it demonstrates how many organizations still operate with security practices that were inadequate a decade ago.
The Prosura insurance breach earlier this month similarly revealed fundamental security gaps at a company handling sensitive customer data. Pattern recognition matters here: if one restaurant chain stored passwords in plaintext, others likely do too.
Security teams at organizations that process customer credentials should treat this incident as a prompt to audit their own password storage. The cost of fixing legacy systems is almost always lower than the cost of becoming the next headline.
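A first-pass audit of that kind does not need access to the application code: export the credential column and classify what is actually in it. Below is an added example (not from the article, Baydöner or any vendor) that sorts stored values into modern salted hashes, unsalted fast digests, and plaintext-or-unknown, and additionally checks unsalted digests against a short list of common passwords, since an MD5 or SHA-1 column with no salt is only marginally better than plaintext. The sample rows, the category labels and the password list are constructed for the illustration; a real audit would use a large public wordlist and the real export.

```python
"""Audit an exported password column for plaintext and legacy hashes.

Added example, not from the article or any product. Input is an iterable
of (user_id, stored_value) pairs; SAMPLE_ROWS below are constructed.
"""
import hashlib
import re
from collections import Counter

# Modern salted, slow formats in PHC / modular-crypt style. Everything
# else deserves a closer look.
MODERN_HASH = re.compile(r"^\$(argon2(?:id|i|d)|scrypt|2[aby]|pbkdf2[-_]sha256)\$")
HEX_DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX = re.compile(r"^[0-9a-f]+$")

# Constructed mini-wordlist; use a proper leaked-password list in practice.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "12345678", "111111"]


def unsalted_digest_table():
    """Precompute md5/sha1/sha256 of each common password once so that a
    stored unsalted digest can be matched by dictionary lookup."""
    table = {}
    for pw in COMMON_PASSWORDS:
        for name in ("md5", "sha1", "sha256"):
            table[hashlib.new(name, pw.encode("utf-8")).hexdigest()] = (name, pw)
    return table


def classify(value: str, digest_table) -> str:
    """Label one stored value. A plaintext password that happens to be
    32/40/64 hex characters is misreported as a digest; that is the one
    ambiguity this format-based check cannot resolve."""
    if MODERN_HASH.match(value):
        return "modern-hash"
    lowered = value.lower()
    if HEX.match(lowered) and len(lowered) in HEX_DIGEST_LENGTHS:
        algo = HEX_DIGEST_LENGTHS[len(lowered)]
        if lowered in digest_table:
            return f"unsalted-{algo}-cracked"
        return f"unsalted-{algo}"
    return "plaintext-or-unknown"


def audit(rows):
    """Return (category counts, list of (user_id, label) needing action)."""
    table = unsalted_digest_table()
    counts = Counter()
    findings = []
    for user_id, value in rows:
        label = classify(value, table)
        counts[label] += 1
        if label != "modern-hash":
            findings.append((user_id, label))
    return counts, findings


# Constructed rows: two modern hashes (placeholder bodies), md5 of
# "password" and of "123456", a plaintext value, and sha256 of "test".
SAMPLE_ROWS = [
    (1, "$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHQ$placeholderbody"),
    (2, "$2b$12$placeholdersaltplaceholderhashbody"),
    (3, "5f4dcc3b5aa765d61d8327deb882cf99"),
    (4, "e10adc3949ba59abbe56e057f20f883e"),
    (5, "Hunter2!"),
    (6, "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"),
]


if __name__ == "__main__":
    counts, findings = audit(SAMPLE_ROWS)
    for label, n in sorted(counts.items()):
        print(f"{label:28s} {n}")
    print("rows needing migration:", findings)
```

Any row outside `modern-hash` should go onto a migration plan: rehash on next successful login for unsalted digests (wrap the legacy digest in a slow hash in the meantime if logins are rare), and force a reset for anything stored in the clear.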