If you often visit cafes and restaurants, you’ve likely found yourself scanning a QR code to access the menu. They typically request your name, phone number and email address, and despite the constant concerns around data security, we rarely bat an eyelid before sharing the details because that has become a routine practice.
These QR codes, now widely used in restaurants, gained prominence during the pandemic, which necessitated contactless interactions. Since then, several cafes and restaurants have adopted the technology for a hassle-free experience. But the potential risks associated with sharing personal details via these platforms overshadow the convenience they provide.
Debarghya Das, an Indian-origin tech influencer on X, shared how a hacker found out the most confidential details online just through one of these QR codes.
A writer, who goes by the pen name Pae Bee, shared on Substack how a random QR code in one of his neighbourhood cafes led him to DotPe’s website. Google-backed DotPe was founded in 2019 and claims to be a one-stop digital solution for restaurants — from QR to payments solutions.
Upon inspecting DotPe’s application programming interface (API) calls, the user could access private information that should’ve ideally been accessible only to the cafe’s administration and staff.
This included food items currently being ordered at the cafe, the number of times each item was ordered in the past month and even the details of the orders that the user had previously placed in the same cafe.
Things turned even murkier as the user gained access to more sensitive details upon a little more digging. The writer says they could retrieve information like customers’ names, phone numbers and their order details.
“37,529 restaurants use DotPe for QR codes. These include big chains like Starbucks, Pizza Hut, Haldiram’s, Social, Barista, and Paradise Biryani,” the article said.
While most have moved on from the pandemic-induced practice, some restaurants like Social were still using the QR codes. This led the writer to access the restaurant’s annual earnings from its dine-in business.
The writer has now taken down their post after being served a legal notice by DotPe, they said in a post on X.
“Sorry guys – have taken the post down due to a legal notice from Dotpe. I could fight them because I didn’t access anything that wasn’t already public. But it’s not worth the hassle,” they said.
© 2025 Benzinga.com. Benzinga does not provide investment advice. All rights reserved.