Heinz takes the heat over saucy porn QR code

SauceWhen you reach for a bottle of Heinz Hot Ketchup, you might find yourself end up on the receiving end of the wrong kind of hot stuff.

As BBC News and Bild report, that’s what happened to German ketchup lover Daniel Korell after he found a QR code on the side of a bottle of Heinz tomato ketchup was taking him to a pornographic website.

Korell reported the issue to Heinz, informing them that their ketchup “probably not for minors.”

That’s quite a pickle Heinz found itself in, and the company offered Korell a free bottle.

Sign up to our free newsletter.
Security news, advice, and tips.

The FunDorado adult website, meanwhile, offered Korell a free membership, presumably delighted by the extra umm.. exposure.

QR code on sauce bottle

It’s worth remembering that QR codes can point to anywhere on the web. Feeble human brains don’t have a clue what a QR code is trying to say until the code is scanned, because the brain can’t read a QR code like they can a regular URL.

But in this case, it seems that Heinz failed to renew their registration of the domain name, allowing it to slip out of their hands before it was ultimately snatched up by an opportunistic x-rated site.

Maybe in future the marketing team will think it wiser to direct any future QR code through the official Heinz website, which they (hopefully) will always have control over, rather than a domain set up for a specific campaign.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “Heinz takes the heat over saucy porn QR code”

  1. Paul

    That's what's always put me off scanning QR codes. It might link to anything, inclusive of malware or illegal sites. They're a bit of a fad really if you ask me, and are flawed not only because scanning one is the equivalent of using a 'glory hole' but also because it's a lost opportunity (from a marketing perspective) to promote a human-readable url to a wider audience who might not be willing or able to scan things.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.