Yes, it was. The personal information of approximately 64 million McDonald’s applicants was left unprotected due to login details consisting of a username and password reading ‘123456’. Last month, a couple of bounty hunters decided to test an AI-powered hiring service called McHire and successfully accessed it using simple credentials. The security researchers immediately reported the bug to both McDonald’s and the company behind the troubled AI-powered service, which screens McDonald’s employees. The vulnerability has been fixed, and at least for now, there are no known reports of misuse of the exposed data.

Key takeaways: 

  • Fast food chain McDonald’s left the details of approximately 64 million job seekers exposed, readily available for hackers to exploit. 
  • The security issue was resolved the next day, and there are no known misuses of the barely protected data.
  • Third-party providers often fail to protect customers’ data, as smaller companies are often held to weaker security standards.
  • It is vital for both individuals and businesses to use strong and unique passwords.

What data was included?

The flimsy login credentials were protecting the full names, addresses, phone numbers, and email addresses of approximately 64 million applicants. The information also included the role each person applied for, as well as the chat history of everything the candidate shared with McHire’s chatbot, named ‘Olivia’. The security researchers got in through the back end using simple credentials, and they realized that less well-intentioned hackers could have done the same if they were after this trove of personal information. On a positive note, the exposed data did not include Social Security numbers or payroll/banking information.

How long did it take to resolve the issue?

The issue was fully resolved the day after it was reported. The main vulnerability was fixed almost immediately after the bounty hunters reported it to the company powering the AI chatbot at McHire. Both McDonald’s and the third-party vendor, Paradox.ai, confirmed that the security issue has been patched and there are no reports of misuse. Both companies pledged to do better in the future.

Are third-party vendors to blame for all the data breaches?

Often, large corporations outsource specific IT services to third-party vendors and blame them if a security issue arises. This is the case in this instance too; the McDonald’s spokesperson openly passed the blame to the medium-sized IT company. Even though the fast-food chain’s spokesperson is probably right, it does not mean that their hands are completely clean. The data of 64 million people who trusted the McDonald’s brand and sought to advance their careers at this large corporation was improperly handled. Maintaining high cybersecurity standards is essential at any level, and such companies need to monitor, vet, and audit their partners’ work. 

Why are passwords such as ‘123456’ not a good idea?

Using one of the most common passwords in the world to protect the data of tens of millions of people is unacceptable, and this kind of issue should not be happening in 2025. Individuals and businesses have many options for password management and IT support. Using a strong and unique password is always the best option; it should include special characters and upper- and lower-case letters. Even then, such passwords need to be changed at least once every three months because credential leaks occur so frequently. Organizations sometimes don’t discover a security or data breach for months or even years, so it is up to individuals to maintain adequate security protection.

Everyone makes mistakes, and when it comes to IT, these mistakes often result in security loopholes that hackers can exploit. If caught, large corporations typically pay a fine and settle a few class-action lawsuits, then continue business as usual. However, stolen or leaked data can haunt individuals for the rest of their lives. Large organizations, such as McDonald’s, should strive to maintain high security standards, and third-party vendors must recognize the importance of cybersecurity, especially when serving tier-one clients that handle the personal information of millions of people.