Fast food chain McDonald’s doesn’t maintain the best password hygiene. A recruitment platform with data of millions of applicants was (not) secured with ‘123456’.
According to the lists of most commonly used passwords, ‘123456’ sits at the top. If an individual uses it to secure their email account, that is already a problem, but you would expect better from a billion-dollar company. Fast food giant McDonald’s has not yet grasped the rules for a strong password.
Two ethical hackers discovered by chance that a McDonald’s recruitment platform containing data of 64 million applicants was hilariously poorly secured. By randomly guessing ‘123456’ as the password, they could sign in and view personal data without any additional verification. Fortunately, they shared their findings with McDonald’s before less ethical hackers discovered this.
123456
The potential data breach was waiting to happen in McHire, an AI-powered platform on which people can apply for jobs at McDonald’s. Candidates chat with a bot called Olivia, which collects contact information and shift preferences, among other things. About 90 percent of McDonald’s restaurants reportedly make use of the platform.
The ethical hackers decided to test the platform and concluded that it wasn’t difficult to gain unauthorized access. Both the username and password turned out to be ‘123456’. That wasn’t the only security mistake McDonald’s made.
An internal API for searching the database was also poorly secured. The API checked only that a request came from a logged-in McHire account, not whether that account was entitled to the record it asked for, so anyone with an account could easily request data on millions of other applicants.
By simply changing an incrementing numeric ID in API requests, the researchers could view the names, addresses, phone numbers, and email addresses of other candidates. The responses also included tokens that allowed logging in as any applicant, including access to that applicant’s chat history.
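As an added illustration (not McHire or Paradox.ai code), the flawed lookup pattern described above sits beside a hardened version that checks who owns the record, followed by a log check that flags accounts walking the ID space; the account names, records and log entries are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Applicant:
    id: int
    owner_account: str   # the login that created this application
    name: str
    email: str

# Constructed sample records standing in for the recruitment database.
APPLICANTS = {
    1001: Applicant(1001, "acct-alice", "Alice Example", "alice@example.invalid"),
    1002: Applicant(1002, "acct-bob", "Bob Example", "bob@example.invalid"),
    1003: Applicant(1003, "acct-carol", "Carol Example", "carol@example.invalid"),
}

def get_applicant_vulnerable(session_account: str, applicant_id: int) -> Optional[Applicant]:
    """Flawed pattern: only 'is someone logged in?' is checked, so any account
    can read any record just by changing the numeric ID in the request."""
    if not session_account:
        return None
    return APPLICANTS.get(applicant_id)

def get_applicant_hardened(session_account: str, applicant_id: int) -> Optional[Applicant]:
    """Object-level authorization: the record must belong to the caller.
    'Not found' and 'not yours' give the same answer, so the ID space
    cannot be mapped by comparing responses."""
    if not session_account:
        return None
    record = APPLICANTS.get(applicant_id)
    if record is None or record.owner_account != session_account:
        return None
    return record

def accounts_enumerating(access_log, threshold: int = 3) -> list:
    """Detection: flag accounts that requested more distinct applicant IDs than
    a legitimate applicant would (one account normally owns one application).
    access_log is a list of (account, applicant_id) pairs from the API log."""
    seen = defaultdict(set)
    for account, applicant_id in access_log:
        seen[account].add(applicant_id)
    return sorted(a for a, ids in seen.items() if len(ids) > threshold)

# Constructed access log: acct-bob walks the ID space, the others behave normally.
SAMPLE_LOG = [("acct-alice", 1001), ("acct-bob", 1001), ("acct-bob", 1002),
              ("acct-bob", 1003), ("acct-bob", 1004), ("acct-carol", 1003)]
```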
Data Breach Avoided
The researchers shared their findings with McDonald’s and Paradox.ai, the company that designed the platform. Both companies made the necessary adjustments, and Paradox promised additional internal controls. McDonald’s has not detailed any further steps.
While this data breach may have been avoided, the incident raises questions about how carefully personal information is processed.