Millions of applicants - but security like Windows 95

If you've ever applied for a job at McDonald's, you'd better read on. Because what security researchers have uncovered at the fast food chain is nothing less than a digital nightmare: an application portal used worldwide in which the sensitive data of over 64 million people was stored - "protected" by the worst password of all time: "123456".

What sounds like a joke is reality. And not just any kind of glitch, but a ticking data bomb. Anyone who thinks that IT systems at a global corporation like McDonald's are as secure as Fort Knox is very much mistaken.

Chatbot Olivia & the gateway to embarrassment

McDonald's uses the McHire.com platform, operated by US company Paradox.ai, to recruit new employees worldwide. Applicants not only enter their contact details there, but also chat with the AI bot "Olivia". She happily collects personal information, asks about shift times and even analyzes personality traits.

But there was a huge hole in the digital HR department. And IT security researchers Ian Carroll and Sam Curry discovered it - almost by accident. After complaints about "Olivia" on Reddit, they investigated and discovered that the username "123456" and the equally creative password "123456" gave them full admin access. Without any tricks. Without a hack. Simply log in. Done.

Data leak deluxe: phishing made easy

With this access, the researchers were able to access all applicant data - in some cases going back years. Name, address, telephone number, email, application status, preferred working hours, chat histories, even tokens for authentication - all on a digital silver platter. According to Carroll: "Within 30 minutes, we had full access to virtually every application ever received by McDonald's."

The worst-case scenario: this data is a jackpot for cyber criminals. Millions of people urgently waiting for a response - perfect targets for phishing attacks or identity theft. As Sam Curry explains: "Anyone who wanted to carry out payroll fraud would have found the ideal springboard here."

McDonald's & Paradox: Quickly deleted, but too late?

Paradox.ai and McDonald's reacted quickly after the glitch became known: access deactivated, system secured, bug bounty program started. But how did it get this far in the first place? Why are "123456" logins still an issue in 2025? And how naive do you have to be to operate admin access without real security mechanisms?

IT salad for the McMenu - with extra negligence

So much for "big company, big responsibility". What happened here shows how even global players can fail at the basics. The consequences? Millions of people are put at risk by such botched password policies. This is no trivial offense. Anyone who handles data so carelessly should be brought before a proper court - and not for stealing chips, but for a massive breach of data protection.
