A fan of the McDonald’s breakfast menu? Bad news – over 60 million job applications may be in danger thanks to the password “123456.”
The McDonald’s breakfast menu isn’t a terrible thing. Sure, the food isn’t healthy for us, but lots of people still elect to include McDonald’s in their daily routines. Some, especially people straight after high school or those craving a job at the fast food giant, also apply for jobs at McDonald’s. Those people may be at risk of identity theft.
What Happened?
The next time you’re enjoying your McDonald’s breakfast menu and thinking of applying to McDonald’s for work, don’t forget to think about your online security: security researchers Ian Carroll and Sam Curry assessed the chatbot belonging to McDonald’s and found that:
- The McHire administration interface for the owners of McDonald’s restaurants accepted “123456” as its password.
- The McHire administration interface was vulnerable to an Insecure Direct Object Reference (IDOR) attack through an internal API.
These two things allowed the researchers to access any chats and contacts pertaining to the McDonald’s McHire platform. The researchers further stated that by using the default username and the default password, both “123456”, they accessed the job application area used by the developers of McHire’s AI chatbot.
The API Gave Away Secrets
According to the researchers, once they started looking into the chatbot’s API (application programming interface), they noticed that a numeric ID was assigned to each applicant and that they could easily see applicant data. According to some news sources, the researchers could have accessed names, email addresses, phone numbers, addresses (including states), and every form the candidate had submitted to McDonald’s in hopes of getting a job.
The researchers reported the issue to Paradox.ai and the problem was solved the very next day.
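The IDOR pattern described above, sketched as an added example that is not code from McHire, Paradox.ai or the researchers: a lookup that trusts the numeric applicant ID from the request, beside one that checks the record belongs to the caller's restaurant. The data model, function names and records are hypothetical and constructed for illustration.

```python
# Added illustration: all names and records are constructed, not taken from McHire.
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    user: str
    restaurant_id: int  # tenant the logged-in account belongs to

# Constructed sample data: sequential numeric applicant IDs, as in the write-up.
APPLICANTS = {
    1001: {"restaurant_id": 1, "name": "Applicant A", "email": "a@example.test"},
    1002: {"restaurant_id": 2, "name": "Applicant B", "email": "b@example.test"},
    1003: {"restaurant_id": 2, "name": "Applicant C", "email": "c@example.test"},
    1004: {"restaurant_id": 3, "name": "Applicant D", "email": "d@example.test"},
}

class NotFound(Exception):
    """Raised for missing AND unauthorized IDs, so replies do not reveal which IDs exist."""

def get_applicant_vulnerable(session, applicant_id):
    # IDOR: the caller is authenticated, but the requested ID is trusted as-is.
    record = APPLICANTS.get(applicant_id)
    if record is None:
        raise NotFound(applicant_id)
    return record

def get_applicant(session, applicant_id):
    # Hardened: the object must belong to the caller's own restaurant.
    record = APPLICANTS.get(applicant_id)
    if record is None or record["restaurant_id"] != session.restaurant_id:
        raise NotFound(applicant_id)
    return record

def reachable_ids(handler, session):
    """Authorization regression check: which stored IDs does this session get back?"""
    reachable = []
    for applicant_id in sorted(APPLICANTS):
        try:
            handler(session, applicant_id)
            reachable.append(applicant_id)
        except NotFound:
            pass
    return reachable

if __name__ == "__main__":
    owner = Session(user="owner-2", restaurant_id=2)
    print("vulnerable:", reachable_ids(get_applicant_vulnerable, owner))
    print("hardened:  ", reachable_ids(get_applicant, owner))
```

Running `reachable_ids` against every object-returning handler in a test suite catches this class of bug before release, because a correct handler never returns records outside the session's own tenant.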
Protecting Your Data
Enjoyers of the McDonald’s breakfast menu who had applied for a job at McDonald’s could have faced problems if the issue hadn’t been quickly squashed. It doesn’t seem like passwords were exposed, but still: to stay safe online, you should use a different password on every website you visit to make it harder for nefarious parties to use a password from a breach against you. Also consider using data breach search engines like BreachDirectory.com to see if your data has been exposed in any data breach or to perform investigative activities on blockchain, IP addresses, or other data.

Besides the data breach search engine, there is the BreachDirectory API you can use for your own purposes, too: the BreachDirectory API will help you to access data in BreachDirectory through an interface.
Summary
Enjoyers of the McDonald’s breakfast menu may have had a problem on their hands: everyone who has applied for a job at McDonald’s may have had their data stolen. Thankfully, the problem was spotted by responsible researchers and quickly solved.
FAQ
Has McDonald’s Been Hacked?
McDonald’s hasn’t been hacked; however, data pertaining to millions of job applicants could have been exposed if not for security researchers. Nothing to worry about for now – enjoy your McDonald’s breakfast menu!
Why Should I Use BreachDirectory?
Consider using data breach search engines like BreachDirectory.com because they allow you to check whether your personal information is at risk by searching for email addresses, usernames, IP addresses, or other sensitive information. They can also help you investigate cybercrime if you’ve already fallen victim to identity theft or other attacks.