## Overview: 2025 McDonald’s Security Incidents

In 2025, McDonald’s faced two widely reported security incidents: a data breach involving its AI-powered hiring platform (“McHire”) built by Paradox.ai, and an app vulnerability that let users obtain unlimited free food because of a failure in server-side validation. Both incidents exposed critical weaknesses in McDonald’s application ecosystems and highlight well-known but still persistent security design failures.

---

## 1. McHire/Paradox.ai Data Breach

**Background:** McHire is McDonald’s global job application platform, used by thousands of franchisees. It is powered by Paradox.ai’s conversational AI chatbot “Olivia,” which screens job applicants and collects their personal information.

**Incident Summary:** In June-July 2025, security researchers discovered that McHire’s admin portal was left shockingly unprotected:

- Admin accounts were shielded by weak, unchanged credentials—specifically, one high-value account had used the password “123456” since initial testing in 2019, with no multi-factor authentication. ([source](https://research.cgu.edu/icdc/2025/07/01/mcdonalds-july-2025-breach/))
- An insecure direct object reference (IDOR) flaw let anyone alter applicant ID values in URLs and access other individuals’ records without authorization. ([source](https://research.cgu.edu/icdc/2025/07/01/mcdonalds-july-2025-breach/))
- A compromised developer credential (stolen by the “Nexus Stealer” malware) pointed to broader poor security practices at Paradox.ai. ([source](https://krebsonsecurity.com/2025/07/poor-passwords-tattle-on-ai-hiring-bot-maker-paradox-ai/))

**Technical Details:**

- **Credential Security:** A test admin account (“[email protected]”) permitted full backend access with a trivial password (“123456”). A brute-force or credential-stuffing attack was not even required: researchers guessed the login details from historical leaks and naming conventions.
- **Lack of MFA:** No two-factor authentication existed for sensitive admin accounts, so a single password was enough for complete compromise.
- **IDOR:** The API allowed direct querying of applicant records by ID. Changing the value in the request URL (e.g., `/applicants/123456`) returned the details of any other applicant, exposing names, emails, phone numbers, and chat transcripts for up to 64 million job seekers. ([source](https://research.cgu.edu/icdc/2025/07/01/mcdonalds-july-2025-breach/))
- **Backend Access:** The backend offered account management, applicant tracking, and chat logs covering five years of job application history across North America. ([source](https://technologymagazine.com/articles/how-mcdonalds-ai-bot-exposed-millions-of-peoples-data))
- **Incident Response:** Researchers responsibly disclosed the issues, and Paradox.ai shut down the vulnerable accounts, introduced mandatory 2FA, and launched a bug bounty program. ([source](https://www.malwarebytes.com/blog/news/2025/07/mcdonalds-ai-bot-spills-data-on-job-applicants))

**Impact:** No confirmed evidence of criminal exploitation was reported, but the research team was able to exfiltrate PII for millions of applicants.

---

## 2. McDonald’s App: Free Food Exploit via Missing Server-Side Validation

**Background:** The McDonald’s consumer app lets users order food, earn points, and redeem rewards at thousands of restaurant locations. It is one of the top food-ordering apps globally.

**Incident Summary:** In August 2025, hackers uncovered a bug that allowed anyone to repeatedly obtain free food through the app’s reward system:

- The app’s client-side logic tracked loyalty points earned and spent. When users redeemed points, only the app (on the user’s device) checked whether enough points were available, while the backend servers trusted the client’s submitted value.
- By modifying network requests, users could claim excessive point balances and redeem large orders, regardless of what they had actually earned.
**Technical Details:**

- **Client-Side Validation Only:** The app failed to verify point balances server-side before authorizing reward redemptions. Attackers could intercept requests (for instance, via a proxy tool), edit their “points” value to any arbitrary number, and successfully complete transactions. ([source](https://www.franksworld.com/2025/08/22/mcdonalds-app-bug-unlimited-free-food/))
- **API Design Flaw:** The API endpoint responsible for processing orders simply accepted the client’s claim about loyalty points, with no cross-check against server records. This created a trivial path for exploitation.
- **Attack Methodology:**
  - An attacker set up an interception proxy such as Burp Suite or mitmproxy.
  - They captured the redeem-order request and edited the “points” field in the payload (e.g., from “120” to “99999”).
  - The server fulfilled the order, assuming the user legitimately had enough points, and this worked for repeated large redemptions.
- **Disclosure/Repair:** A bug hunter published the exploit, contacted McDonald’s, and the vulnerability was fixed within several days of the initial reports. ([source](https://bobdahacker.com/blog/mcdonalds-security-vulnerabilities))

**Impact:** There were confirmed cases of unauthorized free food orders via this exploit. McDonald’s patched the bug, and affected users’ accounts were reset pending security reviews.

---

## Conclusion

Both incidents share a common root cause: **failure to enforce basic security principles on sensitive application processes**. Inadequate credential hygiene, lack of server-side validation, and insufficient authorization checks led to tangible impacts—exposed personal information for millions of job applicants and financial losses from manipulated loyalty rewards.

**Key technical lessons:**

- Always enforce strong server-side validation of any user-supplied data.
- Do not trust client logic for authorization or limit enforcement.
- Enforce strong credential policies (complex passwords, MFA) on all admin and development accounts.
- Design APIs to prevent IDOR and privilege escalation.
- Rapid incident response, disclosure, and remediation are vital in minimizing damage from such vulnerabilities.

These cases serve as essential reminders for any enterprise with customer-facing and internal apps to audit and strengthen their security posture continuously.
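The two server-side checks that the incidents above lacked, object-level authorization on an applicant record (the McHire IDOR) and a balance check that ignores the client's "points" field (the app redemption bug), in one minimal in-memory API. This is an added illustration, not McDonald's or Paradox.ai code; every name, ID, balance and reward cost in it is constructed sample data.

```python
# Added example, not McDonald's or Paradox.ai code: a minimal in-memory API
# showing the two server-side checks both incidents lacked. All names, IDs,
# balances and reward costs are constructed sample data.
from dataclasses import dataclass

class Forbidden(Exception):
    """Caller may not access the requested object."""

class InsufficientPoints(Exception):
    """Server-side balance cannot cover the redemption."""

@dataclass
class Applicant:
    applicant_id: int
    franchise: str   # franchise that owns the record
    name: str

@dataclass
class Session:
    user: str
    franchise: str = ""   # empty for consumer-app users

# Constructed stand-ins for the real backend stores.
APPLICANTS = {100: Applicant(100, "store-A", "Alice Example"),
              101: Applicant(101, "store-B", "Bob Example")}
POINTS = {"alice": 120, "bob": 40}          # authoritative balances
REWARD_COST = {"fries": 100, "big-meal": 900}

def get_applicant(session: Session, applicant_id: int) -> Applicant:
    """IDOR fix: the record's owner must match the caller's franchise, whatever
    ID the URL carried. One response for missing and foreign records avoids
    confirming which IDs exist."""
    record = APPLICANTS.get(applicant_id)
    if record is None or record.franchise != session.franchise:
        raise Forbidden(f"applicant {applicant_id} not accessible")
    return record

def redeem_reward_vulnerable(session: Session, reward: str, client_points: int) -> int:
    """The pattern the app had: the client's 'points' field is believed."""
    if REWARD_COST[reward] > client_points:
        raise InsufficientPoints("client reports too few points")
    return client_points - REWARD_COST[reward]

def redeem_reward(session: Session, reward: str, client_points: int) -> int:
    """Fix: ignore the client field and debit the server-held balance."""
    cost, balance = REWARD_COST[reward], POINTS[session.user]  # never client_points
    if cost > balance:
        raise InsufficientPoints(f"need {cost}, have {balance}")
    POINTS[session.user] = balance - cost
    return POINTS[session.user]
```

The vulnerable variant is kept only to show the contrast: it returns whatever remainder the client's number implies, while the fixed one refuses any order the server's own ledger cannot cover.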