McDonald's warns customers stop using 'bigmac' as password - 110,000 breaches later

The fast food chain's Netherlands division is running public service ads after Have I Been Pwned found menu items appearing in over 100,000 compromised passwords. It's a marketing stunt, but the underlying problem - people choosing memorable over secure - helped expose 64 million applicant records in McDonald's own hiring platform last year.

McDonald's Netherlands spent Change Your Password Day telling customers to stop using "bigmac" as their password. According to Have I Been Pwned data, the term and its leetspeak variants (b1gm@c, etc.) appear in 110,922 compromised passwords. "Happymeal," "mcnuggets," and "frenchfries" aren't far behind.

It's decent password hygiene advice wrapped in a marketing campaign. What makes it notable: McDonald's learned this lesson the hard way.

In June 2025, security researchers Ian Carroll and Sam Curry accessed McDonald's McHire recruitment platform - powered by Paradox.ai's chatbot "Olivia" - using the credentials "123456"/"123456". The test account gave them admin access to a live dashboard and API endpoint. By changing applicant IDs in the browser, they could access records for an estimated 64 million job candidates.
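The access pattern described above, where an applicant ID in the request is the only thing selecting the record, is an object-level authorization failure. The following is an added example, not McHire or Paradox.ai code, of how a record lookup should bind every request to the caller's tenant and role taken from the session rather than from the URL. The data store, the tenant and role model and the audit log are all constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Caller:
    """Authenticated principal. Tenant and role come from the session,
    never from request parameters the client controls."""
    user_id: str
    tenant_id: str
    role: str  # "admin" (tenant staff) or "applicant" (own record only)


@dataclass(frozen=True)
class Applicant:
    applicant_id: int
    tenant_id: str
    owner_user_id: str
    name: str


class NotFound(Exception):
    """Raised both for missing records and for records the caller may
    not see, so the two cases are indistinguishable to the client."""


# Constructed in-memory store: two tenants, three applicant records.
RECORDS = {
    1001: Applicant(1001, "tenant-a", "user-a1", "Applicant One"),
    1002: Applicant(1002, "tenant-a", "user-a2", "Applicant Two"),
    2001: Applicant(2001, "tenant-b", "user-b1", "Applicant Three"),
}

# Constructed audit trail of (outcome, caller user_id, requested id).
AUDIT_LOG: list = []


def get_applicant(caller: Caller, applicant_id: int) -> Applicant:
    """Serve an applicant record only to callers authorized for it."""
    record = RECORDS.get(applicant_id)
    # Tenant check first: a record from another tenant is treated exactly
    # like a record that does not exist.
    if record is None or record.tenant_id != caller.tenant_id:
        AUDIT_LOG.append(("denied", caller.user_id, applicant_id))
        raise NotFound(f"applicant {applicant_id}")
    # Within the tenant, non-admin callers may only read their own record.
    if caller.role != "admin" and record.owner_user_id != caller.user_id:
        AUDIT_LOG.append(("denied", caller.user_id, applicant_id))
        raise NotFound(f"applicant {applicant_id}")
    AUDIT_LOG.append(("served", caller.user_id, applicant_id))
    return record


def lookup_allowed(caller: Caller, applicant_id: int) -> bool:
    """True if the lookup was served, False if it was denied."""
    try:
        get_applicant(caller, applicant_id)
        return True
    except NotFound:
        return False


def denied_lookups(user_id: str) -> int:
    """Detection hook: number of denied lookups by one caller. A caller
    accumulating many denials in a short window is walking IDs."""
    return sum(1 for outcome, uid, _ in AUDIT_LOG
               if outcome == "denied" and uid == user_id)


if __name__ == "__main__":
    admin_a = Caller("admin-a", "tenant-a", "admin")
    print(get_applicant(admin_a, 1001).name)
    print("cross-tenant lookup allowed:", lookup_allowed(admin_a, 2001))
    print("denied lookups by admin-a:", denied_lookups("admin-a"))
```

The denial is logged with the caller identity, so a monitoring rule on `denied_lookups` per caller catches sequential ID enumeration even when each individual request looks like a normal record fetch.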

The exposed data included names, addresses, phone numbers, emails, work history, and chat transcripts. No Social Security numbers or financial information, but enough for targeted phishing campaigns. The platform lacked multi-factor authentication.

Paradox.ai fixed the vulnerability within 24 hours of disclosure on June 30, 2025. The company maintains it was a "legacy test account" for one client instance, not live production data, and that no third party beyond the researchers accessed it. The researchers' estimate of 64 million records suggests otherwise.

The incident checks familiar boxes: third-party vendor, AI-powered platform, weak default credentials, no MFA, rapid fix after disclosure. It's the same pattern we've seen in HR tech, facilities management systems, and government contractors.

McDonald's Netherlands is now running subway ads telling people "Ch!ck3nMcN4gg€t$" isn't a secure password. "You're lovin' it, but hackers too," the campaign warns.

They're right. Simple character substitution - @ for A, 1 for I, $ for S - stopped being effective security around 2004. Every password cracking dictionary includes these variations. If your password is based on a word that appears in any language, pop culture reference, or, apparently, a fast food menu, it's already in an attacker's wordlist.
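The defensive counterpart to the point above is a password denylist check that undoes the same substitutions before comparing, so that "B1gM@c" and "bigmac123" are rejected for the same reason "bigmac" is. The following is an added example, not code from the article or from McDonald's or Have I Been Pwned. The denylist (seeded with the four words the article reports) and the substitution table are constructed for illustration; a production check would consult a breached-password corpus such as the Pwned Passwords list rather than a handful of words.

```python
from __future__ import annotations

import re

# Constructed denylist. The first four words are the ones the article
# reports from Have I Been Pwned; the rest are added for illustration.
DENYLIST = frozenset({
    "bigmac", "happymeal", "mcnuggets", "frenchfries",
    "password", "qwerty", "123456",
})

# Reverse map for the substitutions the article lists (@ for A, 1 for I,
# $ for S) plus other common ones that cracking rules already undo.
LEET_MAP = {
    "@": "a", "4": "a", "8": "b", "3": "e", "€": "e", "1": "i", "!": "i",
    "|": "i", "0": "o", "$": "s", "5": "s", "7": "t", "+": "t",
}


def normalize(password: str) -> str:
    """Lowercase, undo character substitutions, then keep only letters so
    appended digits or symbols ("bigmac123") do not disguise the base word."""
    mapped = "".join(LEET_MAP.get(ch, ch) for ch in password.lower())
    return re.sub(r"[^a-z]", "", mapped)


def denylist_hit(password: str) -> str | None:
    """Return the denylisted word the password is based on, or None."""
    lowered = password.lower()
    if lowered in DENYLIST:            # catches "123456" and "qwerty" verbatim
        return lowered
    base = normalize(password)
    if base in DENYLIST:               # catches "B1gM@c" and "bigmac123"
        return base
    # Longer denylisted words embedded in the base ("happymeal2024"
    # normalizes to "happymealoa") still count; short words are skipped
    # to limit false positives on ordinary passphrases.
    for word in sorted(DENYLIST, key=len, reverse=True):
        if len(word) >= 6 and word in base:
            return word
    return None


def check_password(password: str, min_length: int = 12) -> list[str]:
    """Return reasons for rejection; an empty list means accepted."""
    problems: list[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    hit = denylist_hit(password)
    if hit is not None:
        problems.append(f"based on denylisted word '{hit}'")
    return problems


if __name__ == "__main__":
    for candidate in ["B1gM@c", "happymeal2024", "123456",
                      "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```

Checking the raw lowercased string first matters for purely numeric entries like "123456", which the letter-only normalization would otherwise erase; the containment pass is what catches a base word padded with a year or a name.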

The real lesson isn't about menu items. It's that the same thinking that produces "bigmac123" also produces "123456" - and the latter was protecting access to 64 million applicant records at a Fortune 500 company's recruitment vendor.

Use a password manager. Enable MFA everywhere. If you're procuring HR platforms, verify the vendor's authentication controls before you hand them candidate data. The basics still matter.