
Stale admin account with ‘123456’ password gives McDonald’s a security scare
Interacting with a chatbot as part of a hiring process feels somewhat dystopian from a candidate’s perspective. In this case, there was almost an added twist when candidate data was nearly exposed thanks to weak cybersecurity controls from the chatbot vendor. In late July 2025, independent security researchers Ian Carroll and Sam Curry uncovered a critical vulnerability in McDonald’s AI-powered hiring chatbot “Olivia.” The chatbot was being used by the fast food giant on its McHire.com recruitment platform.
Developed and maintained by Paradox.ai, it was designed to streamline candidate screening, automate resume reviews, collect contact information, and conduct preliminary personality testing. However, the platform’s backend was linked to an administrator account still secured with the default password 123456, unchanged since 2019, and guarded by no multi-factor authentication.
How a weak ‘123456’ password opened the door
Carroll and Curry discovered the flaw while performing an ad hoc security review prompted by widespread user complaints about Olivia’s performance. After only a handful of trial login attempts, they successfully logged in using 123456 as both the username and password. This credential granted administrative interface access that, if fully explored, could have exposed over 64 million chat records stored on the platform. The researchers responsibly spot-checked a small sample of IDs and accessed seven records (five containing real applicant data) before disclosing the issue to Paradox.ai and McDonald’s, who remediated the vulnerability the same day it was reported.
It seems hard to believe that a vendor with such a high-profile client would allow “123456” to be used to guard an admin account protecting customer information. But in our 2025 Weak Password Report, “123456” ranks as the most common malware-stolen password worldwide. When cybercriminals run brute-force or credential stuffing campaigns, they’re likely to find success with the most common and basic passwords.
Missing multi-factor authentication
Passwords alone aren’t enough – this is basic cybersecurity advice and recommended in any regulation worth its salt. In this case, the “123456” password was the single layer of authentication needed for the researchers to gain access to a critical admin account and pivot to internal systems.
A phishing-resistant mobile authenticator app could have stopped the unauthorized access in this case. It’s fortunate for McDonald’s and Paradox.ai that researchers found this account rather than malicious actors.
The risk of stale/inactive admin accounts
Another glaring oversight is that the compromised account had been inactive since 2019, yet it was never decommissioned. You would hope that admin accounts in active use had better security practices in place. But this counts for nothing if you have dormant accounts with weak security sitting around waiting to be compromised. Stale or inactive accounts are a problem in many organizations:
- Accounts can be forgotten when people leave organizations or switch teams. Sometimes test accounts are created then never deleted.
- They accumulate across the enterprise – on servers, legacy applications, cloud consoles.
- They often retain their privileges.
- They’re rarely monitored.
Interested to know how many stale/inactive accounts are in your Active Directory? Try our free tool, Specops Password Auditor, for a read-only Active Directory scan and exportable report.
Lessons learned from McDonald’s security scare
The McDonald’s incident illustrates five key lessons organizations should take away:
- Weak passwords are still exploitable. “123456” is not a relic of the past, it’s the #1 stolen password according to Specops research. Block it! Enforce password policies that don’t allow “123456,” “password,” or any other common, weak passwords.
- MFA isn’t optional. Every high-value account must have at least two factors. But really, all accounts should have MFA. Mandate MFA for all administrative, service, and remote-access accounts to block unauthorized access.
- Account lifecycle management matters. Disable or delete any administrative account that goes dormant. Schedule regular scans for inactive, expired, or orphaned accounts and promptly disable them.
- Create custom dictionaries. Words and phrases common to your business or industry should also be blocked. The password involved in the infamous SolarWinds hack was ‘solarwinds123’.
- Educate IT staff. Even seasoned administrators sometimes fall back to the easiest choice under pressure – research has found ‘admin’ at the top of administrator password lists. Make sure all employees understand the risks.
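As an added example (not code from Specops, Paradox.ai or the researchers), the following Python check implements three of the lessons above: rejecting common passwords even when disguised with a trailing year or leet substitutions, rejecting passwords that contain a term from a custom organization dictionary, and listing enabled privileged accounts that have been idle past a threshold. The blocklist, the custom terms and the account export are constructed sample data, not real breach or directory contents.

```python
import re
from datetime import date, timedelta

# Constructed stand-in for a breached/common-password list; a real deployment
# loads millions of entries from a breach corpus.
COMMON_BLOCKLIST = {"123456", "123456789", "12345678", "password", "qwerty", "admin"}

# Undo common character substitutions so 'P@ssw0rd' is judged as 'password'.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def check_password(pw, custom_terms=(), blocklist=COMMON_BLOCKLIST):
    """Return the list of policy violations for pw (empty means it passes).
    custom_terms is the organization's own dictionary (company, brand, product names)."""
    reasons = []
    lowered = pw.lower()
    if lowered in blocklist:
        reasons.append("common/breached password")
    # Drop a trailing run of digits/symbols and undo leet: 'Adm1n2019' -> 'admin'
    stem = re.sub(r"[^a-z]+$", "", lowered).translate(LEET)
    if stem and stem != lowered and stem in blocklist:
        reasons.append(f"common password with trivial suffix ({stem!r})")
    deleeted = lowered.translate(LEET)
    for term in custom_terms:
        if term.lower() in deleeted:
            reasons.append(f"contains custom dictionary term {term!r}")
    return reasons


def find_stale_admins(accounts, today, max_idle_days=90):
    """Names of enabled privileged accounts idle longer than max_idle_days
    (or never logged on): the candidates to disable or delete."""
    cutoff = today - timedelta(days=max_idle_days)
    return [a["name"] for a in accounts
            if a["enabled"] and a["is_admin"]
            and (a["last_logon"] is None or a["last_logon"] < cutoff)]


# Constructed sample directory export and audit date (not real accounts).
AUDIT_DATE = date(2025, 8, 13)
SAMPLE_ACCOUNTS = [
    {"name": "vendor-admin", "is_admin": True, "enabled": True, "last_logon": date(2019, 6, 1)},
    {"name": "jdoe-adm", "is_admin": True, "enabled": True, "last_logon": date(2025, 8, 1)},
    {"name": "test-admin", "is_admin": True, "enabled": True, "last_logon": None},
    {"name": "old-svc", "is_admin": True, "enabled": False, "last_logon": date(2018, 1, 1)},
]

if __name__ == "__main__":
    for pw in ("123456", "Adm1n2019", "solarwinds123", "Correct-Horse-Battery-9"):
        print(pw, "->", check_password(pw, custom_terms=("SolarWinds",)) or "OK")
    print("stale admins:", find_stale_admins(SAMPLE_ACCOUNTS, AUDIT_DATE))
```

Disabled accounts and non-privileged accounts are deliberately left out of the stale list so the output is the action list for the admin-account lesson, not a full inactivity report.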
Proactively protect with Specops
After being notified by Paradox.ai, McDonald’s security team immediately disabled the vulnerable admin account and rolled out MFA for all AI-related interfaces. They also launched a company-wide audit to decommission any stale credentials. While no evidence suggests data exfiltration beyond the proof-of-concept access, Paradox.ai has since launched a bug bounty program to encourage ongoing security research and prevent future lapses.
But rather than retrofitting after an incident, it’s best to adopt a proactive posture and take action today. Specops Password Policy sits directly in Active Directory to block weak and compromised passwords, automatically rejecting strings like “123456” and continuously scanning for over 4 billion compromised credentials. Don’t get caught off guard by a six-character slip-up – book a live demo today.
(Last updated on August 13, 2025)