Show Notes
Follow on LinkedIn: www.linkedin.com/company/idtheftcenter/
Follow on Twitter: twitter.com/IDTheftCenter
Show Transcript
Welcome to the Identity Theft Resource Center's (ITRC’s) Weekly Breach Breakdown for August 8, 2025. I'm Alex Achten, Senior Director of Communications & Media Relations of the ITRC. Thanks to Sentilink for supporting the ITRC and this podcast. Each week, we look at the most recent events and trends related to data security and privacy. Today, we are going to look at how a weak password at a large corporation led to the exposure of millions of people’s personal information, and explore good password practices.
In the past on this podcast, we have joked about the password “123456”. It is a very weak password and, according to the 2025 Hive Systems Password Table, it would be cracked instantly by an identity criminal. This weak password provides no security, and while you’d think no one would use it today, it is still commonly used. In fact, NordPass reports that it is the most commonly used password worldwide, with a count of 3,018,050.
That weak password recently led to a significant exposure. According to KrebsonSecurity, security researchers recently revealed that the personal information of millions of people who applied for jobs at McDonald’s was exposed after they guessed the password “123456” for the fast-food chain’s account at Paradox.ai, a company that makes artificial intelligence-based hiring chatbots used by many Fortune 500 firms. Paradox.ai said the security oversight from the McDonald’s data breach was an isolated incident that did not affect its other customers. However, recent security breaches involving its employees in Vietnam tell a more nuanced story.
Krebs says that in July, two security researchers wrote about methods they found to access the backend of the AI chatbot platform on McHire.com, the McDonald’s website that many of its franchisees use to screen job applicants. As first reported by Wired, the researchers discovered that the weak password used by Paradox exposed 64 million records, including applicants’ names, email addresses and phone numbers.
Paradox.ai acknowledged the researchers’ findings. However, they said the company’s other client instances were not affected, and that no sensitive information, such as Social Security numbers, was exposed.
Krebs continued on to say that a review of stolen password data gathered by multiple breach-tracking services shows that at the end of June 2025, a Paradox.ai administrator in Vietnam suffered a malware compromise on their device that stole usernames and passwords for a variety of internal and third-party online services.
The password data from the Paradox.ai developer was stolen by a malware strain known as “Nexus Stealer,” a form grabber and password stealer that is sold on cybercrime forums. The information stolen by groups like Nexus is often recovered and indexed by data leak aggregator services like Intelligence X, which reports that the malware on the Paradox.ai developer’s device exposed hundreds of primarily poor and recycled passwords (using the same base password but slightly different characters at the end).
Those credentials show the developer in question at one point used the same seven-digit password to log in to Paradox.ai accounts for several Fortune 500 firms listed as customers on the company’s website, including Aramark, Lockheed Martin, Lowes and Pepsi.
There is much more to Brian Krebs’ story on the McDonald’s data breach. You can read it in its entirety by clicking here.
We highlight the McDonald's data breach this week because, while good password practices are regularly discussed, not everyone is adopting them. A single weak password was all it took to expose millions of records. Look no further than the NordPass report. The top five most-used passwords are:
- 123456
- 123456789
- 12345678
- password
- qwerty123
All of these weak passwords can be guessed in less than one second. The ITRC recommends that people use 12+ character passphrases, unique to each account. A passphrase, unlike a single word or acronym, is a combination of words that mean something to you. It should increase the likelihood of creating unique logins for every account you own instead of reusing a single password on multiple accounts, which would put you at risk of a credential-stuffing attack.
For example, if you graduated from Kansas State University, one of your passphrases could be “3veryManaW1ldcat!”. If you made the “E” a “3”, the “I” a “1” and added an “!” at the end, it would take six quintillion years to crack. That is a long time!
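The guidance above (12+ character passphrases, unique per account, never one of the most-used passwords) can be turned into a simple policy check. The code below is an added illustration, not from the ITRC or NordPass; the guess rate it uses for the keyspace estimate is an assumption, so its figures will not match the Hive Systems table, which is based on its own hardware assumptions.

```python
"""Password policy check and brute-force keyspace estimate (added example)."""
import string

# Top five most-used passwords from the NordPass report quoted in the episode.
COMMON_PASSWORDS = {"123456", "123456789", "12345678", "password", "qwerty123"}
MIN_LENGTH = 12  # the ITRC's 12+ character recommendation


def character_classes(pw: str) -> int:
    """Alphabet size an attacker must cover to brute-force pw exhaustively."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size


def brute_force_years(pw: str, guesses_per_second: float = 1e12) -> float:
    """Worst-case years to exhaust the keyspace.

    The default rate of one trillion guesses per second is an assumed value
    for illustration, not a measured figure.
    """
    keyspace = character_classes(pw) ** len(pw)
    return keyspace / guesses_per_second / (365 * 24 * 3600)


def check_password(pw: str, already_used: set[str]) -> list[str]:
    """Return policy violations for pw; an empty list means it passes.

    already_used holds passwords in use on the person's other accounts,
    so reuse (the precondition for credential stuffing) is flagged.
    """
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("in the most-used password list (guessed instantly)")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw in already_used:
        problems.append("reused on another account (credential-stuffing risk)")
    return problems
```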
Weak password practices are another reason why the ITRC believes people should switch to passkeys whenever available. When fully implemented, passkey adoption can eliminate an entire class of identity crimes. Also, they are safer. You cannot lose a passkey like a password. Identity criminals cannot steal it because it is unique to you. It is bound to a company’s website, meaning it will not work if used to log on to a fake website or during a phishing attack.
If you want to know more about how to avoid using a weak password, protect your business or personal information or think you have been the victim of an identity crime, you can speak with an expert ITRC advisor on the phone, via text message, chat live on the web, or exchange emails during our normal business hours (6 a.m.-5 p.m. PT). Just visit www.idtheftcenter.org to get started.
Thanks again to Sentilink for their support of the ITRC and this podcast. Please hit the like button for this episode and subscribe wherever you listen to your podcasts. We will return next week with another episode of the Weekly Breach Breakdown. I'm Alex Achten. Until then, thanks for listening.