Would you like your personal data exposed because of a weak password? That’s the one question McDonald’s hiring website forgot to ask job applicants.
According to NordPass, 123456 is the most common password of 2025 so far. It was also reportedly the password of choice for Paradox.ai, the vendor behind McHire, McDonald’s automated hiring and screening platform.
Security researchers discovered a serious vulnerability in Paradox.ai’s system that allowed nearly all chat records with its AI assistant Olivia, including names, email addresses, and phone numbers, to be accessed using the default administrator email and a weak password, “123456.” Fortunately, the issue was not found by malicious hackers, and Paradox.ai responded quickly by fixing the vulnerability within an hour of being alerted.
All parties now believe that while the data was exposed, it was not accessed by bad actors. Paradox.ai has published a detailed statement, timeline, and launched a bug bounty program to encourage ethical disclosures in the future.
So, if researchers found it and the issue was fixed quickly, why does this still matter?
Reputational Damage
In many breaches, the vulnerability comes from a third-party vendor, but it is the brand that takes the reputational hit. A headline about a McDonald’s data breach draws more attention than the vendor’s name and often leads to public confusion. Casual readers may assume the breach affected customers or app users, and before long, the narrative shifts blame to McDonald’s. And while readers should look deeper, that does not always happen.
In this case, McDonald’s quickly clarified that the issue originated with Paradox.ai and called the third-party vulnerability unacceptable to get ahead of any misunderstanding.
The Importance of Third-Party Risk Management
Vendors are essential for most businesses, but each one adds third-party risk. Even if your organization has a strong security program, your vendors may not. Their risks become your own. It only takes one weak link to bring down the structure, like pulling a single card from the bottom of a house of cards. That is why a strong third-party risk management program is critical to protecting your operations, data, clients, and brand.
If you have questions about assessing your current approach or starting a third-party risk management program, contact our third-party risk management team or learn more at www.schneiderdowns.com/tprm.
Credential Security Is Everyone’s Responsibility
We often hear about complex cyber-attacks like ransomware, deepfakes, and spear phishing. But basic security flaws like weak passwords still put organizations at risk.
There is no excuse for using a password like 123456. And no, 123456789 is not better. Use a password manager and make credential security a core part of your information security program. Ask your vendors about their password policies and access controls and set clear security requirements from the first sales call. The more you understand their security posture, the better you can decide if they are the right fit for your organization.
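The two controls this section calls for, a password policy that rejects entries like 123456 and a way to check whether any existing account already uses one, can both be expressed as a small audit script. The following is an added example, not code from Paradox.ai, McDonald's, or Schneider Downs; the blocklist, the sample accounts, and the choice of PBKDF2-HMAC-SHA256 for storage are all assumptions made for illustration. The audit works the way a defender would actually run it: it never needs plaintext passwords, only the stored salted hashes, and it hashes each blocklisted candidate with the account's own salt to see whether it matches.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed blocklist: a handful of entries of the kind that top the annual
# "most common passwords" lists. A real deployment loads a far larger corpus
# (for example a breached-password list) from disk instead of hard-coding it.
COMMON_PASSWORDS = {"123456", "123456789", "password", "qwerty", "admin", "12345678"}
MIN_LENGTH = 12          # assumed policy minimum
PBKDF2_ITERATIONS = 100_000


def validate_password(candidate: str, blocklist=COMMON_PASSWORDS,
                      min_length: int = MIN_LENGTH) -> list[str]:
    """Return the policy violations for a proposed password (empty list = acceptable).

    The blocklist lookup is case-insensitive so 'Password' is rejected along
    with 'password'. All-digit strings are rejected outright because
    '123456789' is no better than '123456'.
    """
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if candidate.lower() in blocklist:
        problems.append("appears on the common-password blocklist")
    if candidate.isdigit():
        problems.append("consists only of digits")
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 (standard library only, so this runs anywhere)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes


def make_account(username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt))


# Constructed sample directory. In a real audit only the salts and hashes are
# available; the plaintexts here exist solely to build the fixture.
ACCOUNTS = [
    make_account("admin", "123456"),
    make_account("recruiter1", "correct-horse-battery-staple-2025"),
    make_account("svc-integration", "123456789"),
]


def audit_accounts(accounts, blocklist=COMMON_PASSWORDS) -> dict[str, str]:
    """Find accounts whose stored hash equals the hash of a blocklisted password.

    Returns {username: matching_blocklist_entry}. Each candidate is hashed with
    the account's own salt and compared in constant time; no plaintext is ever
    stored or compared directly.
    """
    findings = {}
    for acct in accounts:
        for candidate in blocklist:
            if hmac.compare_digest(hash_password(candidate, acct.salt), acct.pw_hash):
                findings[acct.username] = candidate
                break
    return findings


if __name__ == "__main__":
    for pw in ("123456", "correct-horse-battery-staple-2025"):
        print(f"{pw!r}: {validate_password(pw) or 'OK'}")
    for user, hit in audit_accounts(ACCOUNTS).items():
        print(f"account {user!r} uses blocklisted password {hit!r}")
```

Run as a script it reports the two sample accounts that still use blocklisted values. The validation function belongs at every place a credential is set (onboarding, password reset, vendor-provisioned admin accounts), while the audit belongs on a schedule, since a blocklist that was acceptable last year may not be acceptable after the next breach corpus lands.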
Commit to Layered Protection and Password Security
Beyond strong passwords, implementing multi-factor authentication, regularly clearing browser and temporary files, and avoiding storage of credentials in easily accessible locations can strengthen your credential security.
It may sound basic, but simple habits still matter. It might feel outdated to remind people not to write passwords on sticky notes in 2025, but since this article is about someone using 123456 to protect administrator access on a hiring platform, I am fairly certain someone out there still has passwords written down. And no, hiding them under the desk does not make them any more secure.
If you have any questions about your cybersecurity program, vendor requirements or third-party risk, contact our team at [email protected].
About Schneider Downs Cybersecurity
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.
To learn more, visit our dedicated Cybersecurity page.
Want to be in the know? Subscribe to our bi-weekly newsletter, Focus on Cybersecurity.