‘Hamburglar’ hacker targets McDonald’s app to steal thousands in food

A growing number of people who use the McDonald’s app are reporting having their accounts hacked and used to buy food.

Just last week Patrick O’Rourke, a Canadian journalist and managing editor of Mobile Syrup, revealed that he too had fallen victim to what some are calling the Hamburglar hacker.

O’Rourke says the incident began after he attempted to make a purchase on the McDonald’s app in Canada, known simply as “My McD’s,” but had his order declined. After forgetting about the app, which holds users’ credit card details, O’Rourke says he began to notice strange activity two weeks later.

The account suddenly began acquiring food “from various McDonald’s locations across Montreal, Quebec,” costing O’Rourke $2,000 CAD or $1,509 USD. Numerous purchases were made within minutes of one another, O’Rourke added, fueling speculation that his account details may have been shared with numerous people.

After contacting McDonald’s to dispute the more than 100 meals purchased, O’Rourke says he was told to take the issue up with his bank. And although he did eventually receive a refund, O’Rourke told CBC that McDonald’s reaction was subpar given the severity of the issue.

“To me, it just seems like a little bit negligent… like they don’t really care,” O’Rourke said. “McDonald’s should at least be sending out a mass email to everyone that has the account [to say], ‘Hey, you should reset your password.’”

McDonald’s Canada responded to the issue by telling CBC that it believed O’Rourke’s case was part of only a few “isolated incidents” involving app accounts being breached.

“If guests notice any unauthorized purchases, we recommend they contact their bank and change their password immediately,” spokesperson Adam Grachnik told CBC.

O’Rourke, however, was able to find numerous instances on Twitter of Canadian individuals who similarly had their accounts compromised.

When questioned about the security of its app, McDonald’s Canada defended its product.

“Similar to other apps, we are constantly improving the My McD’s App and updating it with enhancements to make the user experience as strong and safe as possible,” said Grachnik.

It remains unclear how exactly account credentials are being accessed. In a statement to Gizmodo, McDonald’s Canada added that users should be “diligent online by not sharing their passwords with others, creating unique passwords and changing passwords frequently.”

Despite the fast food giant’s assurances, O’Rourke argues that the company’s response is troublesome.

“I find it pretty shocking that a massive company like McDonald’s wouldn’t just take responsibility for something like this,” O’Rourke said. “They have more than enough money to be reimbursing people for these issues.”

Mikael Thalen

Mikael Thalen is a tech and security reporter based in Seattle, covering social media, data breaches, hackers, and more.