A researcher calling himself BobDaHacker says a hunt for free McNuggets through McDonald’s mobile app led him to a serious McDonald’s security flaw.
The issue came from the “Feel-Good Design Hub,” a platform used by McDonald’s teams and agencies in more than 120 countries. At first, it relied on a client-side password. When Bob flagged the weakness, McDonald’s added an account-based login. But that fix was easy to bypass. By changing “login” to “register” in the URL, Bob created new accounts with full access.
From nuggets to plain-text passwords

Each new registration triggered an email with the account password written in plain text. In 2025, that kind of practice is one of the clearest signs of poor security.
Exploring further, Bob found more holes. He could view “highly confidential” marketing material and even search for any McDonald’s employee worldwide, complete with email addresses.
Reporting the issue turned into its own hack
Bob then tried to report the problem. McDonald’s once had a security.txt file with contact details, but removed it months later. With no direct reporting channel left, Bob got creative.
“I called McDonald’s HQ,” he explained. “The hotline asks for the name of the person you want. So I started naming random security staff I found on LinkedIn until someone finally called me back.”
McDonald’s response
Bob says McDonald’s has fixed most of the vulnerabilities. Still, he criticized the company for failing to set up a proper disclosure process and for cutting ties with a collaborator who helped him during the investigation. Without a reliable reporting path, future researchers might walk away instead of pushing to disclose flaws.
Another McDonald’s security stumble
Just last month, another McDonald’s platform turned up with a password set to “123456.” Combined with Bob’s findings, the picture is clear: one of the world’s biggest brands still struggles with basic security.
What began as a simple quest for free nuggets ended with BobDaHacker exposing how easily McDonald’s systems could be breached. Ronald wouldn’t be lovin’ it.