McDonald's hit by a cyberattack: loyalty accounts used without customers' knowledge
On 21 May 2026, McDonald's France confirmed a credential-stuffing campaign that hijacked customer McDo+ loyalty accounts, with fraudsters draining accumulated points for free orders; no banking data was affected and the company launched a mass password reset.
- Victim
- McDonald's
On 21 May 2026, McDonald's — the fast-food chain's French operation and its McDo+ loyalty programme — confirmed a security incident in which attackers gained fraudulent access to customer loyalty accounts and spent the points stored in them without the account holders' knowledge.
The intrusion bears the hallmarks of a credential-stuffing campaign rather than a breach of McDonald's own systems: McDonald's noted that such attacks "reuse identifiers recovered from previous data leaks on other platforms." Criminals obtained or bought working McDo+ logins, then placed orders to redeem accumulated points for discounts and free products. Stolen accounts were openly traded and resold through dedicated Discord and Telegram groups, and dozens of victims surfaced on Reddit, TikTok and X.
Data and assets exposed were limited to the loyalty layer:
- McDo+ account credentials (usernames / passwords)
- Accumulated loyalty points, drained via fraudulent orders
- Account identifiers enabling unauthorised orders
McDonald's stated that no banking data or sensitive financial information was accessed, as the loyalty programme operates independently of payment systems. The company said two partners detected the unauthorised access, implemented corrective measures, launched a general reset of McDo+ credentials, and temporarily disabled some Apple Wallet and Google Wallet virtual cards. Customers were urged to change their passwords and review their order history and points balance for suspicious activity. McDonald's France has not disclosed the number of affected accounts.
Sources
- cyberattaque.orghttps://www.cyberattaque.org/mcdonalds-touche-par-une-cyberattaque-des-comptes-fidelite-utilises-a-linsu-des-clients/
- journaldugeek.comhttps://www.journaldugeek.com/2026/05/21/des-comptes-mcdonalds-pirates-en-france-vos-points-fidelite-ont-ils-ete-voles/
- economiematin.frhttps://www.economiematin.fr/mcdonalds-fuite-donnees-fidelite-programme