
Since spring 2026, dozens of McDonald’s France customers have discovered that their McDo+ loyalty points have been used by strangers to place free orders. The phenomenon, documented by several media outlets specializing in cybersecurity and widely shared on social media, does not stem from a spectacular hack of the McDonald’s database. The mechanism is both more mundane and harder to curb.
Credential stuffing: the technique behind the theft of McDo accounts
The McDonald’s loyalty accounts were not breached due to a flaw specific to the brand. According to analyses reported by ZATAZ in May 2026, attackers exploit credential databases from old leaks, coming from other online services. These email/password pairs, aggregated over the years, are tested automatically and massively on McDo+ accounts.
This method has a name: credential stuffing. An automated script tries thousands of combinations per minute on the McDonald’s login page. Each time a customer reuses the same password across multiple sites, their account becomes vulnerable, even if McDonald’s has not been directly compromised.
A Reddit user’s testimony illustrates the confusion this generates: a unique, randomly generated password, and yet the account is emptied. Several hypotheses are circulating (malware on the phone, stolen session, intercepted authentication token), but in the majority of documented cases, password reuse remains the main cause. Field reports vary on this point, as some users claim to have unique passwords without a formal explanation for the compromise.

Why loyalty points interest cybercriminals
Stealing McDo points may seem trivial compared to hacking a bank account. The reality is different. ZATAZ has noted since 2024 an increase in attacks specifically targeting points programs across all sectors: fast food, airlines, hospitality, retail.
Several reasons explain this growing interest:
- Loyalty accounts are rarely protected by two-factor authentication, unlike bank accounts or messaging services.
- Victims often take weeks to notice the disappearance of their points, giving fraudsters time to act.
- Some criminal groups now specialize in point theft rather than traditional bank cards, as the perceived legal risk is lower for seemingly minor loot.
The shift is clear: loyalty points have become a parallel currency with real value in underground markets.
Reselling on Telegram: the monetization channel for stolen accounts
Once McDo+ accounts are compromised, the points are not simply used by the hacker to pay for a meal. ZATAZ documents the existence of Telegram bots and closed marketplaces where points accounts are resold at cut prices. The final buyer places an order (often for delivery) at the expense of the legitimate account holder.
This operation is anything but amateur. The same channels were already used to resell stolen Netflix or Spotify access. The infrastructure is well established: a catalog of accounts sorted by points balance, payment in cryptocurrency, and almost instant delivery of the account to the fraudulent customer.
The problem for McDonald’s (and for other affected brands) is that this parallel economy makes every loyalty account monetizable, even those with a modest balance. The volume compensates for the low unit value.

Response from McDonald’s France and limitations of current measures
McDonald’s France has reacted by sending a message to its customers announcing the renewal of their loyalty ID and the deactivation of their McDo+ card in Apple Wallet and Android Wallet. The brand stated that it is “doing everything possible to ensure data protection and the security of the McDo+ account.”
In practice, this reset forces users to generate a new virtual card. As a TikTok user pointed out, creating a new account is not enough: it is necessary to request a new card number with the transfer of remaining points, otherwise the problem may recur with the same compromised ID.
The available data does not allow for a conclusion on the exact extent of the leak. McDonald’s has not provided a specific figure on the number of affected accounts. However, the increasing number of testimonies on Reddit, TikTok, and specialized forums suggests that the phenomenon goes beyond an isolated incident.
Protecting your loyalty account: what really works
Protecting a McDo+ account relies on a few simple principles that are rarely applied:
- Use a unique password for each service, generated by a dedicated password manager (not just the browser’s).
- Regularly check the order history and points balance to spot any suspicious activity before the account is completely emptied.
- Enable two-factor authentication if the app offers it (which, to date, remains limited on the McDonald’s France app).
- Check if your email address appears in known leaks, using services like Have I Been Pwned.
Changing your password after each known leak from another service is the most effective measure against credential stuffing, as it is precisely password reuse that fuels these attacks. The theft of McDo points is just a symptom of a larger problem: managing digital credentials remains the weak link in security for the majority of users.