It’s unclear if there is one mysterious Hamburglar hacker or multiple scammers, but for months, users of the Canadian McDonald’s app, “My McD’s,” have been complaining about someone gaining access to their accounts to fuel their feeding frenzies.
Last week, Canadian journalist Patrick O’Rourke, managing editor of Mobile Syrup, became the latest known victim of this scam and published an account of his experience. Somehow a hacker gained access to his My McD’s account, which was attached to his Mastercard. The app had a transaction failure the first two times O’Rourke tried to use it, he said, so he gave up on it. But over the next two weeks, someone else used it for their McBender—spending $2,034 CAD ($1,509 USD) on more than 100 meals of Big Macs, McFlurries, Chicken McNuggets, and poutine.
Some purchases happened within minutes of each other. O’Rourke speculated to the CBC that perhaps one person hacked his account then “shared it with a bunch of his friends across Montreal, and they all just went on a food spree.”
Reached for comment, McDonald’s sent Gizmodo a statement similar to what it shared with O’Rourke. “While we are aware that some isolated incidents involving unauthorized purchases have occurred, we are confident in the security of the app,” the statement reads. “We do take appropriate measures to keep personal information secure. McDonald’s also does not store credit card information as My McD’s app only holds a ‘token’ with the payment provider to allow purchases.”
The statement also recommends users be “diligent online by not sharing their passwords with others, creating unique passwords and changing passwords frequently.”
As O’Rourke points out in his piece, this statement from McDonald’s suggests that a major cause of the breaches is weak passwords. But since O’Rourke found dozens of tweets about similar My McD’s breaches, he is suspicious about the company blaming users’ password practices. He thinks it’s likely a security flaw in the app is allowing hackers to breach people’s accounts.
When O’Rourke complained to customer service, the agent reportedly asked him to read the dozens of fraudulent transactions aloud over the phone, then told him McDonald’s couldn’t help and his bank was responsible. His bank refunded the money, after initially telling him their fraud department could possibly conclude McDonald’s is responsible for reimbursement of stolen funds.
Another victim who was reportedly defrauded through breaches of his My McD’s app told the CBC that McDonald’s also told him his credit card company was responsible for the refund.
“I find it pretty shocking that a massive company like McDonald’s wouldn’t just take responsibility for something like this,” O’Rourke told CBC. “They have more than enough money to be reimbursing people for these issues.”
McDonald’s told Gizmodo it is “constantly improving the My McDs app and updating it with enhancements to make the user experience as strong and safe as possible.” But in the meantime at least, a good way to avoid buying munchies for a hacker is to keep this app off your phone.