McDonald's app customers are getting their accounts hijacked by hackers who spent as much as $2,000 on enormous orders of Big Macs and nuggets

MyMcD's McDonalds appA promotional advert for Canada's MyMcD's app.McDonald's

  • McDonald's app users are being targeted by hackers who order more than $2,000 worth of meals and leave no trace.
  • The "My McD's" app in Canada can be used to pre-order food and drink for collection, and stores credit card information for payments. 
  • So far in 2019 there have been dozens of reports on Twitter, App Store reviews, and Reddit that the app  is often the target of hackers. 
  • McDonald's says it is "aware" of the reports but is "confident in the security of the app."
  • On some occasions, McDonald's Canada has refused to refund fraudulent transactions and urged users to contact their banks for compensation.
  • Visit Business Insider's homepage for more stories. 

Users of a McDonald's app in Canada are having their accounts commandeered by hackers who are using the accounts to order food for themselves, racking up bills in excess of CAD $2,000.

The scammers appear to quietly access the accounts and then make many regular-sized orders costing around $20 a time. Victims say they didn't notice the money leaving their accounts, sometimes for weeks.

Over several months, users of the My McD's app say they've been scammed and charged for orders they didn't make, and have posted screenshots of the receipts online.

big macFlickr/Emanuele

It is not clear how hackers are accessing people's accounts. McDonald's has said it is confident in the security of the app.

Most recently, Patrick O'Rourke, a technology journalist, was charged for 100 separate meals, totalling $2,000, at a branch in Montreal between April 12-18. 

"McDonald's should at least be sending out a mass email to everyone that has the account [to say], 'Hey, you should reset your password'," he told CBC.

On many occasions, including with O'Rourke, McDonald's Canada has said it would not refund the transactions, and has urged app users to seek compensation from their bank instead.

The number of people who say their accounts have been breached is increasing by the day.

McdonaldsAP Photo/Ng Han Guan

In February 2019, a hacker bought $484 of McDonald's products via the account of a woman named Lauren Taylor.

Taylor lives in Halifax, Nova Scotia, but the food was ordered from a restaurant in Quebec, more than 550 miles away. "It's amazing to see how quick someone can just breach your privacy," she told CBC,.

Read more: Leaked documents show that McDonald's is adding international hits to its American menu, including the Spanish Grand McExtreme Bacon Burger and the Dutch Stroopwafel McFlurry

MyMcD's app user Patty Duke from Ontario had $100 worth of McDonald's meals - mainly filets-o-fish - bought with her card through the app in February, she told CTV.

MyMcD's app user Brett O'Donnell was the target of scammers on January 17. He only lost $50, but told CBC that ihe missed the rogue transactions because receipt emails were landing in his spam inbox.

Mcdonalds PoutineMcDonald's Canada/Facebook

Ontario resident Brian Coleman told CBC he had $267 worth of McDonald's charged to his credit card from a branch miles away in Montreal.

"I expected them to do the refund because it was their fault," he stressed. "It's their application. If it's not secure, they should take responsibility."

Read more: McDonald's lost a 'David versus Goliath' trademark battle over Big Macs to a small Irish rival called Supermac's

Many others complained to McDonald's online.

McDonald's Canada spokesman Adam Grachnik told CBC:

"While we are aware that some isolated incidents involving unauthorized purchases have occurred, we are confident in the security of the app. We do take appropriate measures to keep personal information secure."

"Similar to other apps, we are constantly improving the My McD's App and updating it with enhancements to make the user experience as strong and safe as possible."

Business Insider contacted McDonald's Canada for comment but is yet to receive a response.

{{}}
Add Comment()
Comments ()
X
Sort By:
Be the first one to comment.
We have sent you a verification email. This comment will be published once verification is done.