McDonald’s France has confirmed that attackers accessed customer loyalty account information after a breach affecting partners tied to its McDo+ rewards program.
The incident led to widespread fraud in which stolen loyalty points were reportedly used to place unauthorized food orders across France.
The breach came to light after numerous McDonald’s France customers began receiving emails notifying them that their McDo+ loyalty identifiers had been reset “as a security measure.” Screenshots shared online by affected users show the company informing customers that their digital loyalty cards stored in Apple Wallet and Android Wallet had been disabled and replaced with new identifiers.
French technology outlet 01net first reported on the incident after discovering unauthorized activity on a staff member’s own McDo+ account. According to the report, loyalty points accumulated over several months were redeemed for an order placed at a McDonald’s restaurant in Nice, roughly 940 kilometers from the account owner’s location.
A growing number of similar complaints soon appeared on Reddit, TikTok, and X, where customers reported missing loyalty points and fraudulent orders tied to their accounts.
McDonald’s is one of the largest fast-food chains in France, operating more than 1,500 restaurants nationwide through a mix of corporate and franchise locations. Its McDo+ loyalty program is widely used through the company’s mobile app, allowing customers to accumulate points redeemable for free menu items and discounts.
Cybercriminals openly advertised stolen McDonald’s loyalty accounts on Telegram and Discord channels. These accounts allegedly contained valid loyalty identifiers and available reward balances that buyers could use to redeem food orders at self-service kiosks inside restaurants. Videos circulating on TikTok showed individuals demonstrating how to place “free” orders using compromised accounts that did not belong to them.
The fraud scheme appears to have relied on access to valid loyalty account identifiers rather than payment card theft. Buyers could reportedly either scan a compromised account barcode or manually enter the stolen loyalty ID at restaurant kiosks to redeem points attached to victims’ accounts.
In a statement to 01net, McDonald’s France confirmed that two external partners involved in the loyalty program recently detected “attempts to access customer information.” The company said it took immediate action to secure the affected environment.
“McDonald’s France and its partners take data protection very seriously,” the company stated. “No sensitive or financial data was accessed.”
However, the scale of customer complaints suggests attackers successfully accessed at least some loyalty account data, even if payment information was not compromised. McDonald’s has since initiated a forced reset of customer loyalty identifiers to prevent further abuse.
Customers using McDo+ are advised to review their recent loyalty activity, monitor for unauthorized orders, and reset passwords associated with their McDonald’s accounts. It’s also recommended to enable multi-factor authentication whenever available and to avoid reusing passwords across services.
Leave a Reply