
Weak Onboarding Passwords Expose Corporate Systems to Unnecessary Risk

[Image: busy office scene with people working, an unattended laptop and other objects representing the risks of weak passwords.]

More than 64 million job applications were tied to chat interactions that researchers could view after they accessed a test "restaurant" environment in McHire, a 2025 discovery that underscores a simple truth: a forgotten or poorly handled credential can expose large volumes of sensitive data in a single misstep.

Why email, SMS, and phone introduce exposure during onboarding

Onboarding is hectic: devices, accounts, access permissions and passwords must all arrive within a tight timeframe. The most common fix — sending a temporary, “first-day” password over email or SMS — is quick and convenient, but the source material makes clear how that convenience creates risk. Messages can be intercepted, forwarded, or opened on unsecured devices, any of which hands an attacker immediate access to corporate systems.

Verbal delivery — in person or by phone — avoids some digital interception risks but introduces operational friction. Coordinating live handoffs adds delays and often pushes managers or third parties into the chain of custody. The more hands that touch a password, the greater the chance it will be mishandled or disclosed. Neither method scales securely; temporary credentials intended as a short-term convenience routinely outlive that intent.

Specops First Day Password and a different onboarding flow

One cited alternative is Specops First Day Password, offered as part of Specops uReset, which removes the need to distribute a first-day password at all. Under that model, new hires do not receive a temporary credential in plain text. Instead, they set their own password through a controlled enrollment process.

Enrollment can be initiated via a personal email, text message, or a “reset my password” option on a domain-joined device. After verifying identity with a personal email address or mobile number, users create a password that already meets the organization’s policy requirements. The approach aims to reduce the attack surface created by intercepted or mishandled onboarding credentials while keeping the process fast and self-service for IT and new employees alike.
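The enrollment flow described above, reduced to its security-relevant steps, as an added Python example (this is illustrative code written for this page, not Specops' product code): the new hire proves possession of a contact channel registered by HR at hire time, and only then sets a password, which the directory accepts only if it meets policy. No temporary password is ever generated or sent. The hire directory, the contact value, the policy thresholds and the banned-password list are all constructed assumptions.

```python
"""Self-service first-day enrollment: verify identity, then set a policy-compliant password.

Added example, not Specops code. The directory, contact details, policy values and
banned list below are constructed assumptions for the demonstration.
"""
import hashlib
import hmac
import os
import secrets
import time

CODE_TTL_SECONDS = 600        # assumed: one-time code valid for ten minutes
MIN_LENGTH = 14               # assumed policy minimum
PBKDF2_ROUNDS = 600_000       # assumed work factor for stored hashes
# Constructed stand-in for a banned/breached-password list.
BANNED = {"password1234", "welcome2024!!", "companyname1!"}

# Assumed HR-provisioned directory: username -> personal contact registered at hire time.
NEW_HIRES = {"j.doe": "+15550100"}          # constructed, not a real number

pending = {}        # username -> (sha256(code), expiry timestamp)
credentials = {}    # username -> (salt, pbkdf2 digest); never a plaintext password


def start_enrollment(username, now=None):
    """Issue a one-time code to the hire's pre-registered contact.
    The code is returned only so the simulation can complete; a real system sends it."""
    if username not in NEW_HIRES:
        raise KeyError("unknown new hire")
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**8):08d}"
    # Store a hash of the code so a leaked pending table alone cannot finish enrollment.
    pending[username] = (hashlib.sha256(code.encode()).hexdigest(), now + CODE_TTL_SECONDS)
    return NEW_HIRES[username], code


def enrollment_pending(username):
    return username in pending


def check_policy(username, password):
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in BANNED:
        problems.append("appears on banned-password list")
    parts = [p for p in username.lower().split(".") if len(p) >= 3]
    if any(p in password.lower() for p in parts):
        problems.append("contains the username")
    classes = sum(any(f(c) for c in password) for f in (str.islower, str.isupper, str.isdigit))
    if classes < 3:
        problems.append("needs lower, upper and digit characters")
    return problems


def complete_enrollment(username, code, new_password, now=None):
    """Check the one-time code (expiry, constant-time compare), then enforce policy
    before storing a salted hash. Any failure raises; nothing is stored on failure."""
    now = time.time() if now is None else now
    entry = pending.get(username)
    if entry is None:
        raise PermissionError("no enrollment in progress")
    code_hash, expires_at = entry
    if now > expires_at:
        pending.pop(username)
        raise PermissionError("verification code expired")
    if not hmac.compare_digest(code_hash, hashlib.sha256(code.encode()).hexdigest()):
        raise PermissionError("verification code incorrect")
    problems = check_policy(username, new_password)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, PBKDF2_ROUNDS)
    credentials[username] = (salt, digest)
    pending.pop(username)      # the code is single-use
    return True


def verify_login(username, password):
    entry = credentials.get(username)
    if entry is None:
        return False
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, candidate)


if __name__ == "__main__":
    contact, code = start_enrollment("j.doe")
    print(f"code sent to {contact}")
    print(check_policy("j.doe", "JohnDoeRocks2025"))      # ['contains the username']
    print(complete_enrollment("j.doe", code, "Correct-Horse-Battery-9"))   # True
    print(verify_login("j.doe", "Correct-Horse-Battery-9"))                 # True
```

The ordering is the point: identity proof comes before any password exists, the policy check runs on the password the user actually chooses rather than on a seed IT hopes will be replaced, and the code is hashed, time-limited and single-use so an intercepted enrollment message is not equivalent to an intercepted first-day password.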

When temporary passwords become permanent weaknesses

Temporary onboarding credentials are supposed to be transient, but the reality described in the source is different. Busy users can miss the step to change a default password. Onboarding workflows may fail to enforce a reset. Bulk-generated or simple seed passwords designed for speed can remain active unnoticed.

That persistence matters because first-day passwords are rarely constructed with long-term security in mind: they tend to be simpler, predictable, or reused. When left in place, those credentials become low-effort entry points for attackers seeking access to corporate systems and sensitive data.
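The persistence problem above is detectable from directory metadata alone: an account whose password-set time still equals its creation time is still carrying whatever IT seeded. The following added Python example (written for this page, not taken from the article or any vendor) audits constructed account records shaped like an AD export, where `pwd_last_set` of `None` models AD's `pwdLastSet = 0` ("must change password at next logon"). The record fields, the grace period and the sample accounts are assumptions.

```python
"""Audit for first-day passwords that outlived their purpose.

Added example with constructed data. Field names mirror AD attributes
(whenCreated, pwdLastSet, lastLogon) but the schema and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

GRACE_DAYS = 7                       # assumed: tolerated lifetime of an untouched seeded credential
SEED_WINDOW = timedelta(minutes=1)   # pwdLastSet this close to whenCreated => still the seeded password


@dataclass
class Account:
    sam: str
    created: datetime
    pwd_last_set: Optional[datetime]   # None models AD pwdLastSet=0: reset forced at next logon
    enabled: bool
    last_logon: Optional[datetime]


def classify(acct: Account, now: datetime) -> Optional[Tuple[str, str]]:
    """Return (severity, finding) or None when the account looks healthy."""
    if not acct.enabled:
        return None
    age_days = (now - acct.created).days
    if acct.pwd_last_set is None:
        # A forced reset is in place; only a stale, never-used account merits attention.
        if acct.last_logon is None and age_days > GRACE_DAYS:
            return ("MEDIUM", f"forced reset pending but account unused for {age_days} days; disable until start date")
        return None
    if acct.pwd_last_set - acct.created > SEED_WINDOW:
        return None   # the user has set their own password since provisioning
    # Seeded password and no forced reset: the workflow gap the article describes.
    if acct.last_logon is not None and age_days > GRACE_DAYS:
        return ("HIGH", f"seeded first-day password still in use {age_days} days after creation")
    return ("MEDIUM", "seeded first-day password never changed and no forced reset set")


def audit(accounts: List[Account], now: datetime) -> List[Tuple[str, str, str]]:
    """Run classify() over every account and collect (sam, severity, finding) rows."""
    findings = []
    for acct in accounts:
        result = classify(acct, now)
        if result:
            findings.append((acct.sam, *result))
    return findings


NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)   # constructed reference time


def sample_accounts() -> List[Account]:
    """Constructed records, not real directory data."""
    def d(days: int) -> datetime:
        return NOW - timedelta(days=days)
    return [
        Account("a.chen",  d(30), d(29), True, d(1)),       # changed password on day two: healthy
        Account("b.ortiz", d(45), d(45), True, d(2)),       # still on the seeded password, actively used
        Account("c.patel", d(3),  None,  True, None),       # reset enforced, still within grace
        Account("d.kim",   d(60), None,  True, None),       # reset enforced, hire never arrived
        Account("e.liu",   d(20), d(20) + timedelta(seconds=30), True, None),   # seeded, unused
        Account("svc-old", d(400), d(400), False, None),    # disabled: ignored
    ]


if __name__ == "__main__":
    for sam, severity, finding in audit(sample_accounts(), NOW):
        print(f"{severity:6} {sam:10} {finding}")
```

Run against a real export, the HIGH rows are the ones to act on first: a seeded password that is both unchanged and in use is exactly the low-effort entry point the paragraph warns about, and the fix is to force a reset (or move the account to a self-service enrollment flow) rather than to email a fresh temporary password.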

Two recent incidents that illustrate the danger

The source lays out two concrete episodes. In November 2023, the Municipal Water Authority of Aliquippa in Pennsylvania was targeted by the Iranian-linked hacktivist group Cyber Av3ngers. Attackers exploited programmable logic controllers (PLCs) guarded by the default credential "1111" and gained control of a remote booster station serving two townships. While that incident did not threaten the water supply, CISA issued alerts urging facilities to change default credentials on similar systems and to disconnect PLCs from the open internet.

In 2025 researchers found that McHire, McDonald’s AI-powered hiring platform operated by Paradox.ai, could be accessed via a weak legacy administrator account reportedly using "123456" as both username and password. Using those default credentials, researchers reached a test environment and could view chat interactions linked to more than 64 million job applications. Paradox.ai responded to the responsible disclosure by resolving the vulnerability and updating its security policies.

What this means for technologists, procurement leaders, and end users

  • Technologists and security teams: Replace shared temporary credentials with controlled enrollment flows where possible; verify identities before allowing password creation; and ensure onboarding workflows enforce password policies rather than rely on a hoped-for follow-up reset.
  • Procurement and affected enterprises: When evaluating identity and onboarding solutions, consider options that remove the need to distribute first-day passwords and that provide centralized lifecycle management — the source specifically points to tools such as Specops First Day Password and Specops uReset as implementations of this approach.
  • End users and the general public: Be aware that a password intended only for initial setup can become a long-term vulnerability if it is not changed; using self-service, policy-enforced enrollment reduces the chance that a weak default remains active.

Passwords remain central to onboarding even as passkeys and passwordless options gain traction; the source explicitly states that "passwords aren't disappearing any time soon." The practical takeaway is narrow and actionable: eliminate or reduce the distribution of first-day credentials, verify identity before password creation, and enforce policy from the outset. Those steps convert a routine convenience into a manageable security posture — and in cases like Aliquippa and McHire, they can be the difference between a contained incident and mass exposure.

https://thehackernews.com/2026/06/the-onboarding-password-mistake-that.html