
McHire and the API identity gap teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: McDonald’s McHire breach exposed a legacy admin account with default credentials, no MFA, and an unauthenticated API endpoint, leaving roughly 64 million records accessible, according to Defakto Security. The incident shows that API security fails when non-human identities are treated as internal by default, not because teams lack more AI or more tooling.

NHIMG editorial — based on content published by Defakto Security: McDonald's McHire breach and the case for non-human identity in API security

By the numbers:

Questions worth separating out

Q: How should security teams protect APIs that expose non-human identity risk?

A: Security teams should require authentication on every exposed API, eliminate anonymous access, and bind each call to a specific workload or service identity.

Q: Why do default credentials still create major breach risk?

A: Default credentials are still dangerous because they create a predictable standing privilege path that attackers can test immediately.

Q: What breaks when organisations treat APIs as internal by default?

A: When APIs are treated as internal by default, teams skip authentication, rely on network trust, and overlook how outside parties can reach the same interfaces.

Practitioner guidance

  • Remove unauthenticated production endpoints: Inventory externally reachable APIs and require authentication on every request path, including internal admin and partner interfaces that can be reached from the internet.
  • Eliminate default administrative credentials: Find legacy admin accounts, replace vendor or inherited defaults, and revoke any credentials that cannot be mapped to an accountable owner and current business use.
  • Replace static secrets with workload identity: Move API and service-to-service access toward cryptographic workload identity so access is based on verifiable identity rather than reusable shared secrets.
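As an added illustration of the first and third points (this is example code written for this post, not Defakto Security's or any project's implementation), the Go snippet below binds every API call to a SPIFFE workload identity taken from the peer's verified mTLS certificate and fails closed for anonymous callers. The trust domain example.test, the candidate-bot workload name, and the policy are constructed assumptions.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/url"
	"strings"
)
// Policy maps a caller's SPIFFE ID to the API path prefixes it may call. There is
// no anonymous entry: a call not bound to a workload identity is denied outright.
type Policy map[string][]string
// spiffeIDFromPeer returns the spiffe:// URI SAN of the peer's verified leaf cert.
// It fails closed unless the server verified a client certificate (tls.Config with
// ClientAuth: tls.RequireAndVerifyClientCert), so no unauthenticated path exists.
func spiffeIDFromPeer(cs tls.ConnectionState) (string, error) {
	if len(cs.VerifiedChains) == 0 || len(cs.VerifiedChains[0]) == 0 {
		return "", errors.New("no verified client certificate: anonymous caller")
	}
	var ids []string
	for _, u := range cs.VerifiedChains[0][0].URIs {
		if u.Scheme == "spiffe" {
			ids = append(ids, u.String())
		}
	}
	if len(ids) != 1 { // an SVID carries exactly one SPIFFE ID
		return "", fmt.Errorf("expected one spiffe:// URI SAN, found %d", len(ids))
	}
	return ids[0], nil
}
// authorize binds the request to a workload identity, then consults the policy.
func authorize(p Policy, cs tls.ConnectionState, path string) (string, error) {
	id, err := spiffeIDFromPeer(cs)
	if err != nil {
		return "", err
	}
	for _, prefix := range p[id] {
		if path == prefix || strings.HasPrefix(path, prefix+"/") {
			return id, nil
		}
	}
	return id, fmt.Errorf("%s may not call %s", id, path)
}
func main() { // constructed sample: a hypothetical hiring-bot workload with one SVID
	u, _ := url.Parse("spiffe://example.test/ns/hiring/sa/candidate-bot")
	cs := tls.ConnectionState{VerifiedChains: [][]*x509.Certificate{{{URIs: []*url.URL{u}}}}}
	policy := Policy{u.String(): {"/api/candidates"}}
	fmt.Println(authorize(policy, cs, "/api/candidates/123"))                    // allowed
	fmt.Println(authorize(policy, tls.ConnectionState{}, "/api/candidates/123")) // denied
}
```

In a real server the ConnectionState comes from r.TLS on each request, and the policy would be loaded from configuration rather than built inline.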

What's in the full article

Defakto Security's full article covers the operational detail this post intentionally leaves for the source:

  • The specific McHire breach sequence, including the weak admin account and unauthenticated endpoint.
  • The API security implications of applicant ID exposure and direct record retrieval.
  • The vendor's explanation of why machine-facing identity needs a different control model than human access.
  • The broader commentary on SPIFFE and non-human IAM for production systems.

👉 Read Defakto Security's analysis of the McHire API identity breach →
