Blog 21 – Password 123456? Seriously?
It’s 2025. Why Are We Still Getting Breached by Bad Habits?
McFail: When Password123 Meets AI Hiring
McDonald’s just served up a cybersecurity embarrassment so avoidable, it should come with a warning label and a side of shame. Their AI-powered hiring assistant, affectionately known as “Olivia,” left the digital backdoor wide open by securing sensitive data with one of the most laughable passwords in existence: 123456.
That’s not a password. That’s a punchline. The kind of password you’d expect from someone who still writes them on sticky notes and hides them under the keyboard like it’s 2003.
The result? Over 64 million records exposed. That includes job applicant names, emails, and full chat transcripts. All of it left simmering on the public internet like an abandoned tray of fries forgotten under a heat lamp.
And here’s the kicker. This wasn’t a sophisticated cyberattack. No zero-day exploit. No nation-state hackers writing custom malware in candlelit bunkers. This was a total own goal, a digital faceplant so basic it makes you wonder if anyone was even pretending to care about security.
It is a stark reminder that even the biggest, wealthiest companies on the planet can still get tripped up by the most basic cybersecurity failures. AI is revolutionising industries, automating workflows, transforming hiring processes. But if you skip the fundamentals, it all falls apart. The shiny chatbot becomes just another leak waiting to happen.
And let’s not pretend this is just McDonald’s problem. This is a mirror. One that reflects just how many businesses are still sleepwalking through cybersecurity while trying to sprint toward digital transformation. It is 2025. We are building autonomous drones and decoding DNA with machine learning. But apparently, asking “Hey, is 123456 still our admin password?” is too much to ask.
Smart Bots, Dumb Security
We live in an age where artificial intelligence can create realistic deepfakes, write half-decent novels, and imitate your voice well enough to fool your mum. AI can automate your entire hiring process, answer job candidates in real time, and score CVs faster than a recruiter on double espresso. But when it comes to security? Apparently, it still needs to be spoon-fed the basics.
Let’s be honest. 123456 is not a password. It is a glowing red “Hack me” sign. It is a neon-lit entrance to your data with free Wi-Fi and valet parking. It is what you choose when you want to tick the password box and get on with your day. Which is fine, until it is your customers’ personal data on the line.
This is what happens when we glue AI onto old systems and call it innovation. When we chase automation without building in accountability. When we get so distracted by the sleek interface and shiny new tool that we forget the login credentials guarding it are straight out of a 1990s IT helpdesk horror story.
Innovation without basic security hygiene is not progress. It is a ticking time bomb. A sleek chatbot running on a rotten foundation. You can polish the UX all you like, but if the back end is a mess, all you have is a more elegant way to fail.
In my view, this isn’t a technology problem. It is a leadership problem. Somewhere between the AI roadmap and the launch party, someone decided that Olivia could automate the hiring process but didn’t stop to ask, “What kind of password are we securing with?”
And now the whole world knows the answer.
2025 Called. It Wants Better Passwords
Let’s take a step back and think. If your organisation is still using passwords like 123456, admin, or password123, you’re not just vulnerable. You’re practically hosting an open house for cybercriminals, complete with snacks and a guided tour.
Why does this still happen?
But later has arrived. And it brought a breach, a brand crisis, and a heap of regulatory headaches.
We are not talking about advanced persistent threats here. This isn’t elite-level hacking. This is Password 101. This is the first slide of the first cybersecurity awareness session. The kind you skimmed through while replying to emails and never really thought applied to you.
The truth? Many businesses today spend more on coffee machines than they do on access control. They invest in AI tools and automation platforms and then secure them with the digital equivalent of leaving your keys in the ignition.
Cybersecurity is not magic. It’s not some obscure technical art form. Most breaches today are not caused by sophisticated hackers. They are caused by gaps so obvious they shouldn’t exist in the first place.
And this one? This is as basic as it gets.
Could This Be Your Business?
Let’s stop treating this like a McDonald’s problem and start seeing it for what it really is, a mirror held up to every business still hoping good intentions will pass for good security.
Because if a global juggernaut with deep IT pockets and a brand to protect can still let “123456” guard millions of records, then what’s hiding in your own stack?
Let’s look closer to home:
This is where breaches are born. Not from some shadowy threat actor in a basement, but from convenience. From assumptions. From systems that were “set and forget” but never properly locked down.
Remember, cybercriminals look for easy targets. They will try the basic things first, e.g. logging in with the password someone forgot to change. It’s basic operational hygiene. In 2025, weak credentials are like storing your spare key under the doormat and being shocked when someone uses it.
And while you are checking your own systems, remember to check who you are connected to.
You are only as secure as the weakest link in that entire chain. And right now, somewhere in that ecosystem, someone is still using a password that looks like a bad punchline.
You don’t need a sophisticated exploit to lose everything. You just need to leave the back door open long enough for someone to notice.
So yes, this could absolutely happen to you. And if your security playbook still says “we’ll get to that later,” then it is truly not a matter of if you suffer a cyberattack, but when.
Better Passwords, Please
Secure passwords are not rocket science. You do not need a PhD in cybersecurity to do this right. What you do need is a change in mindset.
“Password123” is easy. But so is doing better.
Here is my advice.
1. Ditch the password. Use a passphrase. A passphrase is a short sentence that’s easy for you to remember but hard for others to guess. Think: PurpleGoatsDanceAtMidnight or MyCoffeeNeeds2Sugars. It’s longer. It’s stronger. And no, “LetMeIn123” doesn’t count.
2. Mix in unpredictability. Do not recycle the same password across platforms. Your Amazon login should not be your corporate admin password. Use different passphrases for different systems. If that sounds too hard, then...
3. Use a password manager. You don’t need to memorise 42 unique passphrases. Let the tool do the work. It’s like hiring a digital bouncer for your logins, no one gets in unless they’re on the list.
4. Turn on Multi-Factor Authentication (MFA). Everywhere. Always. No exceptions. If your platform doesn’t support MFA, the problem isn’t your password. The problem is the platform.
5. Kill legacy accounts. That test environment you built in 2021 with “admin123” still works. That’s not nostalgic. That’s negligent. Hunt them down. Shut them down.
6. Train like you mean it. Password awareness training shouldn’t be a once-a-year snoozefest. Build a culture where bad passwords are as unacceptable as bad coffee. Make strong credentials a shared value, not just an IT policy.
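To show what items 1 to 3 look like when enforced by a system rather than left to good intentions, here is an added example (my illustration, not anything from the post or from McDonald’s): a small policy check that rejects the credentials named above, including decorated ones like LetMeIn123, and accepts the passphrases. The deny list, the 14-character minimum and the sample batch are constructed assumptions.

```python
import re

# Constructed deny list built from the weak credentials named in this post;
# a real deployment would check against a full breached-password corpus.
BANNED_STEMS = {"123456", "admin", "password", "letmein", "qwerty"}
MIN_LENGTH = 14          # assumed passphrase minimum, not a figure from the post
MIN_DISTINCT_CHARS = 6   # assumed: rejects "aaaaaaaaaaaaaa"-style padding


def stem_of(candidate: str) -> str:
    """Lower-case and strip trailing digits/symbols, so 'Password123',
    'admin123' and 'LetMeIn123!' collapse to the weak stems they are built on."""
    return re.sub(r"[\d\W_]+$", "", candidate.lower())


def check_passphrase(candidate: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a proposed credential.

    The banned-stem test runs first on purpose: 'Password123!!!!!!' is long
    enough, but it is still the word 'password' with decoration."""
    lowered = candidate.lower()
    stem = stem_of(candidate)
    if lowered in BANNED_STEMS or stem in BANNED_STEMS:
        return False, f"built on banned credential '{stem or lowered}'"
    if not re.search(r"[a-z]", lowered):
        return False, "no letters; a passphrase needs words, not just digits"
    if len(candidate) < MIN_LENGTH:
        return False, f"only {len(candidate)} chars; minimum is {MIN_LENGTH}"
    if len(set(lowered)) < MIN_DISTINCT_CHARS:
        return False, "too repetitive"
    return True, "ok"


def audit(candidates: list[str]) -> dict[str, str]:
    """Run the policy over a batch and return only the rejections with reasons,
    the shape an onboarding or password-reset hook would log."""
    rejected = {}
    for cred in candidates:
        ok, reason = check_passphrase(cred)
        if not ok:
            rejected[cred] = reason
    return rejected


if __name__ == "__main__":
    # Constructed sample input: the examples from the post plus a digit-only string.
    sample = ["123456", "Password123", "LetMeIn123", "admin", "1234567890123456",
              "PurpleGoatsDanceAtMidnight", "MyCoffeeNeeds2Sugars"]
    for cred, why in audit(sample).items():
        print(f"REJECT {cred!r}: {why}")
```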
Boardroom Takeaways: Fix It Before You’re Next
Let’s get one thing straight: in my view this isn’t a technology issue, it’s a leadership one. AI might be writing code, scoring resumes, and booking interviews, but it’s the humans at the top who are responsible when the whole system faceplants.
So, if you’re sitting in the boardroom wondering if this could happen to you, stop wondering and start asking:
1. What’s our policy on default and weak passwords? If your policy isn’t “destroy them with fire,” you’re already playing catch-up. It should be enforced, audited, and drilled into every onboarding doc like it's gospel.
2. Where are the AI and automation platforms in our attack surface? Just because it sounds futuristic doesn’t mean it’s bulletproof. AI platforms are still software. They have logins, APIs, storage locations, and secrets. If you haven’t threat-modelled them yet, consider this your wake-up ping.
3. How are we testing third-party resilience? Your chatbot vendor, your payroll system, your marketing AI, if they can’t explain their password policies, access controls, or breach notification plan in under two minutes, then you probably shouldn’t trust them with customer data.
4. Are we actually simulating these scenarios? It’s one thing to run phishing drills. Good job. Now simulate this: “What if our AI hiring tool leaks 64 million records because someone used password123?” What happens next? Who talks to the media? Who patches the hole? Who explains it to regulators and shareholders?
If any of this sounds like your business, please fix it now, before someone else finds your own version of Olivia quietly leaking data behind the scenes.
Final Byte: Cybersecurity = Basic Hygiene + Accountability
There is nothing new here. No surprise twist. No groundbreaking lesson.
We already knew that passwords like 123456 should not exist in any serious business. But here we are. In 2025. Still talking about them. Still watching billion-dollar brands fall over the same banana peel we’ve been warning about for twenty years.
If your systems are still being protected by passwords that belong on a “worst of” list from 1998, then you do not have a cybersecurity strategy. You have a to-do list that no one ever got around to completing.
It is not the fault of the AI. It is not the fault of hackers. It is not the fault of complexity or budget constraints or legacy systems. I believe it is a failure of leadership. A failure to prioritise. A failure to fix the obvious before chasing the advanced.
Because the next breach will not be because AI went rogue. It will be because someone didn’t ask the basic question.
What password are we using?
Smart tech requires smarter habits. And those habits start at the top.
Dr Glenn, logging off.
(Still watching. Still warning. Still wondering why we’re getting hacked by the same mistakes we made two decades ago.)
Cyber | vCISO | Advisory Services | Platforms | Product Management | Sales Enablement | Investor | Mentor
2mo · So many companies I talk to just aren’t asking the right questions of their suppliers to help ensure the shift we need to be secure. Making assumptions of your supply chain shouldn’t be normal business. If unsure how to ask, talk to us and we’ll help you. Simple.
LLB.BA.(NSW) GAICD I Portfolio Non-Exec Director (ASX:BRN) I VC & Tech Investor I Diversity Equity Inclusion Champion I Pearcey WA Entrepreneur of the Year 2023 I WITWA Ambassador
2mo · PurpleGoatsDanceAtMidnight?! Thanks for the inspiration and reminder to “do better”.
ICT Executive | CISO | MCyberSec, MBA, CISSP CISM CRISC
2mo · Security architecture has moved on; it’s time to spotlight poor practices. Using keystores, managed identities and mutual authentication should be the cornerstone of system design.
“Executive Partnership with Calm Precision and Strategic Clarity”
2mo · Ugh, what you said about basic security hygiene hits hard... it’s wild how even massive companies still trip over the fundamentals while chasing fancy tech solutions.