Back

mcdonalds.com Domain Breach Exposure Report

Risk Score

High Risk

Massive event volume or critical assets compromised.

AI Findings Summary

Critical

The telemetry indicates a significant exposure related to mcdonalds.com, with over 208,000 events logged between July 2025 and June 2026. A substantial portion of these events, approximately 66%, are historical data breaches, while the remaining 34% are active infostealer logs. The data suggests a broad impact, with over 155,000 client-related events and over 52,000 employee-related events. The most prevalent malware families are Redline, LummaC2, and Acreed, all known for credential theft. The targeted services are primarily Android mobile applications, with the `com.mcdonalds.mobileapp` being the most frequently targeted. The high volume of historical data breaches and active infostealer logs, coupled with the prevalence of credential-stealing malware, indicates a high-risk environment. The focus should be on immediate remediation of identified vulnerabilities, enhanced monitoring for credential compromise, and comprehensive security awareness training for employees and clients. Given the nature of the domain and the targeted services, prioritizing the security of customer and employee data is paramount.

Total Events

208,114
credential exposure events

Employee Affected Events

52,209
account email domain = mcdonalds.com

Client Affected Events

155,905
service target = mcdonalds.com

Free Community Account

Stop stolen credentials from logging in

Own this domain? Create a free Lunar account to see full exposure data and evidence.

12-Month Events Timeline

Event volume by breach date, employee VS client

EmployeesClients
40,00026,66713,3330
peak month 31,996
Jul 25Sep 25Nov 25Jan 26Mar 26May 26Jun 26

Infostealers VS Data Breaches

Live stealer logs VS data breaches

Infostealer logs
Events70,084
Share34%
Data breaches
Events138,030
Share66%
Infostealer logs (34%)
70,084events
Data breaches (66%)
138,030events

52,209 compromised employee accounts pose an infrastructure risk, while 155,905 leaked client credentials create regulatory liability.

Antivirus Distribution

Security Tools on Infected Endpoints

Windows Defender1,520
Malwarebytes32
Avast18
Windows Defender.9
Reason Cybersecurity8
Avast Norton8
Avast AVG5
Windows Defender Norton 3604
Kaspersky3

Malware Families Distribution

Distribution of Active Stealer Strains

Redline10,766
LummaC29,249
Acreed6,328
Rhadamanthys5,887
Vidar5,585
Remus1,606
StealC1,007
RisePro986
Millenium873

Top Login URLs

Top exposed services found in the event results

  1. 1android://L_HbA4LFvk_NXwpeyqC6qyjQFw3rdFnLiuBpOmaBWDbTatRx_vFlkpebkpLu6mziBDC9PyXia1YgDarsmmAdAg==@com.mcdonalds.mobileapp/82,794
  2. 2android://eyJyp9aG3bJsVCW98knWdoMqPbdlQcs611sCh8staTf1mj56OsimtaF87qG-6RN-Hy7ZYO1lXDQx__F317-gvg==@com.mcdonalds.android/7,029
  3. 3android://MZeABPXaFPFEKPXGUJTBLmHdjCyb1Y31LzCOGcbuCraAFPRweU8Uw5gxj31GD5a8rx-qmCj3W8I8SVPARUbVEA==@com.mcdonalds.superapp/5,680
  4. 4android://-y_dAGSdzHjONSZD3TAY0jBjEmY521QrDuO17Z8mPfsTE-9m4rihNF8YuElMHz0CMpcqZ1r4d2KRWkbsJADEYg==@com.mcdonalds.app/4,806
  5. 5android://l_hba4lfvk_nxwpeyqc6qyjqfw3rdfnliubpomabwdbtatrx_vflkpebkplu6mzibdc9pyxia1ygdarsmmadag==@com.mcdonalds.mobileapp/ :4,027
  6. 6android://L_HbA4LFvk_NXwpeyqC6qyjQFw3rdFnLiuBpOmaBWDbTatRx_vFlkpebkpLu6mziBDC9PyXia1gDarsmmAdAg==@com.mcdonalds.mobileapp/3,665
  7. 7android://-y_dAGSdzHjONSZD3TAY0jBjEmY521QrDuO17Z8mPfsTE-9m4rihNF8YuElMHz0CMpcqZ1r4d2KRWkbsJADEYg==@com.mcdonalds.au.gma/3,578
  8. 8android://-y_dAGSdzHjONSZD3TAY0jBjEmY521QrDuO17Z8mPfsTE-9m4rihNF8YuElMHz0CMpcqZ1r4d2KRWkbsJADEYg==@com.mcdonalds.gma.hongkong/3,186
  9. 9android://zQxb6hXv1MJiC1Yyotdhi8HP-y7fwPcOLwPOWTwWKpP2VXcbsuIiI4iJ1KV0Dz3LzVsUuKJmACRSUAxnsPB3FA==@com.mcdonalds.mobileapp/3,109
  10. 10android://-y_dAGSdzHjONSZD3TAY0jBjEmY521QrDuO17Z8mPfsTE-9m4rihNF8YuElMHz0CMpcqZ1r4d2KRWkbsJADEYg==@com.mcdonalds.app.uk/2,874

Infostealer By Geography

Shows the distribution of Infostealer-related credential exposure events across different geographic regions. The location is determined by analyzing the metadata of the infected machines associated with each event.

India
Events5,807
Italy
Events4,586
Philippines
Events3,356
Spain
Events2,830
United States
Events2,416
Canada
Events2,289
Poland
Events2,220
Egypt
Events1,980

Country Breakdown

  1. 1India5,807
  2. 2Italy4,586
  3. 3Philippines3,356
  4. 4Spain2,830
  5. 5United States2,416
  6. 6Canada2,289
  7. 7Poland2,220
  8. 8Egypt1,980

Services Classification Distribution

Blast radius - closer to core = more critical infrastructure, size = credential volume

Citrix36
Git16
FortiNet VPN13
Pulse Secure7
Cisco (AnyConnect)7

Operating System Distribution

Distribution of compromised endpoint builds

Windows 116,853
Windows 10 Enterprise x643,806
Windows 10 Home x642,482
Windows 10 Pro2,388
Windows 102,232

Leak Repository Classification

Where the exposed records currently reside

0
Named breaches
120,233
Combolist pools
17,797
Unattributed dumps

Disclaimer: This report includes AI-generated content. AI can make mistakes, so verify important findings independently before taking action.