Onboarding password shortcuts give attackers an opening
#Vulnerabilities


Security Reporter

During onboarding, IT teams send first-day passwords through email, text or phone calls so new hires can start work. Attackers can use those messages, stale default credentials and weak test accounts to reach systems that hold employee, applicant or operational data.


IT teams create risk on the first day of employment when they send starter passwords through email, text messages or phone calls and fail to force a reset before the account receives business access.

New hires need laptops and access at a fixed time. Help desk staff need to clear tickets. Managers need workers productive by lunch. Teams respond with shared starter passwords, predictable patterns and credentials that pass through inboxes before the employee joins the company.

Attackers like that window because the target has little context. A new employee may not know the reset portal, the help desk number or the signs of a credential phishing attempt. A forwarded email or intercepted text can give an attacker the same first login path the employee receives.

Security teams can remove the starter password from the workflow. Products such as Specops uReset and its First Day Password feature let a user verify identity through a personal email address or mobile number, then create a password that meets the company policy before the account sees work data.

In that design, IT staff keep control of the process. The help desk stops reading passwords over the phone or sending them through channels the company cannot control. The user creates one secret, and the identity system rejects banned, weak or breached choices at creation.

Attackers have abused weak setup credentials outside office onboarding. In November 2023, the Iranian-linked Cyber Av3ngers group hit the Municipal Water Authority of Aliquippa in Pennsylvania after finding an internet-exposed Unitronics programmable logic controller that still used the vendor default password, 1111. The controller operated a remote booster station serving two townships.

Operators kept water service running, but federal agencies used the incident as a warning for operational technology teams. CISA and partner agencies told water and wastewater operators to change default passwords, require multifactor authentication for remote access and remove exposed PLCs from the public internet.

Security teams should use the same logic for identity systems. Your team creates exposure when it lets a deployment password, test password or first-day password survive after setup. Each shared credential needs an expiration point, an owner and audit coverage.

The McHire case shows the same pattern in a hiring system. In 2025, researchers Ian Carroll and Sam Curry found they could log in to a Paradox.ai administrator account tied to McDonald's McHire platform with 123456 as both the username and password, according to Wired. The platform handled applicant conversations for McDonald's franchise hiring.

The researchers used the access to reach a test restaurant environment, then found an insecure direct object reference bug that let them view other applicants' chat records by changing an identifier in a request. Wired reported that the flaw exposed up to 64 million records with names, email addresses and phone numbers. Paradox.ai fixed the flaws after disclosure and said staff should have decommissioned the test account.

Security teams should start with account lifecycle work. Treat onboarding credentials as production risk from the first minute. Require each user to create a password through an identity-verified flow. Block passwords that appear in breach data. Enforce multifactor authentication before the account reaches email, HR systems or administrative portals.
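The creation-time gate described here and under the identity-system design above (reject banned, weak or breached choices before the account can log in) looks like this in code. This is an added example, not code from the article and not Specops' implementation. The 14-character minimum, the banned list, the assumed company name "acme", the starter-password patterns and the in-memory breach corpus are all assumptions; a real gate would send the five-character SHA-1 prefix to a breach service (the k-anonymity lookup shape used by Have I Been Pwned) instead of reading the local dict.

```python
"""Starter-password policy check at creation time (added example, constructed data)."""
import hashlib
import re

MIN_LENGTH = 14  # assumed policy minimum

# Constructed breach corpus, keyed HIBP-style by the first five hex characters of
# SHA-1(password) so a real lookup never has to send the full hash anywhere.
# In production this dict is replaced by a query to a breach service.
_BREACH_CORPUS: dict[str, set[str]] = {}
for _pw in ("123456", "Password1", "Welcome1!", "Summer2024!"):
    _digest = hashlib.sha1(_pw.encode("utf-8")).hexdigest().upper()
    _BREACH_CORPUS.setdefault(_digest[:5], set()).add(_digest[5:])

# Banned substrings: generic onboarding words plus the assumed company name "acme".
BANNED_WORDS = ("welcome", "password", "newhire", "onboard", "temp", "acme")

# Shapes help desks reuse for starter passwords: Season+Year, Month+Year, Welcome+digits.
STARTER_PATTERNS = (
    re.compile(r"^(spring|summer|autumn|fall|winter)\d{2,4}[!@#$%^&*]*$", re.I),
    re.compile(r"^(january|february|march|april|may|june|july|august|september|"
               r"october|november|december)\d{2,4}[!@#$%^&*]*$", re.I),
    re.compile(r"^welcome\d*[!@#$%^&*]*$", re.I),
)


def breach_lookup(prefix: str) -> set[str]:
    """Return the SHA-1 suffixes known for a five-character prefix (k-anonymity query)."""
    return _BREACH_CORPUS.get(prefix.upper(), set())


def is_breached(password: str, lookup=breach_lookup) -> bool:
    """True when the full SHA-1 of the password appears among the suffixes for its prefix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in lookup(digest[:5])


def check_password(password: str, username: str) -> list[str]:
    """Return the list of policy failures; an empty list means the password is accepted."""
    reasons = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    for word in BANNED_WORDS:
        if word in lowered:
            reasons.append(f"contains banned word '{word}'")
    if any(pattern.match(password) for pattern in STARTER_PATTERNS):
        reasons.append("matches a starter-password pattern")
    if is_breached(password):
        reasons.append("appears in breach data")
    return reasons


if __name__ == "__main__":
    for candidate in ("Welcome1!", "Summer2024!", "correct horse battery staple 9"):
        verdict = check_password(candidate, "jdoe")
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

The checks run in order from cheapest to most expensive, and the breach lookup is the only one that needs a network call in a real deployment; keeping it last, and keyed on a hash prefix, means a rejected "Welcome1!" never leaves the identity system in any form.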

Security teams need cleanup checks. You should search for accounts that retain default names, shared service desk patterns or onboarding formats. Review test tenants and demo environments that connect to production data. Disable accounts with no owner, no login history or no business purpose.
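The cleanup checks above, together with the earlier point that every shared credential needs an expiration point, an owner and audit coverage, as an added example that is not part of the article: it audits a user export whose columns are named after Active Directory attributes with the dates already converted to ISO strings. The column layout, the sample rows, the starter-name patterns, the 7-day grace window for replacing a starter password and the 90-day stale-login threshold are all constructed assumptions.

```python
"""Cleanup audit for onboarding, test and shared accounts (added example, constructed data)."""
import csv
import io
import re
from datetime import date

GRACE_DAYS = 7     # assumed: a starter password must be replaced within a week
STALE_DAYS = 90    # assumed: an account unused for 90 days needs an owner's review

# Names help desks and vendors reuse for setup, test, service and default accounts.
STARTER_NAME = re.compile(
    r"^(test|temp|demo|newhire|onboard|starter|setup|svc)(\d|[-_.]|$)"
    r"|^(admin|administrator|guest)$",
    re.I,
)

# Constructed sample export (ISO dates; an empty field means the attribute is not set).
SAMPLE_EXPORT = """\
sAMAccountName,manager,enabled,whenCreated,lastLogon,pwdLastSet,accountExpires
jdoe,CN=A Manager,TRUE,2024-03-04,2024-03-10,2024-03-05,
newhire07,,TRUE,2024-01-15,,2024-01-15,
test-restaurant,,TRUE,2023-06-01,2023-06-02,2023-06-01,
svc-onboard,CN=IT Helpdesk,TRUE,2022-11-20,2024-02-28,2022-11-20,
msmith,CN=A Manager,FALSE,2024-02-20,,2024-02-20,2024-03-01
"""
AUDIT_DATE = date(2024, 3, 11)  # assumed "today" for the sample run


def _parse_date(value: str):
    return date.fromisoformat(value) if value else None


def audit_account(row: dict, today: date) -> list[str]:
    """Return the findings for one enabled account (empty list = nothing to act on)."""
    findings = []
    created = _parse_date(row["whenCreated"])
    last_logon = _parse_date(row["lastLogon"])
    pwd_set = _parse_date(row["pwdLastSet"])
    age = (today - created).days
    starter_name = bool(STARTER_NAME.match(row["sAMAccountName"]))

    if starter_name:
        findings.append("onboarding, test or default naming pattern")
    if not row["manager"]:
        findings.append("no owner recorded")
    if last_logon is None and age > GRACE_DAYS:
        findings.append(f"no login history after {age} days")
    elif last_logon is not None and (today - last_logon).days > STALE_DAYS:
        findings.append(f"no login in the last {STALE_DAYS} days")
    # pwdLastSet equal to whenCreated means nobody replaced the setup password.
    if pwd_set == created and age > GRACE_DAYS:
        findings.append("starter password never changed since creation")
    if starter_name and not row["accountExpires"]:
        findings.append("no expiration point set")
    return findings


def audit_export(export_csv: str, today: date) -> dict[str, list[str]]:
    """Audit every enabled account in the export; disabled accounts are skipped."""
    report = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["enabled"].upper() != "TRUE":
            continue
        findings = audit_account(row, today)
        if findings:
            report[row["sAMAccountName"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_export(SAMPLE_EXPORT, AUDIT_DATE).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On the sample data the ordinary user jdoe produces no findings, while the leftover onboarding, test and service accounts each surface several; the "starter password never changed" check is the one that catches a survivor like the Unitronics or McHire credentials even when the account name looks unremarkable.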

For managers, the practical change looks small. Stop asking IT to send passwords to new hires through personal inboxes, group chats or managers. Give employees a reset link, an identity check and a password policy that blocks weak choices before the first login.

Passwords will remain part of onboarding for organizations that run Active Directory, HR platforms and legacy business systems. You reduce risk when you remove shared starter secrets and force each account to prove ownership before it reaches company data.
