McDonald’s AI Hiring Bot Exposes 64M Job Seekers: Data Breach Highlights AI Security Risk
13th July 2025, Kathmandu
A significant data breach involving McDonald’s AI-powered hiring platform, McHire, has exposed the personal information of an estimated 64 million job applicants.
The incident, which underscores critical vulnerabilities in third-party AI systems, allowed security researchers to access sensitive records due to remarkably weak administrator credentials on systems operated by Paradox.ai, the AI software company behind McDonald’s recruitment chatbot, “Olivia.”
Security researchers Ian Carroll and Sam Curry discovered they could gain administrator-level access to the McHire backend simply by guessing credentials, including a default account where both the username and password were set to “123456.” This glaring security lapse granted them unauthorized access to a vast trove of applicant data, including names, email addresses, phone numbers, and IP addresses.
Carroll, who began investigating Paradox.ai due to concerns about its chatbot’s performance, described the experience as “uniquely dystopian.” The researchers quickly identified an internal login link for Paradox.ai staff on the McHire website.
Their successful login with basic, easily guessable credentials led them to discover an insecure direct object reference (IDOR) vulnerability: the backend checked that a request came from a logged-in user but not that the user was entitled to the specific record requested. By simply modifying applicant ID numbers, they could view full chat transcripts, session tokens, and sensitive personal data of millions of other applicants without authorization.
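The IDOR described above is a missing object-level authorization check, not a missing login. The following added example (constructed for this article, not code from McHire or Paradox.ai) contrasts a lookup that only checks for a session with one that authorizes the (principal, record) pair, and counts how many records each handler lets a single applicant read by walking the ID space. The records, franchise mapping, and role model are all assumptions made for the illustration.

```python
"""Vulnerable vs. hardened applicant lookup (constructed IDOR illustration).

All records, IDs and the franchise scoping here are made up for the example.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass
class Applicant:
    applicant_id: int
    name: str
    email: str
    chat_transcript: str


@dataclass
class Session:
    """Who is making the request: an applicant or a staff member of one franchise."""
    principal_id: int                   # applicant_id for applicants, staff id for staff
    role: str                           # "applicant" or "staff"
    franchise_id: Optional[int] = None  # staff are scoped to a single franchise


# Constructed sample data; nothing here comes from a real system.
APPLICANTS = {
    101: Applicant(101, "Applicant A", "a@example.invalid", "transcript A"),
    102: Applicant(102, "Applicant B", "b@example.invalid", "transcript B"),
    103: Applicant(103, "Applicant C", "c@example.invalid", "transcript C"),
}
APPLICANT_FRANCHISE = {101: 1, 102: 1, 103: 2}


class Forbidden(Exception):
    pass


def get_applicant_vulnerable(session: Optional[Session], applicant_id: int) -> Applicant:
    """IDOR: the only check is that *some* principal is logged in, so any
    authenticated caller can iterate IDs and read every record."""
    if session is None:
        raise Forbidden("login required")
    return APPLICANTS[applicant_id]


def get_applicant_hardened(session: Optional[Session], applicant_id: int) -> Applicant:
    """Object-level authorization: decide per request whether this principal
    may read this record. Unknown and forbidden IDs get the same response so
    the ID space cannot be mapped from error differences."""
    if session is None:
        raise Forbidden("login required")
    record = APPLICANTS.get(applicant_id)
    if record is None:
        raise Forbidden("not found or not permitted")
    if session.role == "applicant" and session.principal_id == applicant_id:
        return record
    if (session.role == "staff"
            and APPLICANT_FRANCHISE.get(applicant_id) == session.franchise_id):
        return record
    raise Forbidden("not found or not permitted")


def readable_ids(session: Session,
                 lookup: Callable[[Optional[Session], int], Applicant],
                 ids: Iterable[int]) -> List[int]:
    """Authorization coverage check: which of `ids` can `session` read via
    `lookup`? Used to compare the two handlers."""
    readable = []
    for i in ids:
        try:
            lookup(session, i)
            readable.append(i)
        except (Forbidden, KeyError):
            pass
    return readable


if __name__ == "__main__":
    one_applicant = Session(principal_id=101, role="applicant")
    print(readable_ids(one_applicant, get_applicant_vulnerable, range(100, 105)))  # [101, 102, 103]
    print(readable_ids(one_applicant, get_applicant_hardened, range(100, 105)))    # [101]
```

The hardened version is the shape of the fix for any IDOR: authorization is evaluated against the object being requested, on every request, and the check is tested by confirming that a low-privilege principal can reach only its own records.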
“In about 30 minutes, we had access to nearly every McDonald’s job application going back years,” Carroll stated.
The compromised system, McHire, is utilized by approximately 90% of McDonald’s franchisees and relies on Paradox.ai’s chatbot, Olivia, to manage applications and conduct initial interviews. The platform collects extensive personal details, including home addresses, availability, and personality assessment results.
The researchers promptly reported their findings to Paradox.ai and McDonald’s on June 30. Both companies responded swiftly. McDonald’s acknowledged the issue within an hour, and Paradox.ai immediately disabled the default credentials, preventing further unauthorized access.
Paradox.ai Confirms Breach, Attributes It to Dormant Test Account
In a public statement, Paradox.ai confirmed the incident, asserting that the compromised account was a “dormant test account” not accessed since 2019 and “should have been decommissioned.” The company emphasized that only the security researchers accessed this account and no malicious actors were involved. Paradox.ai also clarified that while the vulnerability could have affected other clients, only McDonald’s data was impacted in this specific incident.
McDonald’s Points to Vendor Responsibility
McDonald’s released a statement expressing disappointment in its third-party provider: “We’re disappointed by this unacceptable vulnerability from a third-party provider, Paradox.ai. As soon as we learned of the issue, we required immediate remediation, which was completed the same day. We take cybersecurity seriously and will continue to hold our third-party providers to our standards for data protection.”
The potential risks of such a breach are significant. Experts warn that fraudsters could use exposed data to impersonate recruiters, leading to sophisticated phishing scams or even payroll fraud by requesting banking information from unsuspecting job seekers. “The phishing risk would have been massive,” noted Sam Curry.
Paradox.ai Implements New Security Measures
In response to the incident, Paradox.ai has moved to bolster its security protocols. New measures include stricter password policies, patching of vulnerable API endpoints, and the launch of a bug bounty program to encourage external security research. The company has also established a dedicated security contact channel to improve communication and response to future findings.
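The root cause Paradox.ai describes, a dormant test account with a default password, is the kind of condition a routine account audit catches. The following added example (written for this article, not Paradox.ai's code) shows two such controls: a password policy that rejects default, username-equal and short passwords at the time they are set, and an audit that flags accounts that have not logged in within a chosen window or are marked as test accounts. The account records, the 90-day threshold, and the small blocklist are constructed assumptions.

```python
"""Credential-policy and dormant-account audit (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumed policy values for the example.
WEAK_PASSWORDS = {"123456", "password", "admin"}   # tiny constructed blocklist
MIN_LENGTH = 12
DORMANT_AFTER = timedelta(days=90)


def validate_new_password(username: str, candidate: str) -> Tuple[bool, str]:
    """Reject default and trivially guessable passwords before they are stored."""
    if candidate in WEAK_PASSWORDS:
        return False, "password is on the blocklist"
    if candidate.lower() == username.lower():
        return False, "password must not equal the username"
    if len(candidate) < MIN_LENGTH:
        return False, f"password shorter than {MIN_LENGTH} characters"
    return True, "ok"


@dataclass
class Account:
    username: str
    last_login: Optional[datetime]   # None means never logged in
    is_test: bool


def audit_accounts(accounts: List[Account], now: datetime) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for accounts that should be reviewed
    or decommissioned: dormant beyond DORMANT_AFTER, or test accounts that
    are still enabled."""
    findings = []
    for acct in accounts:
        if acct.last_login is None or now - acct.last_login > DORMANT_AFTER:
            findings.append((acct.username, "dormant"))
        if acct.is_test:
            findings.append((acct.username, "test-account-enabled"))
    return findings


# Constructed sample accounts for a stand-alone run.
SAMPLE_NOW = datetime(2025, 7, 1)
SAMPLE_ACCOUNTS = [
    Account("qa_test", datetime(2019, 5, 1), is_test=True),
    Account("ops_admin", datetime(2025, 6, 20), is_test=False),
    Account("never_used", None, is_test=False),
]

if __name__ == "__main__":
    print(validate_new_password("svc", "123456"))           # (False, 'password is on the blocklist')
    for finding in audit_accounts(SAMPLE_ACCOUNTS, SAMPLE_NOW):
        print(finding)
```

Run as a scheduled job against the identity store, the audit output is the list of accounts to disable; the password check belongs in every path that sets a credential, including account-provisioning scripts and test fixtures.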
Stephanie King, Paradox.ai’s Chief Legal Officer, took full responsibility for the issue, stating, “Our clients and their candidates trust us, and we are committed to maintaining that trust.” Paradox.ai continues to provide its AI-powered recruitment solutions to various organizations, facilitating candidate screening, scheduling, and engagement.
This incident serves as a crucial reminder for all organizations to rigorously vet the security practices of third-party vendors, especially those handling sensitive personal data via AI platforms.