
McDonald's AI Hiring Bot Leaks 64M Applicant Data

A major security flaw in McDonald's AI hiring system, McHire, exposed the personal data of up to 64 million job applicants. The entry point was an administrator account protected only by the password "123456", and an insecure direct object reference (IDOR) bug then let the researchers walk the whole applicant database.

A severe security vulnerability in McDonald's AI-powered hiring system, McHire, exposed the personal information of as many as 64 million job applicants to unauthorized access. The breach, traced to elementary security failures including an administrator password of "123456", shows how basic the weaknesses in AI-driven recruitment systems can be.

Security researchers Ian Carroll and Sam Curry uncovered the vulnerability in the McHire platform, which is built by the artificial-intelligence software firm Paradox.ai. Within about 30 minutes they had administrator access, having guessed both the username and the password "123456". The compromised account had no multi-factor authentication, a basic control that would have stopped the login even with the password known.
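The account the researchers walked in through combined three failures that an identity audit should catch on its own: a password on every common-password list, no MFA, and (per Paradox.ai's own statement) a test account nobody had used for years. The following is an added example, not Paradox.ai or McHire code, of such an audit over a constructed account list. The salt derivation, the PBKDF2 iteration count and the 365-day dormancy threshold are assumptions for the demo; a real audit would check stored hashes against a full breached-password corpus rather than five entries.

```python
"""Added example (not McHire/Paradox.ai code): audit an identity store for the
three failures this incident combined: a deny-listed password, no MFA, and a
long-dormant account that still holds an admin role. All data is constructed."""
import hashlib
import hmac
from datetime import date
from typing import Optional

# Constructed deny list; production should use a full breached-password corpus.
COMMON_PASSWORDS = ["123456", "password", "admin", "qwerty", "123456789"]
DORMANT_AFTER_DAYS = 365   # assumed policy threshold
ITERATIONS = 100_000       # assumed KDF cost for the demo


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for whatever KDF the store uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def password_allowed(candidate: str, min_length: int = 12) -> bool:
    """Set-time check: reject short or deny-listed passwords before they are hashed."""
    return len(candidate) >= min_length and candidate.lower() not in COMMON_PASSWORDS


def matches_common_password(stored_hash: bytes, salt: bytes) -> Optional[str]:
    """Offline audit of an existing account: re-derive each deny-listed password
    with the account's own salt and compare against the stored hash."""
    for guess in COMMON_PASSWORDS:
        if hmac.compare_digest(hash_password(guess, salt), stored_hash):
            return guess
    return None


def audit_account(acct: dict, today: date) -> list:
    """Return the list of findings for one account (empty list means clean)."""
    findings = []
    weak = matches_common_password(acct["pw_hash"], acct["salt"])
    if weak is not None:
        findings.append(f"common_password:{weak}")
    if not acct["mfa_enabled"]:
        findings.append("no_mfa")
    dormant_days = (today - acct["last_login"]).days
    if dormant_days > DORMANT_AFTER_DAYS:
        findings.append(f"dormant:{dormant_days}d")
    if acct["is_test"] and acct["role"] == "admin":
        findings.append("test_account_with_admin_role")
    return findings


def sample_accounts() -> list:
    """Constructed sample accounts (not real McHire data)."""
    def make(name, password, role, mfa, last_login, is_test):
        # Deterministic salt so the demo is reproducible; use os.urandom in practice.
        salt = hashlib.sha256(name.encode()).digest()[:16]
        return {"user": name, "pw_hash": hash_password(password, salt), "salt": salt,
                "role": role, "mfa_enabled": mfa, "last_login": last_login,
                "is_test": is_test}
    return [
        make("admin", "123456", "admin", False, date(2019, 6, 1), True),
        make("hr.lead", "correct-horse-battery-staple", "admin", True,
             date(2025, 7, 1), False),
    ]


def run_audit(today: date = date(2025, 7, 10)) -> dict:
    """Map each sample user to its findings."""
    return {a["user"]: audit_account(a, today) for a in sample_accounts()}


if __name__ == "__main__":
    for user, findings in run_audit().items():
        print(user, findings or "clean")
```

The set-time check is the cheap part; the offline re-derivation is what finds accounts like this one after the fact, because a deny-listed password hashes to the same value no matter how strong the KDF is. Any account that trips the dormancy and test-account findings together is a decommission candidate rather than a "fix the password" ticket.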

AI Hiring Bot Exposes Sensitive Data

McDonald’s McHire platform uses an AI chatbot named “Olivia” to streamline recruitment for franchise locations: it handles initial screening, collects contact information and résumés, and directs applicants to personality assessments. The backend, developed by Paradox.ai, stored extensive chat logs and personal information from millions of these interactions.

The researchers initially looked for prompt-injection weaknesses in the chatbot, but a pivot to the authentication mechanisms quickly exposed the Achilles’ heel. Once inside, an Insecure Direct Object Reference (IDOR) vulnerability let them step through applicant ID numbers and retrieve the names, email addresses, phone numbers, and chat histories of millions of individuals. Because the IDs were sequential, the entire applicant database could be walked, exposing years of sensitive data.
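The IDOR described above is an authorization bug, not an authentication one: the caller is logged in, but the lookup never asks whether the caller is allowed to see that particular record. The following is an added example, not McHire or Paradox.ai code, showing a vulnerable applicant-lookup handler next to its hardened form and the sequential-ID walk that turns the bug into a database traversal. The data model (franchise-scoped sessions, integer applicant IDs, the field names) is an assumption for illustration.

```python
"""Added example (not McHire/Paradox.ai code): an insecure direct object
reference on an applicant-lookup endpoint beside its hardened form, plus the
sequential-ID walk that makes the bug a full traversal. Data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Applicant:
    id: int
    franchise_id: str
    name: str
    email: str
    phone: str


@dataclass(frozen=True)
class Session:
    user: str
    franchise_id: str   # the one franchise this login may see (assumed model)


class NotFound(Exception):
    """Stands in for an HTTP 404."""


# Constructed sample data: two franchises sharing one sequential ID space.
APPLICANTS = {a.id: a for a in [
    Applicant(1001, "store-A", "Ann Example", "ann@example.com", "555-0101"),
    Applicant(1002, "store-A", "Bo Example", "bo@example.com", "555-0102"),
    Applicant(1003, "store-B", "Cy Example", "cy@example.com", "555-0103"),
    Applicant(1004, "store-B", "Di Example", "di@example.com", "555-0104"),
]}


def get_applicant_vulnerable(session: Session, applicant_id: int) -> Applicant:
    """IDOR: the caller is authenticated, but the record is fetched by ID alone
    with no check that the caller's franchise owns it."""
    try:
        return APPLICANTS[applicant_id]
    except KeyError:
        raise NotFound(applicant_id)


def get_applicant_hardened(session: Session, applicant_id: int) -> Applicant:
    """Authorization is part of the lookup: match on owner as well as ID, and
    answer 'not found' for both missing and foreign records so the endpoint
    does not reveal which IDs exist."""
    rec = APPLICANTS.get(applicant_id)
    if rec is None or rec.franchise_id != session.franchise_id:
        raise NotFound(applicant_id)
    return rec


def walk_ids(handler, session: Session, start: int, count: int) -> list:
    """The enumeration: step through consecutive IDs and keep whatever comes back."""
    found = []
    for applicant_id in range(start, start + count):
        try:
            found.append(handler(session, applicant_id))
        except NotFound:
            continue
    return found


def foreign_records_exposed(handler, session: Session) -> int:
    """How many records from other franchises a walk of IDs 1000-1009 returns."""
    return sum(1 for a in walk_ids(handler, session, 1000, 10)
               if a.franchise_id != session.franchise_id)


if __name__ == "__main__":
    s = Session("store-A-manager", "store-A")
    print("vulnerable handler leaks:", foreign_records_exposed(get_applicant_vulnerable, s))
    print("hardened handler leaks:  ", foreign_records_exposed(get_applicant_hardened, s))
```

Switching to random, non-sequential identifiers (UUIDs) slows enumeration down but is not the fix; the ownership check in the hardened handler is. Both together, plus an alert on any session that touches a long run of consecutive IDs, are what a practitioner would want in place.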

Company Response and Future Steps

Paradox.ai says only a fraction of the 64 million records contained sensitive personal data, but the exposed names, email addresses, and phone numbers are enough for targeted phishing and payroll fraud against affected applicants, so the risk to individuals is significant.

Both McDonald’s and Paradox.ai have acknowledged the breach. McDonald’s expressed disappointment in its third-party provider’s security lapses. Paradox.ai’s Chief Legal Officer, Stephanie King, confirmed the findings and stated that the compromised test account, dormant since 2019, should have been decommissioned. The company has since fixed the vulnerability and announced the launch of a bug bounty program to proactively identify future security weaknesses. This incident underscores the urgent need for robust security protocols and vigilant oversight in the rapidly evolving landscape of AI-driven HR technologies.
