McDonald’s AI recruiting platform had a really embarrassing security flaw – and it left millions of users open to attack


- McDonald’s recently introduced a new hiring platform called McHire
- It uses an AI-powered chatbot that collects resumes, CVs, and contact data
- Researchers managed to easily log into the backend and obtain all of the data stored by the AI
A third-party supply chain vulnerability exposed sensitive data on 64 million people who applied to work with McDonald’s, experts have claimed.
The company recently introduced a new AI-powered hiring platform, courtesy of partners Paradox.ai. Called McHire, it featured Olivia, an AI-powered chatbot that screens applicants, gathers their contact information, CVs and resumes, and makes them do a personality test.
The dedicated website, McHire.com, had a login link, which two security researchers – Ian Carroll and Sam Curry – used to log into the backend. They tried guessing the password, and after a first failed attempt (going with “admin” for both username and password fields), they succeeded on the second one – using “123456” in both fields.
Plugging the hole
Although it might come as a shock to some, Carroll told Wired easy-to-guess passwords such as this one are “more common than you’d think.”
Indeed, over the years, there were countless reports from security experts, warning about the use of passwords such as “password”, “iloveyou”, “123456”, “qwerty”, and similar.
Reaching the backend, they accessed all the data harvested by the platform, including personally identifiable information shared in CVs and resumes: names, email addresses, and phone numbers. In total, 64 million records were exposed.
While stealing names, emails, and phone numbers might not sound like much, cybercriminals can use it to create highly convincing phishing attacks, especially knowing that the victims applied for a job at McDonald’s at some point.
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
This can lead to more destructive malware and ransomware attacks, identity theft, and even wire fraud.
As soon as the discovery was made, Paradox was notified and quickly plugged the hole. The company told Wired that “only a fraction of the records” the researchers accessed contained personal information, and that the hole was not previously spotted by anyone else.
You might also like
McDonald’s recently introduced a new hiring platform called McHire It uses an AI-powered chatbot that collects resumes, CVs, and contact data Researchers managed to easily log into the backend and obtain all of the data stored by the AI A third-party supply chain vulnerability exposed sensitive data on 64 million…
Recent Posts
- Qantas confirms 5.7 million customers impacted by data breach
- Conspiracy theorists are blaming flash floods on cloud seeding — it has to stop
- A Republican state attorney general is formally investigating why AI chatbots don’t like Donald Trump
- NYT Wordle today — answer and my hints for game #1483, Friday, July 11
- Not Just Any Prime Day Deals, 279 Obsessively Tested Picks—Even $1,200 Off an OLED TV
Archives
- July 2025
- June 2025
- May 2025
- April 2025
- March 2025
- February 2025
- January 2025
- December 2024
- November 2024
- October 2024
- September 2024
- August 2024
- July 2024
- June 2024
- May 2024
- April 2024
- March 2024
- February 2024
- January 2024
- December 2023
- November 2023
- October 2023
- September 2023
- August 2023
- July 2023
- June 2023
- May 2023
- April 2023
- March 2023
- February 2023
- January 2023
- December 2022
- November 2022
- October 2022
- September 2022
- August 2022
- July 2022