×
McDonald’s AI hiring chatbot exposed 64M job applicants’ personal data
Written by
Published on
Join our daily newsletter for breaking news, product launches and deals, research breakdowns, and other industry-leading AI coverage
Join Now

McDonald’s AI hiring chatbot exposed the personal data of millions of job applicants due to laughably weak security measures, including a password set to “123456.” Security researchers Ian Carroll and Sam Curry discovered they could access up to 64 million applicant records through the McHire platform built by Paradox.ai, a software company that creates AI-powered hiring tools, potentially exposing names, email addresses, and phone numbers of people who applied for McDonald’s jobs over several years.

What you should know: The security breach occurred through basic vulnerabilities that should never exist in enterprise systems handling sensitive data.

  • Researchers gained administrator access to Paradox.ai’s backend systems by simply guessing common login credentials, with “123456” as both username and password working on their second attempt.
  • The compromised account had no multifactor authentication and “had not been logged into since 2019 and frankly, should have been decommissioned,” according to Paradox.ai.
  • Once inside, researchers could access any applicant’s chat logs and contact information by manipulating ID numbers in the system.

The scope of exposure: The vulnerable database contained records spanning years of McDonald’s job applications through the AI-powered McHire system.

  • Researchers identified over 64 million applicant ID numbers, though Paradox.ai says only a fraction contained personal information.
  • The exposed data included applicants’ names, email addresses, phone numbers, and complete chat histories with the Olivia AI chatbot.
  • Two applicants contacted by WIRED confirmed they had applied for McDonald’s jobs on the dates specified in their exposed records.

Why this matters: The breach creates significant risks for vulnerable job seekers who could be targeted by sophisticated phishing scams.

  • Fraudsters could impersonate McDonald’s recruiters and request financial information for fake direct deposit setups, exploiting applicants’ eagerness for employment.
  • “If you wanted to do some sort of payroll scam, this is a good approach,” Curry explained, noting the heightened vulnerability of people actively seeking employment.
  • The exposure also carries potential embarrassment for applicants whose job-seeking attempts at minimum-wage positions were made visible.

How the discovery happened: Carroll initially investigated the system after seeing Reddit complaints about the AI chatbot’s poor performance with job applicants.

  • “I just thought it was pretty uniquely dystopian compared to a normal hiring process, right? And that’s what made me want to look into it more,” Carroll said.
  • After testing unsuccessfully for AI prompt injection vulnerabilities, the researchers noticed a Paradox.ai staff login link and decided to try common credentials.
  • “So I started applying for a job, and then after 30 minutes, we had full access to virtually every application that’s ever been made to McDonald’s going back years,” Carroll explained.

What they’re saying: Both companies acknowledged the severity of the breach and took responsibility for the failures.

  • “We do not take this matter lightly, even though it was resolved swiftly and effectively,” said Stephanie King, Paradox.ai’s chief legal officer. “We own this.”
  • McDonald’s expressed disappointment with their vendor: “We’re disappointed by this unacceptable vulnerability from a third-party provider, Paradox.ai.”
  • The companies confirmed that Paradox.ai verified the compromised account “was not accessed by any third party” other than the security researchers.

The bigger picture: This incident highlights the risks of deploying AI systems without proper security foundations, especially when handling sensitive personal data.

  • Paradox.ai announced it’s implementing a bug bounty program to better identify security vulnerabilities in the future.
  • The breach was resolved on the same day it was reported to McDonald’s, according to the company’s statement.
  • Carroll noted his respect for McDonald’s workers despite the security issues: “I have nothing but respect for McDonald’s workers. I go to McDonald’s all the time.”
McDonald’s AI Hiring Bot Exposed Millions of Applicants’ Data to Hackers Who Tried the Password ‘123456’

Recent News

OpenAI plans to launch web browser with AI agent to challenge Chrome

ChatGPT's 400 million users provide a ready audience for the browser migration.

AI shopping platforms eye e-commerce with seamless checkout and fulfillment

Success hinges on matching Amazon's fulfillment prowess with Apple Pay's checkout simplicity.