A pair of independent security researchers, Sam Curry and Ian Carroll, say they were able to enter the back-end of McHire.com, the hiring platform used by more than 90% of McDonald’s franchises, by logging in to a test account with default credentials: the username and the password were both “123456.” Once inside, they found a second flaw, an insecure direct object reference, that let them step through sequential applicant IDs and view the personal data and chat logs of anyone who had interacted with the site’s AI hiring chatbot, Olivia. The researchers estimate the exposure covered as many as 64 million records containing names, email addresses and phone numbers of job seekers, some dating back years. Although they spot-checked only a handful of records to avoid privacy violations, the researchers contend the vulnerability could have enabled large-scale phishing or payroll fraud against applicants.

Paradox.ai, the Arizona-based software firm that built the platform, confirmed the weaknesses and said the affected test account had been dormant since 2019. The company said no one other than the researchers accessed the data, added that both bugs were fixed on 30 June, the same day they were reported, and announced plans for a bug-bounty program.

McDonald’s called the lapse “unacceptable,” placed responsibility on its third-party vendor and said it will continue to hold suppliers to its data-protection standards. Neither McDonald’s nor Paradox.ai has disclosed how many applicants have been notified, but both companies say they are reviewing security controls to prevent a recurrence.
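The two weaknesses described above, a default username and password on an administrative login and a record lookup that trusts any sequential applicant ID, are reproduced below in a toy in-memory service with a hardened version beside each. This is an added illustration, not code from the researchers, Paradox.ai or McDonald’s; the applicant records, the franchise ("restaurant") scoping, the user tables and the deny-list of default passwords are all constructed assumptions for the example, and the real McHire back-end is not described in enough detail here to model it.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Constructed sample data: each applicant record belongs to one franchise
# ("restaurant"). The fields stand in for the contact details and chat
# logs mentioned in the article.
APPLICANTS = {
    1: {"name": "Ada Lovelace", "email": "ada@example.com", "restaurant": "r-100"},
    2: {"name": "Bob Jones", "email": "bob@example.com", "restaurant": "r-100"},
    3: {"name": "Cara Smith", "email": "cara@example.com", "restaurant": "r-200"},
}


@dataclass
class Session:
    user: str
    restaurant: str  # the single franchise this account administers


# --- Vulnerable version ----------------------------------------------------
# Constructed stand-in for a dormant test account whose username and
# password are both "123456".
VULN_USERS = {"123456": "123456"}


def vuln_login(username, password):
    if VULN_USERS.get(username) == password:
        return Session(user=username, restaurant="r-100")
    return None


def vuln_get_applicant(session, applicant_id):
    """Returns any record by ID to any logged-in session: an IDOR."""
    if session is None:
        raise PermissionError("not logged in")
    return APPLICANTS.get(applicant_id)


def vuln_dump(session, max_id):
    """IDs are sequential, so a loop over 1..max_id walks the whole table."""
    found = []
    for applicant_id in range(1, max_id + 1):
        record = vuln_get_applicant(session, applicant_id)
        if record is not None:
            found.append(record)
    return found


# --- Hardened version ------------------------------------------------------
# Constructed deny-list: credentials that must never be accepted at creation.
DEFAULT_CREDENTIALS = {"123456", "password", "admin", "test", "changeme"}
HARD_USERS = {}  # username -> {"salt", "hash", "restaurant"}


def password_acceptable(username, password):
    """Rejects default, username-equal and short passwords before hashing."""
    return (
        password not in DEFAULT_CREDENTIALS
        and password != username
        and len(password) >= 12
    )


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(username, password, restaurant):
    if not password_acceptable(username, password):
        raise ValueError("weak or default password rejected")
    salt = os.urandom(16)
    HARD_USERS[username] = {
        "salt": salt,
        "hash": hash_password(password, salt),
        "restaurant": restaurant,
    }


def hard_login(username, password):
    rec = HARD_USERS.get(username)
    if rec is None:
        return None
    if not hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"])):
        return None
    return Session(user=username, restaurant=rec["restaurant"])


def hard_get_applicant(session, applicant_id):
    """Scopes the lookup to the caller's franchise: a record owned by another
    franchise is indistinguishable from a missing one."""
    if session is None:
        raise PermissionError("not logged in")
    rec = APPLICANTS.get(applicant_id)
    if rec is None or rec["restaurant"] != session.restaurant:
        return None
    return rec


def new_applicant_id():
    """Unguessable identifier, so there is no range to sweep. Authorization
    is still required; randomness is not a substitute for it."""
    return secrets.token_urlsafe(16)
```

Three points the hardened half makes: a default password is rejected when the account is created rather than discovered years later in an audit; the ownership check is part of the lookup itself, so every code path that reads an applicant inherits it; and random identifiers remove the enumeration primitive that turned one stale login into a full table walk. A burst of sequential IDs from one session, as in `vuln_dump`, is also the kind of pattern worth alerting on in access logs.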
🚨McDonald’s AI Hiring Bot Exposed Millions of Applicants’ Data to Hackers Who Tried the Password ‘123456’ Source: https://t.co/VUwsDjSsC6
When applying for a job at McDonald's, over 90% of franchises use "Olivia," an AI-powered chatbot. We (@iangcarroll and I) discovered a vulnerability that could allow an attacker to access the over 64 million chat records using the password "123456". https://t.co/dBqpRpdp9T
New writeup: When applying for a job at McDonald's, over 90% of franchises use "Olivia," an AI-powered chatbot. We discovered a vulnerability that could allow an attacker to access the over 64 million chat records using the credentials "123456:123456". https://t.co/dBqpRpcRkl