McDonald’s AI Hiring Bot Exposed with ‘123456’ Password — Millions of Job Seekers’ Data at Risk
A serious security vulnerability in McDonald’s AI-powered hiring system exposed the personal information of millions of job applicants, after security researchers found that they could log into the platform’s administrative interface with the username and password “123456” and from there reach the entire applicant database.
The breach affects McHire.com, McDonald’s primary recruitment platform used by franchisees nationwide, where an AI chatbot named “Olivia” screens potential employees.
Security researchers Ian Carroll and Sam Curry revealed Wednesday that they gained administrator access to the platform, which is built and operated by the artificial-intelligence vendor Paradox.ai, using elementary techniques that took about 30 minutes from start to finish.
Massive Data Exposure
The vulnerability exposed approximately 64 million records containing applicants’ names, email addresses, phone numbers, and complete chat histories with the AI recruiter.
Carroll and Curry got in by trying common default credentials: an administrative account with both the username and the password set to “123456” granted immediate entry to the Paradox.ai-operated backend.
“I just thought it was pretty uniquely dystopian compared to a normal hiring process,” Carroll explained, describing his initial motivation to investigate the system. “After 30 minutes, we had full access to virtually every application that’s ever been made to McDonald’s going back years.”
The researchers then found a second critical flaw, an insecure direct object reference (IDOR): applicant records were addressed by numeric IDs, and the system returned any record when they simply changed the ID number in the request, without checking whether the logged-in account was entitled to see it.
Every ID they sampled from the 64-million-plus range returned genuine personal information belonging to a real job seeker.
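The two flaws described above, as an added illustration that is not Paradox.ai’s code: a lookup that only checks that the caller is logged in (the IDOR), beside a tenant-scoped lookup that closes it, and a helper that walks the ID space the way the researchers probed the API. The applicant records, franchise identifiers and the “123456” account name are constructed sample data; the real McHire schema and endpoints are not known from the article.

```python
"""Vulnerable vs hardened applicant lookup (constructed example, not McHire code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Applicant:
    applicant_id: int
    franchise_id: str  # the restaurant account that owns the application (assumed field)
    name: str
    email: str
    phone: str
    chat_log: str      # transcript with the "Olivia" chatbot


@dataclass(frozen=True)
class Session:
    account: str
    franchise_id: str
    is_admin: bool = False


# Constructed sample data: sequential IDs, as an applicant-tracking system hands them out.
APPLICANTS = {
    a.applicant_id: a
    for a in [
        Applicant(64_000_001, "store-1001", "Ana Ruiz", "ana@example.com", "555-0101", "Olivia: Hi Ana..."),
        Applicant(64_000_002, "store-2042", "Ben Ito", "ben@example.com", "555-0102", "Olivia: Hi Ben..."),
        Applicant(64_000_003, "store-1001", "Cara Ng", "cara@example.com", "555-0103", "Olivia: Hi Cara..."),
        Applicant(64_000_004, "store-3310", "Dev Shah", "dev@example.com", "555-0104", "Olivia: Hi Dev..."),
    ]
}


def get_applicant_vulnerable(session, applicant_id):
    """IDOR: verifies only that *someone* is logged in, then serves any record by ID."""
    if session is None:
        raise PermissionError("login required")
    return APPLICANTS.get(applicant_id)


def get_applicant(session, applicant_id):
    """Hardened: authorizes the object, not just the caller.

    A record owned by another franchise is answered exactly like a missing one,
    so a caller walking the ID space cannot even learn which IDs exist.
    """
    if session is None:
        raise PermissionError("login required")
    record = APPLICANTS.get(applicant_id)
    if record is None:
        return None
    if session.is_admin or record.franchise_id == session.franchise_id:
        return record
    return None


def walk_ids(lookup, session, start_id, count):
    """Step downward from a known ID and collect records that belong to other franchises.

    This is the shape of the researchers' test: change the ID, see what comes back.
    """
    leaked = []
    for applicant_id in range(start_id, start_id - count, -1):
        record = lookup(session, applicant_id)
        if record is not None and record.franchise_id != session.franchise_id:
            leaked.append(record)
    return leaked


if __name__ == "__main__":
    # Constructed test-store session; the account name mirrors the weak credential in the story.
    test_session = Session(account="123456", franchise_id="store-1001")
    for name, fn in (("vulnerable", get_applicant_vulnerable), ("hardened", get_applicant)):
        leaked = walk_ids(fn, test_session, 64_000_004, 4)
        print(f"{name}: {len(leaked)} other-franchise record(s) leaked")
```

The fix is not a rate limit or a random ID; it is the ownership check in `get_applicant`. Unguessable IDs only slow an attacker who already holds a valid session, and this attacker got one with “123456”.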
Paradox.ai acknowledged the security failure in a blog post, with Chief Legal Officer Stephanie King stating, “We do not take this matter lightly, even though it was resolved swiftly and effectively. We own this.”
The company confirmed that only the researchers accessed the compromised account and announced plans for a bug bounty program to identify future vulnerabilities.
McDonald’s expressed disappointment with their third-party provider, stating they “mandated Paradox.ai to remediate the issue immediately” and emphasized their commitment to holding vendors accountable for data protection standards.
The exposed data poses substantial risks to affected applicants, particularly in the context of targeted phishing attacks.
Curry noted that fraudsters could exploit the information to impersonate McDonald’s recruiters and request financial details for fake direct deposit setups.
The incident highlights growing concerns about the security of AI-powered recruitment systems, particularly when handling sensitive personal data from job seekers who may be in financially vulnerable positions.