In a significant cybersecurity incident, McDonald’s AI-powered hiring platform, McHire, has been found to have exposed the personal information of millions of job applicants due to critical security vulnerabilities. The breach, uncovered by security researchers Ian Carroll and Sam Curry, highlights the growing risks associated with automated recruitment technologies and inadequate cybersecurity measures.
Details of the Breach
The McHire platform, widely used by McDonald’s franchisees to streamline the hiring process, utilizes an AI chatbot named “Olivia” to interact with job seekers. Researchers discovered that the administrative backend of the system was protected by extremely weak credentials—both the username and password were set to “123456.” Furthermore, the system lacked multi-factor authentication, making unauthorized access alarmingly easy.
Within just 30 minutes of investigation, the researchers gained full administrative access, exposing a vast database of applicant information. A further flaw, an insecure direct object reference (IDOR), let them browse individual applicant records simply by altering ID numbers in the system’s URL, with no check that the logged-in account was entitled to see that record.
Scope of the Data Exposure
The exposed data is believed to include up to 64 million records, containing:
- Full names
- Email addresses
- Phone numbers
- Résumés and employment histories
- Complete chat logs with the AI recruiter
This information, collected from applicants over several years, represents a significant privacy risk.
Corporate Response
Upon notification, McDonald’s and Paradox.ai, the developer of the McHire platform, responded promptly to remediate the vulnerabilities. The companies have stated that there is no evidence suggesting the data was accessed by malicious actors prior to the researchers’ discovery. Paradox.ai has committed to conducting comprehensive security reviews and launching a bug bounty program to enhance future protections.