
Security researchers Ian Carroll and Sam Curry have uncovered a major vulnerability affecting McDonald’s job application system, exposing the personal data of approximately 64 million applicants.
In a blog post detailing their findings, the duo revealed that they were able to gain access to McDonald’s AI-powered hiring chatbot, McHire, which was developed by Paradox.ai, using shockingly weak credentials: a username and password that were both “123456.” Within just a few hours of exploration, they also identified a second flaw in an internal API that granted access to applicants’ chat histories with the bot.
Through these vulnerabilities, the researchers were able to view sensitive personal information such as names, email addresses, home addresses, and phone numbers of job seekers who had used McHire to apply for positions.
Paradox.ai responded swiftly after being alerted to the issue, stating in a follow-up blog post that the problems were resolved “within a few hours” and that there was “no evidence of candidate information being leaked online or exposed to the public.”
The discovery raises serious concerns about the security standards behind enterprise AI tools—especially those handling personal or confidential data. While Paradox.ai acted quickly to contain the issue, the incident highlights how easily preventable security oversights—like weak default credentials—can put millions at risk.
The breach was first reported by Wired and adds to a growing conversation around the trust, transparency, and responsibility tech providers must uphold when automating key HR functions such as hiring.
As AI continues to reshape how companies recruit talent, robust cybersecurity practices must go hand in hand with innovation—especially when dealing with real people’s lives and livelihoods.