McDonald’s Data Breach Exposes 64 Million Job Applicants’ Personal Info
In July 2025, McDonald’s faced a significant data breach involving its AI-powered hiring platform, McHire, developed by Paradox.ai. Security researchers Ian Carroll and Sam Curry discovered critical vulnerabilities that exposed the personal information of approximately 64 million job applicants. The breach stemmed from shockingly basic security flaws, including a default admin password of “123456” and an insecure direct object reference (IDOR) in an internal API, allowing unauthorized access to sensitive data such as names, email addresses, phone numbers, resumes, and chat transcripts with the AI chatbot “Olivia.”
How the Breach Occurred
The breach was uncovered in late June 2025 when Carroll and Curry, prompted by Reddit complaints about Olivia’s “nonsensical answers,” investigated the McHire platform. They found a login link for Paradox.ai staff and gained administrator access using the default credentials “123456” for both username and password. Additionally, an IDOR flaw in an internal API allowed them to retrieve applicant data by simply manipulating a parameter value, exposing sensitive details like contact information and job preferences. This vulnerability affected 90% of McDonald’s global franchises using McHire, highlighting a severe lapse in third-party vendor security.
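As an added illustration (not Paradox.ai’s or McHire’s code), the lookup pattern described above is shown beside a version that authorizes each request against the record’s owner or franchise, together with a credential check that rejects defaults such as “123456”; the accounts, franchises and applicant records are constructed.

```python
"""Added example, not Paradox.ai/McHire code: an applicant lookup with the
IDOR pattern described in the article, beside a hardened version, plus a
credential policy check. All account, franchise and record data is constructed."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Applicant:
    applicant_id: int
    owner_account: str      # account that submitted the application
    franchise: str          # franchise the application was sent to
    name: str
    email: str

@dataclass(frozen=True)
class Session:
    account: str
    role: str               # "applicant" or "franchise_admin"
    franchise: Optional[str] = None

# Constructed sample records standing in for the real applicant store.
APPLICANTS = {
    1001: Applicant(1001, "alice", "store-17", "Alice Example", "alice@example.test"),
    1002: Applicant(1002, "bob", "store-42", "Bob Example", "bob@example.test"),
}

class Forbidden(Exception):
    pass

def get_applicant_vulnerable(session: Session, applicant_id: int) -> Applicant:
    """IDOR: trusts the caller-supplied id and never checks who is asking."""
    return APPLICANTS[applicant_id]

def get_applicant_hardened(session: Session, applicant_id: int) -> Applicant:
    """Authorize against the record itself; a valid session is not enough."""
    record = APPLICANTS.get(applicant_id)
    if record is None:
        raise Forbidden("not found")  # same error as a denial: no id-enumeration oracle
    if session.role == "applicant" and record.owner_account == session.account:
        return record
    if session.role == "franchise_admin" and record.franchise == session.franchise:
        return record
    raise Forbidden("not found")

def can_read(session: Session, applicant_id: int) -> bool:
    """Convenience wrapper: True if the hardened lookup permits the read."""
    try:
        get_applicant_hardened(session, applicant_id)
        return True
    except Forbidden:
        return False

DEFAULT_PASSWORDS = {"123456", "password", "admin"}  # constructed denylist; "123456" is from the article

def credentials_acceptable(username: str, password: str) -> bool:
    """Reject known defaults, username reuse and short secrets for privileged accounts."""
    if password.lower() in DEFAULT_PASSWORDS or password == username:
        return False
    return len(password) >= 12
```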
Impact and Risks of the Breach
The exposed data, affecting 64 million applicants, poses significant risks, particularly for phishing and social engineering attacks. Cybercriminals could exploit the data to impersonate McDonald’s recruiters, targeting job seekers with fraudulent schemes like payroll scams. While Social Security numbers were not compromised, the breach included resumes, shift preferences, and personality test results, which could fuel highly targeted attacks. The incident underscores the dangers of weak security in AI-driven systems and the potential for third-party vulnerabilities to compromise large-scale operations.
Response and Remediation Efforts
McDonald’s and Paradox.ai acted swiftly after the researchers’ disclosure on June 30, 2025, resolving the vulnerabilities by July 1. The default credentials were disabled, and the API flaw was patched. Paradox.ai acknowledged the issue, noting the compromised test account was a dormant 2019 relic that should have been decommissioned, and announced plans for a bug bounty program to prevent future issues. McDonald’s expressed disappointment in Paradox.ai, emphasizing its commitment to cybersecurity and ongoing vendor accountability. There is no evidence that malicious actors exploited the flaw before it was fixed.
Lessons for Cybersecurity in AI-Driven Systems
The McDonald’s breach serves as a stark reminder of the risks associated with deploying AI technologies without robust security measures. The use of a weak password like “123456” and failure to implement multi-factor authentication (MFA) highlight basic oversights that can undermine even advanced systems. Organizations must prioritize vendor audits, enforce strong password policies, and conduct regular security reviews to protect sensitive data. This incident, combined with McDonald’s previous breaches in 2021 and alleged incidents in 2022 and 2024, underscores the need for continuous vigilance in an increasingly digital landscape.
SOURCE: https://cybersecuritynews.com/mcdonalds-ai-hiring-bot-leaks