The breach was uncovered in late June 2025 when Carroll and Curry, prompted by Reddit complaints about Olivia’s “nonsensical answers,” investigated the McHire platform. They found a login link for Paradox.ai staff and gained administrator access using the default credentials “123456” for both username and password. Additionally, an IDOR flaw in an internal API allowed them to retrieve applicant data by simply manipulating a parameter value, exposing sensitive details like contact information and job preferences. This vulnerability affected 90% of McDonald’s global franchises using McHire, highlighting a severe lapse in third-party vendor security.
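The IDOR flaw described above is the kind of bug where an API authenticates the caller but never checks whether the caller is allowed to see the specific record named by a request parameter. The following is an added illustration, not code from the article or from Paradox.ai or McHire: a minimal applicant-lookup handler with that defect, shown beside a hardened version that enforces an ownership or role check and does not reveal, through different error responses, whether a record exists. All records, account names, roles and franchise identifiers are constructed for the example.

```python
"""
Added example (not from the original article, Paradox.ai or McHire):
an Insecure Direct Object Reference (IDOR) in an applicant-lookup handler,
beside a hardened handler that performs per-record authorization.
All data and names below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Applicant:
    applicant_id: int
    name: str
    email: str
    owner_account: str   # account that submitted this application
    franchise: str       # franchise the application was sent to


@dataclass(frozen=True)
class Session:
    account: str
    role: str            # "applicant", "franchise_recruiter" or "admin"
    franchise: Optional[str] = None


# Constructed sample data standing in for an applicant-tracking database.
APPLICANTS = {
    1001: Applicant(1001, "Alice Example", "alice@example.invalid", "acct-alice", "store-42"),
    1002: Applicant(1002, "Bob Example", "bob@example.invalid", "acct-bob", "store-42"),
    1003: Applicant(1003, "Carol Example", "carol@example.invalid", "acct-carol", "store-77"),
}


class NotFound(Exception):
    """Raised for both missing and unauthorized records in the hardened handler."""


def get_applicant_vulnerable(session: Session, applicant_id: int) -> Applicant:
    """IDOR: the caller is authenticated (a Session exists) but the handler
    never asks whether this caller may read this record, so any logged-in
    user can walk through IDs and read other people's applications."""
    try:
        return APPLICANTS[applicant_id]
    except KeyError:
        raise NotFound(applicant_id)


def is_authorized(session: Session, record: Applicant) -> bool:
    """Object-level authorization: decide per record, not just per endpoint."""
    if session.role == "admin":
        return True
    if session.role == "franchise_recruiter":
        return session.franchise == record.franchise
    if session.role == "applicant":
        return session.account == record.owner_account
    return False  # unknown roles get nothing (default deny)


def get_applicant_hardened(session: Session, applicant_id: int) -> Applicant:
    """Hardened lookup: fetch, then check the caller against the record.
    Missing and forbidden records produce the same NotFound so that error
    responses cannot be used as an oracle to enumerate valid IDs."""
    record = APPLICANTS.get(applicant_id)
    if record is None or not is_authorized(session, record):
        raise NotFound(applicant_id)
    return record


def readable_ids(session: Session,
                 handler: Callable[[Session, int], Applicant]) -> List[int]:
    """Report which record IDs a given session can read through a handler.
    Used here to show the difference between the two handlers."""
    visible = []
    for applicant_id in sorted(APPLICANTS):
        try:
            handler(session, applicant_id)
            visible.append(applicant_id)
        except NotFound:
            pass
    return visible


if __name__ == "__main__":
    alice = Session("acct-alice", "applicant")
    recruiter = Session("acct-rec", "franchise_recruiter", franchise="store-42")
    print("vulnerable, applicant:", readable_ids(alice, get_applicant_vulnerable))
    print("hardened,   applicant:", readable_ids(alice, get_applicant_hardened))
    print("hardened,   recruiter:", readable_ids(recruiter, get_applicant_hardened))
```

The fix is the per-record check in `get_applicant_hardened`, not input validation: the parameter value in an IDOR request is usually perfectly well-formed, so the defence is to bind every lookup to what the authenticated principal owns or administers. Returning the same error for missing and forbidden records is a deliberate choice so that response differences do not leak which IDs exist.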
The exposed data, affecting 64 million applicants, poses significant risks, particularly for phishing and social engineering attacks. Cybercriminals could exploit the data to impersonate McDonald’s recruiters, targeting job seekers with fraudulent schemes like payroll scams. While Social Security numbers were not compromised, the breach included resumes, shift preferences, and personality test results, which could fuel highly targeted attacks. The incident underscores the dangers of weak security in AI-driven systems and the potential for third-party vulnerabilities to compromise large-scale operations.
McDonald’s and Paradox.ai acted swiftly after the researchers’ disclosure on June 30, 2025, resolving the vulnerabilities by July 1. The default credentials were disabled, and the API flaw was patched. Paradox.ai acknowledged the issue, noting the compromised test account was a dormant 2019 relic that should have been decommissioned. They also announced plans for a bug bounty program to prevent future issues. McDonald’s expressed disappointment in Paradox.ai, emphasizing their commitment to cybersecurity and ongoing vendor accountability. There’s no evidence that malicious actors exploited the flaw before it was fixed.
The McDonald’s breach serves as a stark reminder of the risks associated with deploying AI technologies without robust security measures. The use of a weak password like “123456” and failure to implement multi-factor authentication (MFA) highlight basic oversights that can undermine even advanced systems. Organizations must prioritize vendor audits, enforce strong password policies, and conduct regular security reviews to protect sensitive data. This incident, combined with McDonald’s previous breaches in 2021 and alleged incidents in 2022 and 2024, underscores the need for continuous vigilance in an increasingly digital landscape.
SOURCE: https://cybersecuritynews.com/mcdonalds-ai-hiring-bot-leaks