McDonalds serves up super size AI botch with a ‘McHire’ platform that allowed admin access to 64 million candidate chats with the username and password ‘123456’
Like many large corporations McDonalds now uses an AI hiring platform, McHire.com, to screen candidates for jobs. The process involves a chatbot called Olivia, built by AI firm Paradox.ai, which takes personal information from applicants, points them towards a personality test, and answers basic questions about the company (though sometimes it’s really bad at this).
Two security researchers, Ian Carroll and Sam Curry, have now revealed that until last week this platform suffered from some almost unbelievable security flaws (first reported on by Wired). Had these exploits been discovered by bad actors, they could have accessed the content of every chat Olivia ever had with McDonald’s applicants, including personal information.
Carroll and Curry found a range of serious and in some cases laughably simplistic security lapses on the backend of McHire.com, which is used by many though not all the company’s franchisees,. The pair managed to access a paradox.ai account and the databases containing every applicant’s chat logs, and the method really is mind-blowing: This ‘hack’ involved logging into an administrator account where the username and password were both “123456”.
The data that could have been accessed through this includes 64 million records, among which are names, email addresses, and phone numbers.
“I just thought [McHire] was pretty uniquely dystopian compared to a normal hiring process, right? And that’s what made me want to look into it more,” says Carroll, explaining why they decided to investigate the site.”So I started applying for a job, and then after 30 minutes, we had full access to virtually every application that’s ever been made to McDonald’s going back years.”
After poking around with the chatbot itself, the researchers decided to try signing up as a franchisee, which is when they found a login link for Paradox.ai staff to access the site. Carroll tried two of the most common sets of login credentials: username and password “admin” and username and password “123456.” The second was the bingo.
This gave Carroll and Curry administrator access to a (nonexistent) McDonald’s test restaurant, from where they applied for a test job posting, viewed it, and then discovered the next vulnerability. Changing the applicant ID on their existing application let them see other chat logs and the information therein. They accessed seven accounts total, five of which contained personal information.
To be clear: no applicant data has been hacked or leaked, this particular vulnerability has now been fixed on the McHire platform, and Carroll and Curry should take a well-deserved bow (and get free Big Macs for life). But it just goes to show the incredibly dumb back doors that can exist in systems handling sensitive personal data, and how easily bad actors can exploit them.
A spokesperson for Paradox.ai confirmed the security researchers’ findings, adding that the “123456” account was not accessed by anyone else. “We do not take this matter lightly, even though it was resolved swiftly and effectively,” said Paradox.ai’s chief legal officer, Stephanie King. “We own this.”
Erm… yeah? McDonalds naturally took the easy way out and blamed Paradox.ai for the “unacceptable vulnerability,” emphasising that the issue “was resolved on the same day it was reported to us.”
Best gaming rigs 2025