
McHire, McDonald’s hiring chatbot platform, was protected by a default “123456” password, allowing researchers to access the admin side and the chat history of everyone who has ever applied for a job at McDonald’s through it.
There’s a reason the infosec community relentlessly preaches about password security. Case in point: McHire. Security researchers Ian Carroll and Sam Curry recently published a blog post explaining how they accessed the fast food chain’s hiring platform chatbot with inexcusable ease.
“During a cursory security review of a few hours, we identified two serious issues: the McHire administration interface for restaurant owners accepted the default credentials 123456:123456, and an insecure direct object reference (IDOR) on an internal API allowed us to access any contacts and chats we wanted,” the researchers explained.
The pair focused their attention on McDonald’s AI hiring chatbot “Olivia” after reading Reddit comments reporting that the chatbot gave users nonsensical answers. While trying to apply for a job at a local McDonald’s via the platform, Carroll and Curry noticed McHire’s admin website for restaurant owners.
Unexpectedly, after entering “123456” as both the username and the password, the researchers were able to access a test area set up by Paradox.ai, the creators of McHire’s AI chatbot.
“It turned out we had become the administrator of a test restaurant inside the McHire system. We could see all of the employees of the restaurant were simply employees of Paradox.ai, the company behind McHire,” researchers said.
While inside the test restaurant, Carroll and Curry looked into the chatbot’s application programming interface (API) and noticed that each applicant had a numeric ID. Requesting other ID numbers returned previous applicants’ data, including personally identifiable information (PII). Based on the ID numbers, the duo deduced the platform held over 64 million applications.
In theory they could have accessed all applicants’ data, such as:
- Name, email address, phone number, address
- Candidacy state and every state change/form input the candidate had submitted (shifts they could work, etc)
- Auth token to log into the consumer UI as that user, leaking their raw chat messages and presumably other information
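The IDOR the article describes is an authorization bug, not an authentication one: the caller is logged in, but the API never checks that the requested record belongs to the caller's restaurant. The following is an added example (not Paradox.ai's or McHire's code) with a constructed in-memory data set and hypothetical function names, showing a vulnerable lookup beside one that enforces object-level authorization, plus an access-control test that counts how many records a single restaurant admin can reach by walking the ID space.

```python
from dataclasses import dataclass

# Constructed sample data: each applicant belongs to one restaurant (tenant).
APPLICANTS = {
    1001: {"restaurant": "test-restaurant", "name": "Applicant A", "email": "a@example.com"},
    1002: {"restaurant": "store-42", "name": "Applicant B", "email": "b@example.com"},
    1003: {"restaurant": "store-42", "name": "Applicant C", "email": "c@example.com"},
}


@dataclass
class Session:
    """Hypothetical authenticated session: who is calling and which tenant they administer."""
    user: str
    restaurant: str


class Forbidden(Exception):
    pass


def get_applicant_vulnerable(session: Session, applicant_id: int) -> dict:
    """Vulnerable pattern: the caller is authenticated, but the record is returned
    without checking that it belongs to the caller's restaurant. Any admin can read
    every applicant simply by changing the ID in the request."""
    return APPLICANTS[applicant_id]


def get_applicant_hardened(session: Session, applicant_id: int) -> dict:
    """Hardened pattern: object-level authorization on every lookup. Unknown IDs and
    other tenants' IDs produce the same error, so the response does not reveal whether
    an ID exists outside the caller's scope."""
    record = APPLICANTS.get(applicant_id)
    if record is None or record["restaurant"] != session.restaurant:
        raise Forbidden(f"applicant {applicant_id} is not accessible to {session.user}")
    return record


def count_readable(fetch, session: Session, id_range: range) -> int:
    """Access-control test: how many records can this one session read by walking
    the ID space? A correctly scoped API returns only the caller's own tenant."""
    readable = 0
    for applicant_id in id_range:
        try:
            fetch(session, applicant_id)
            readable += 1
        except (Forbidden, KeyError):
            pass
    return readable
```

With the constructed data, the test-restaurant admin can read all three records through the vulnerable lookup but only its own record through the hardened one.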
The researchers disclosed the issue to Paradox.ai, which fixed the problem the next day.