Incident 1179: McDonald's McHire AI Recruitment Platform Reportedly Exposed Data of 64 Million Applicants via Default Login and API Vulnerability

Description: Researchers Ian Carroll and Sam Curry reported that McDonald's AI-powered hiring tool, McHire (using Paradox.ai's "Olivia" chatbot), could purportedly be accessed via default admin credentials and an insecure direct object reference in an internal API. The flaws allegedly allowed viewing of applicants' personally identifiable information and chat histories. McDonald's and Paradox reportedly patched the issues within a day of disclosure; Paradox stated only five records were accessed.

Editor Notes: The following URL leads to the Reddit thread that ultimately led to the reported discovery: https://www.reddit.com/r/mildlyinfuriating/comments/1lo9s75/mcdonalds_hiring_ai_is_making_me_go_insane/.

Tools

New Report New Response DiscoverView History

Entities

View all entities

Alleged: McDonald's , Paradox.ai , McHire and Paradox.ai's Olivia chatbot developed and deployed an AI system, which harmed McDonald's applicants.

Alleged implicated AI systems: McHire and Paradox.ai's Olivia chatbot

Incident Stats

Incident ID

1179

Report Count

Incident Date

2025-06-30

Editors

Daniel Atherton

Applied Taxonomies

MIT

MIT Taxonomy Classifications

Machine-Classified

Taxonomy Details

Risk Subdomain

2.1. Compromise of privacy by obtaining, leaking or correctly inferring sensitive information

Risk Domain

Privacy & Security

Entity

Human

Timing

Post-deployment

Intent

Unintentional

Incident Reports

Reports Timeline

McDonald’s AI hiring tool’s password ‘123456’ exposed data of 64M applicants

csoonline.com

McDonald’s AI Recruiter Data Breach Exposes 64 Million Job Applicant Records

gotrust.nl

csoonline.com · 2025

A security oversight in McDonald's AI-powered hiring platform "McHire" was found exposing sensitive applicant data belonging to as many as 64 million job seekers.

Discovered in late June 2025 by security researchers Ian Carroll and Sam Curr…

gotrust.nl · 2025

McDonald's is facing strong backlash after a shocking security lapse exposed sensitive data of nearly 64 million job applicants. The leak occurred because of a default admin password: "123456".

McDonald's is facing strong backlash after a s…

Variants

A "variant" is an AI incident similar to a known case—it has the same causes, harms, and AI system. Instead of listing it separately, we group it under the first reported incident. Unlike other incidents, variants do not need to have been reported outside the AIID. Learn more from the research paper.

Seen something similar?

Similar Incidents

By textual similarity

Did our AI mess up? Flag the unrelated incidents

Bug in Facebook’s Anti-Spam Filter Allegedly Blocked Legitimate Posts about COVID-19

Similar Incidents

By textual similarity

Did our AI mess up? Flag the unrelated incidents

Incident 1179: McDonald's McHire AI Recruitment Platform Reportedly Exposed Data of 64 Million Applicants via Default Login and API Vulnerability

Tools

Entities

Incident Stats

MIT Taxonomy Classifications

Incident Reports

Reports Timeline

McDonald’s AI hiring tool’s password ‘123456’ exposed data of 64M applicants

McDonald’s AI Recruiter Data Breach Exposes 64 Million Job Applicant Records

McDonald’s AI hiring tool’s password ‘123456’ exposed data of 64M applicants

McDonald’s AI Recruiter Data Breach Exposes 64 Million Job Applicant Records

Variants

Similar Incidents

By textual similarity

Bug in Facebook’s Anti-Spam Filter Allegedly Blocked Legitimate Posts about COVID-19

Images of Black People Labeled as Gorillas

YouTube's AI Mistakenly Banned Chess Channel over Chess Language Misinterpretation

Similar Incidents

By textual similarity

Bug in Facebook’s Anti-Spam Filter Allegedly Blocked Legitimate Posts about COVID-19

Images of Black People Labeled as Gorillas

YouTube's AI Mistakenly Banned Chess Channel over Chess Language Misinterpretation