Incident 1179: McDonald's McHire AI Recruitment Platform Reportedly Exposed Data of 64 Million Applicants via Default Login and API Vulnerability

Description: Researchers Ian Carroll and Sam Curry reported that McDonald's AI-powered hiring tool, McHire (using Paradox.ai's "Olivia" chatbot), could purportedly be accessed via default admin credentials and an insecure direct object reference in an internal API. The flaws allegedly allowed viewing of applicants' personally identifiable information and chat histories. McDonald's and Paradox reportedly patched the issues within a day of disclosure; Paradox stated only five records were accessed.
Editor Notes: The following URL leads to the Reddit thread that ultimately led to the reported discovery: https://www.reddit.com/r/mildlyinfuriating/comments/1lo9s75/mcdonalds_hiring_ai_is_making_me_go_insane/.

Tools

New ReportNew ReportNew ResponseNew ResponseDiscoverDiscoverView HistoryView History

Entities

View all entities
Alleged: McDonald's , Paradox.ai , McHire and Paradox.ai's Olivia chatbot developed and deployed an AI system, which harmed McDonald's applicants.
Alleged implicated AI systems: McHire and Paradox.ai's Olivia chatbot

Incident Stats

Incident ID
1179
Report Count
2
Incident Date
2025-06-30
Editors
Daniel Atherton
Loading...
McDonald’s AI hiring tool’s password ‘123456’ exposed data of 64M applicants
csoonline.com · 2025

A security oversight in McDonald's AI-powered hiring platform "McHire" was found exposing sensitive applicant data belonging to as many as 64 million job seekers.

Discovered in late June 2025 by security researchers Ian Carroll and Sam Curr…

Loading...
McDonald’s AI Recruiter Data Breach Exposes 64 Million Job Applicant Records
gotrust.nl · 2025

McDonald's is facing strong backlash after a shocking security lapse exposed sensitive data of nearly 64 million job applicants. The leak occurred because of a default admin password: "123456".

McDonald's is facing strong backlash after a s…

Variants

A "variant" is an AI incident similar to a known case—it has the same causes, harms, and AI system. Instead of listing it separately, we group it under the first reported incident. Unlike other incidents, variants do not need to have been reported outside the AIID. Learn more from the research paper.
Seen something similar?

Similar Incidents

By textual similarity

Did our AI mess up? Flag the unrelated incidents

Loading...
Bug in Facebook’s Anti-Spam Filter Allegedly Blocked Legitimate Posts about COVID-19

Bug in Facebook’s Anti-Spam Filter Allegedly Blocked Legitimate Posts about COVID-19

· 1 report
Loading...
Images of Black People Labeled as Gorillas

Images of Black People Labeled as Gorillas

· 24 reports
Loading...
YouTube's AI Mistakenly Banned Chess Channel over Chess Language Misinterpretation

YouTube's AI Mistakenly Banned Chess Channel over Chess Language Misinterpretation

· 6 reports
Previous Incident