McDonald's is facing strong backlash after a shocking security lapse exposed sensitive data of nearly 64 million job applicants. The leak occurred because of a default admin password: "123456".
Security researchers Ian Carroll and Sam Curry discovered the breach in late June 2025. They were reviewing McHire, McDonald's AI-powered hiring platform. McHire uses a chatbot called Olivia to screen candidates and gather details like names, emails, phone numbers, shift choices, and even personality test results.
The researchers noticed that the admin login page had an option labelled "Paradox team members," which refers to Olivia's maker, Paradox.ai. When they typed "123456" as both username and password, they gained immediate access. This was not just a test environment, but a live dashboard showing real applicant data.
Once inside, they found a flaw known as an insecure direct object reference (IDOR) in the platform's internal API. The bug let them change ID numbers in requests to retrieve other records, because the API never checked whether the caller was entitled to the record it returned. They could view full applicant profiles, chat logs, and even tokens used for impersonating candidates. The amount and sensitivity of this data caused serious concerns about possible phishing, impersonation, and social engineering attacks.
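The authorization check that the IDOR described above was missing, shown as an added illustration rather than code from McHire or Paradox.ai: a lookup that only checks that the caller is logged in, beside one that also checks that the record belongs to the caller's account, plus a small detector for the sequential-ID probing pattern this class of bug invites. Record fields, account IDs and log entries are constructed for the example.

```python
# Added example (not McHire/Paradox.ai code). All records and IDs are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Applicant:
    applicant_id: int
    employer_id: int   # assumed field: the account that owns this record
    name: str
    email: str

# Sequential IDs make neighbouring records trivial to guess once one ID is known.
APPLICANTS = {
    1001: Applicant(1001, employer_id=7, name="A. Example", email="a@example.invalid"),
    1002: Applicant(1002, employer_id=9, name="B. Example", email="b@example.invalid"),
}

def get_applicant_vulnerable(requester_employer_id: int, applicant_id: int) -> Optional[Applicant]:
    """IDOR: authentication happened upstream, but any account can read any ID."""
    return APPLICANTS.get(applicant_id)

def get_applicant_secure(requester_employer_id: int, applicant_id: int) -> Optional[Applicant]:
    """Object-level authorization: the record must belong to the requesting account.
    'Missing' and 'not yours' both return None so the response does not reveal
    which IDs exist."""
    record = APPLICANTS.get(applicant_id)
    if record is None or record.employer_id != requester_employer_id:
        return None
    return record

def flag_enumeration(access_log, threshold: int = 3) -> set:
    """Detection: accounts whose denied lookups span at least `threshold` distinct IDs.
    access_log entries are constructed tuples (employer_id, applicant_id, allowed)."""
    denied_ids = {}
    for employer_id, applicant_id, allowed in access_log:
        if not allowed:
            denied_ids.setdefault(employer_id, set()).add(applicant_id)
    return {e for e, ids in denied_ids.items() if len(ids) >= threshold}
```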
McDonald's and Paradox.ai acted fast after the problem was reported on June 30. By July 1, they had disabled the default login credentials and fixed the vulnerable endpoint. Paradox.ai also said it would carry out further security checks and clarified that only five candidate records were viewed, and only by the researchers. No data was leaked publicly.
Experts say this incident highlights a growing problem. Companies rush to use AI tools without taking enough cybersecurity measures. "Even sophisticated AI systems can be compromised by elementary oversights," said Aditi Gupta of Black Duck Consulting. The breach also shows the risks of using third-party platforms, especially in franchise models where security standards can vary widely.
With AI now playing a big role in hiring, this case serves as a wake-up call for organisations to treat recruitment platforms with the same level of security as core business systems.