In a shocking display of password security that would make even the most casual internet user cringe, McDonald’s AI hiring platform was found to have used “123456” for both its username and password. The vulnerability, discovered by researchers Ian Carroll and Sam Curry, exposed a staggering 64 million job applicant records in the McHire system, powered by Paradox.ai’s Olivia chatbot.
Let that sink in. Sixty-four million people. One laughably weak password. Your Netflix account probably has better protection.
A password so weak it makes your grandma’s “password123” look like Fort Knox.
The researchers demonstrated they could easily access admin controls and applicant data through a public-facing login page. Names, email addresses, phone numbers, resumes, chat logs—all potentially available to anyone who could guess the digital equivalent of leaving your house key under the doormat.
McDonald’s, true to corporate form, quickly distanced itself from the mess. Not our systems, they said. Just a third-party vendor. Paradox.ai, meanwhile, promptly patched the vulnerability after being notified and launched a bug bounty program to find any other security holes in their Swiss cheese infrastructure.
The good news? No evidence suggests anyone besides the researchers accessed the data before they reported it. The bad news? This exposure spanned years of collected data, creating a potential gold mine for identity theft and wire fraud. This incident highlights why MSPs need AI-powered security to detect unusual patterns that could indicate data breaches before they escalate.
Experts didn’t hold back criticism of both companies. Entrusting sensitive personal information to external systems without proper security vetting? Rookie mistake. Automating HR functions without robust cybersecurity? Disaster waiting to happen. The researchers gained full access to historical applications after just 30 minutes of investigation.
The incident serves as a stark reminder of supply chain vulnerabilities. When McDonald’s relies on Paradox.ai, which apparently relies on password security from 1995, everybody loses. The exposure included job candidates’ personality test results that were part of the McHire application process.
Paradox.ai has accepted responsibility for the security lapse and is working with McDonald’s to strengthen protections. The absence of multi-factor authentication made the situation worse—practically inviting unauthorized access.
In the end, it’s a cautionary tale. Your personal data is only as secure as the weakest password in the chain. And sometimes, that’s really, really weak.
References
- https://www.pcgamer.com/software/ai/mcdonalds-serves-up-super-size-ai-botch-with-a-mchire-platform-that-allowed-admin-access-to-64-million-candidate-chats-with-the-username-and-password-123456/
- https://www.techradar.com/pro/security/mcdonalds-ai-recruiting-platform-had-a-really-embarrassing-security-flaw-which-left-millions-of-users-open-to-attack
- https://www.techrepublic.com/article/news-mcdonalds-applicants-ai-hiring-tool-security-vulnerability/
- https://ian.sh/mcdonalds
- https://www.malwarebytes.com/blog/news/2025/07/mcdonalds-ai-bot-spills-data-on-job-applicants