Tuesday, July 22, 2025

McDonald’s AI Hiring Tool Exposed Data of 64 Million Applicants via Default “123456” Password


In late June 2025, security researchers Ian Carroll and Sam Curry uncovered a shocking flaw in McDonald’s AI hiring platform McHire, powered by Paradox.ai. They discovered an admin login that still accepted the default credentials (username: 123456, password: 123456), granting them full backend access to chat logs from approximately 64 million job applicants.

Extent of Exposed Data

Once inside the admin console, the researchers also exploited an Insecure Direct Object Reference (IDOR) vulnerability: the backend returned records for any applicant ID supplied, so they could step through IDs and view full chat transcripts. The exposed data included:

  • Names, email addresses, phone numbers
  • Chat histories with the AI interviewer “Olivia”
  • Application metadata like shift preferences
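The two weaknesses described above (an IDOR on the transcript lookup, and a default admin credential) each map to a small server-side check. The following Python is an added example written for this article, not McHire or Paradox.ai code; the accounts, applicant IDs, transcript lines and helper names are all constructed for illustration. It shows a lookup that trusts the caller-supplied ID beside one that enforces object-level authorization, plus a guard that rejects well-known default passwords when an account is provisioned.

```python
"""Added example: object-level authorization for a record lookup (closes the
IDOR pattern) and a default-credential guard. All data below is constructed."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample store: applicant_id -> (owning account, transcript lines)
TRANSCRIPTS: dict[int, tuple[str, list[str]]] = {
    1001: ("alice@example.com", ["Olivia: Which shifts can you work?", "Applicant: weekends"]),
    1002: ("bob@example.com", ["Olivia: Do you have a work permit?", "Applicant: yes"]),
}

# Passwords that should never be accepted for any account (constructed, short list)
COMMON_DEFAULTS = {"123456", "password", "admin", "changeme", "welcome1"}


class AuthorizationError(Exception):
    """Raised for missing records and for records the caller may not read."""


@dataclass
class Session:
    principal: str  # account the caller authenticated as (hypothetical field)
    role: str       # "applicant" or "admin"


def get_transcript_vulnerable(applicant_id: int) -> list[str]:
    """IDOR pattern: the only input is the caller-supplied ID, so any
    authenticated user can read any applicant's transcript by changing it."""
    return TRANSCRIPTS[applicant_id][1]


def get_transcript(session: Session, applicant_id: int) -> list[str]:
    """Hardened lookup: the record is released only to its owner or an admin.
    Missing and forbidden records raise the same error so the endpoint does
    not act as an ID-existence oracle."""
    record = TRANSCRIPTS.get(applicant_id)
    if record is None:
        raise AuthorizationError("not found")
    owner, lines = record
    if session.role != "admin" and session.principal != owner:
        raise AuthorizationError("not found")
    return lines


def can_read(session: Session, applicant_id: int) -> bool:
    """Convenience wrapper: True if the hardened lookup would release the record."""
    try:
        get_transcript(session, applicant_id)
        return True
    except AuthorizationError:
        return False


def validate_new_credentials(username: str, password: str) -> list[str]:
    """Return the reasons a proposed credential pair must be rejected.
    An empty list means the pair passes the checks."""
    problems = []
    if password.lower() in COMMON_DEFAULTS:
        problems.append("password is a well-known default")
    if password == username:
        problems.append("password equals username")
    if len(password) < 12:
        problems.append("password shorter than 12 characters")
    return problems


if __name__ == "__main__":
    alice = Session("alice@example.com", "applicant")
    print(get_transcript_vulnerable(1002))          # vulnerable: Alice reads Bob's record
    print(can_read(alice, 1001), can_read(alice, 1002))  # hardened: True False
    print(validate_new_credentials("123456", "123456"))
```

The hardened lookup takes the caller's identity from the server-side session, never from the request, and the authorization decision lives next to the data access rather than in the UI. The credential guard is the kind of check that belongs in the provisioning path and in a periodic audit of existing accounts, so a vendor-shipped default cannot survive into production.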

Response & Fixes

  • The vulnerability was found on June 30, reported immediately, and both McDonald’s and Paradox.ai patched it within hours—disabling the default account and securing API access.
  • Paradox.ai confirmed that only the researchers accessed five chat records; no malicious third-party access was detected.
  • The company has since started a bug bounty program and pledged to strengthen its security protocols.

Why It Matters

  • Massive scope: Personal data of millions—reviewable without consent—raises serious privacy and legal concerns under data protection laws.
  • Tech accountability: Highlights that even advanced AI systems can be compromised by elementary mistakes like leaving default logins in place.
  • Phishing risk: Exposed data could be exploited for targeted scams or identity theft, especially using personalized context from interview chat logs.

Broader Implications

Cybersecurity analysts stress that AI-based HR platforms must meet the same rigorous security standards as other sensitive data systems—authentication, API protection, and access control are non-negotiable. This incident mirrors similar data exposures like Azure Blob misconfigurations seen in other hiring platforms.


What Happens Next

  • Paradox.ai: conducting deeper audits and expanding bug bounty defenses.
  • McDonald’s: reviewing vendor practices and enforcing stricter security requirements.
  • Applicants: advised to monitor for phishing attempts and safeguard personal information.
  • Industry: this serves as a wake-up call—AI-powered automation must not overlook basic security hygiene, especially when handling sensitive data.
