Security flaw in McDonald’s AI recruitment system exposes data of millions of applicants

Posted date 19/08/2025

In June 2025, security researchers discovered a serious vulnerability in McHire, McDonald’s recruitment platform powered by the Olivia AI chatbot developed by Paradox.ai. The administration interface of a test environment was protected only by the default credentials “123456”: a basic flaw in which a test account had been left active with a weak password and without additional controls such as multi-factor authentication.

This flaw, combined with a second technical vulnerability (an IDOR, insecure direct object reference), allowed access to records from up to 64 million job applications, including personal information such as names, email addresses, phone numbers and virtual-interview transcripts. The breach affected applicants in several countries, widening the scope of the incident.
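The two missing controls described above, shown as an added illustration that is not code from McHire or Paradox.ai: an admin login that refuses known default passwords and requires a second factor, and a record lookup that authorises the caller before returning an application, next to the authentication-only version that an IDOR bug amounts to. All accounts, passwords and records are constructed for the example.

```python
import hmac
from dataclasses import dataclass

# Constructed blocklist of default passwords (illustrative, not a real product list).
DEFAULT_PASSWORDS = {"123456", "password", "admin"}
# Constructed accounts (plaintext only for brevity; real systems store salted hashes).
USERS = {
    "test_admin": {"password": "123456", "role": "admin"},  # stale test account
    "ops_admin": {"password": "w8Xq-long-random-admin-pass", "role": "admin"},
    "alice": {"password": "alice-own-strong-pass", "role": "applicant"},
}
# Constructed applications with sequential ids, the predictable identifiers an
# IDOR flaw lets any authenticated user walk through.
APPLICATIONS = {
    1001: {"owner": "alice", "transcript": "constructed interview transcript A"},
    1002: {"owner": "bob", "transcript": "constructed interview transcript B"},
}

@dataclass(frozen=True)
class Principal:
    username: str
    role: str  # "applicant" or "admin"

class AuthError(Exception):
    pass

def login(username, password, mfa_ok):
    """Issue a session only if the password is not a known default and, for admins, MFA passed."""
    account = USERS.get(username)
    if account is None or not hmac.compare_digest(account["password"], password):
        raise AuthError("bad credentials")
    if password in DEFAULT_PASSWORDS:
        raise AuthError("default password must be rotated before use")
    if account["role"] == "admin" and not mfa_ok:
        raise AuthError("admin login requires a second factor")
    return Principal(username, account["role"])

def get_application_vulnerable(principal, app_id):
    # Authentication only, no authorisation: any logged-in user reads any id (IDOR).
    return APPLICATIONS[app_id]

def get_application(principal, app_id):
    """Hardened lookup: the record must belong to the caller unless the caller is an admin."""
    record = APPLICATIONS.get(app_id)
    if record is None or (principal.role != "admin" and record["owner"] != principal.username):
        raise AuthError("not found")  # one error for missing and foreign ids, so ids cannot be probed
    return record

def rejected(fn, *args):
    """True when the call is refused by one of the controls above."""
    try:
        fn(*args)
    except AuthError:
        return True
    return False
```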

Paradox.ai disabled the vulnerable account on the same day it was notified and announced a bug bounty program. McDonald’s described the incident as “unacceptable” and said it would strengthen its security requirements for providers. The case illustrates how a basic configuration oversight can trigger a massive data breach, even in environments built on advanced technologies such as artificial intelligence.