McDonald’s AI Hiring Bot With Password ‘123456’ Leaks Millions of Job-Seekers Data

A severe security vulnerability in McDonald’s AI-powered hiring system exposed the personal information of as many as 64 million job applicants to unauthorized access. 

Key Takeaways
1. McDonald's AI hiring bot exposed the personal data of up to 64 million job applicants; the staff login that guarded it accepted "123456" as both username and password.
2. Researchers got into the system in about 30 minutes by guessing a default password and then changing applicant ID numbers in requests to read other people's records.
3. Names, emails, phone numbers, and chat logs were accessible, enabling potential phishing and fraud schemes.
4. Both companies acknowledged the breach, fixed it same day, and Paradox.ai launched a bug bounty program.

Security researchers Ian Carroll and Sam Curry discovered that the McHire platform, built by the artificial-intelligence software firm Paradox.ai, suffered from elementary security flaws: a staff login accepted the username “123456” with the password “123456”, and from there applicant records could be read by anyone who held that login. 

The breach highlights critical cybersecurity failures in AI-driven recruitment systems and raises serious concerns about data protection in automated hiring processes.

AI Hiring Bot Leaks Applicant Data

McDonald’s McHire platform relies on an AI chatbot named “Olivia” to streamline the recruitment process for franchise locations. 

This automated system conducts initial applicant screenings, collects contact information and résumés, and directs candidates through personality assessments. 

The chatbot utilizes natural language processing algorithms to interact with job seekers, though many applicants have reported frustrating experiences with the AI’s inability to understand basic queries correctly.

The platform represents a significant shift toward AI-driven human resources management, where machine learning algorithms replace traditional human recruiters in the initial stages of hiring. 

However, this technological advancement came with severe security vulnerabilities that exposed sensitive applicant data. 

The system’s backend infrastructure, developed by Paradox.ai, stored comprehensive chat logs and personal information from millions of interactions between job seekers and the AI chatbot.

Exposed interactions between a job applicant and “Olivia”

The security researchers identified multiple critical vulnerabilities through systematic penetration testing of the McHire platform. 

Their investigation began with attempts to find prompt injection vulnerabilities, a technique in which attacker-controlled text is crafted so that the large language model treats it as instructions and ignores its safeguards. 

When these attacks proved unsuccessful, they pivoted to examining the platform’s authentication mechanisms.

The breakthrough came when Carroll found a login link for Paradox.ai staff on McHire.com and tried a handful of common default credentials. 

The username “123456” with the password “123456” logged them straight into an administrator account; no dictionary attack or tooling was needed. 

The account had no multi-factor authentication, a basic control that would have stopped a guessed password from being enough on its own.
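The three failures described above (a guessable default password, no MFA, and an account nobody was using) are the kind of thing an identity-provider export can be checked for mechanically. The following is an added example of such an audit, not code from Paradox.ai or McDonald's; the record fields, the blocklist, the 180-day dormancy threshold and the sample accounts are assumptions constructed for illustration.

```python
# Added example: audit staff-account records for default passwords, missing
# MFA and dormancy. Not Paradox.ai or McDonald's code; fields, thresholds and
# sample accounts are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta

# Stand-in for a breached-password blocklist. A real check consults a full
# corpus (e.g. the Have I Been Pwned list), not this handful.
COMMON_PASSWORDS = {"123456", "12345678", "password", "admin", "qwerty", "welcome1"}
DORMANT_AFTER = timedelta(days=180)   # assumption: 180 days without a login is dormant
MIN_LENGTH = 12                       # assumption: minimum acceptable password length
AUDIT_DATE = date(2025, 6, 30)        # constructed "today" for the sample run


@dataclass(frozen=True)
class Account:
    username: str
    password: str       # plaintext only so the policy checks can be shown; store hashes in practice
    mfa_enabled: bool
    last_login: date
    role: str           # "admin" or "staff"


def audit_account(acct: Account, today: date) -> list[str]:
    """Return the control failures for one account; an empty list means clean."""
    findings = []
    pw = acct.password.lower()
    if pw in COMMON_PASSWORDS:
        findings.append("common-password")
    if pw == acct.username.lower():
        findings.append("password-equals-username")
    if len(acct.password) < MIN_LENGTH:
        findings.append("short-password")
    if not acct.mfa_enabled:
        findings.append("no-mfa")
    if today - acct.last_login > DORMANT_AFTER:
        findings.append("dormant")
    # A privileged account that is both unused and unprotected is the worst
    # case: nobody is watching it, and one guess is enough to take it over.
    if acct.role == "admin" and "dormant" in findings and "no-mfa" in findings:
        findings.append("unattended-admin")
    return findings


def audit(accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Map each failing username to its findings; clean accounts are omitted."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, today)
        if findings:
            report[acct.username] = findings
    return report


# Constructed sample records (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("123456", "123456", mfa_enabled=False, last_login=date(2019, 11, 4), role="admin"),
    Account("jsmith", "Correct-Horse-Battery-9", mfa_enabled=True, last_login=date(2025, 6, 28), role="staff"),
]

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(user, ", ".join(findings))
```

Run against the constructed records, the stale admin account trips every check while the staff account is clean. The "unattended-admin" finding is the one to page on: a dormant privileged login with no MFA is exactly the account that should have been decommissioned rather than left for someone to guess.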

Once inside, the researchers found an Insecure Direct Object Reference (IDOR) flaw in the applicant lookup: the backend selected a record by a numeric applicant ID supplied in the request and never checked whether the logged-in user was entitled to see it. 

Applicant IDs were sequential numbers in the 64-million range, so by simply changing the ID they could step through other applicants’ records one after another. 

Any holder of a staff login could therefore read any applicant’s name, email address, phone number, and chat history, across records spanning several years.
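To make the IDOR pattern concrete, here is an added example (not McHire or Paradox.ai code) of a vulnerable applicant lookup beside a hardened one, together with the sequential-ID walk a tester uses to tell them apart. The record shape, the `Session` object with its `restaurant_id` tenant field, the `NotFound` exception and the applicant IDs are all constructed for illustration; the only thing taken from the write-up is the pattern itself: a numeric ID in the request selects the record, and nothing checks who is asking.

```python
# Added example: IDOR in an applicant lookup, vulnerable vs hardened, plus the
# ID-walking probe. Not McHire or Paradox.ai code; all names and data are
# constructed assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    restaurant_id: int   # the tenant (restaurant) this staff login belongs to


class NotFound(Exception):
    """Raised for a missing record, and by the hardened lookup for a foreign one."""


# Constructed applicant store keyed by a sequential numeric applicant ID.
APPLICANTS = {
    64_000_001: {"restaurant_id": 10, "name": "A. Applicant", "phone": "555-0101", "chat": ["Hi Olivia"]},
    64_000_002: {"restaurant_id": 11, "name": "B. Applicant", "phone": "555-0102", "chat": ["When can I start?"]},
    64_000_003: {"restaurant_id": 10, "name": "C. Applicant", "phone": "555-0103", "chat": ["Is this full time?"]},
}


def get_applicant_vulnerable(session: Session, applicant_id: int) -> dict:
    """Vulnerable: the ID alone selects the record; the caller's tenant is never consulted."""
    try:
        return APPLICANTS[applicant_id]
    except KeyError:
        raise NotFound(applicant_id) from None


def get_applicant_hardened(session: Session, applicant_id: int) -> dict:
    """Hardened: tenant ownership is part of the lookup, and a record that belongs
    to another restaurant is reported exactly like a missing one, so the endpoint
    cannot be used to confirm which IDs exist."""
    record = APPLICANTS.get(applicant_id)
    if record is None or record["restaurant_id"] != session.restaurant_id:
        raise NotFound(applicant_id)
    return record


def walk_ids(handler, session: Session, start: int, count: int, step: int = -1) -> list[int]:
    """Request `count` consecutive IDs from `start` (downwards by default) and
    return the ones that came back with data. This is the IDOR probe itself."""
    readable = []
    for i in range(count):
        applicant_id = start + i * step
        try:
            handler(session, applicant_id)
            readable.append(applicant_id)
        except NotFound:
            continue
    return readable


def foreign_records(handler, session: Session, start: int, count: int) -> list[int]:
    """IDs readable through `handler` that belong to a tenant other than the
    session's own. Any non-empty result is an IDOR finding."""
    return [i for i in walk_ids(handler, session, start, count)
            if APPLICANTS[i]["restaurant_id"] != session.restaurant_id]


if __name__ == "__main__":
    staff = Session("staff@restaurant10", restaurant_id=10)
    print("vulnerable leaks:", foreign_records(get_applicant_vulnerable, staff, 64_000_003, 3))
    print("hardened leaks:  ", foreign_records(get_applicant_hardened, staff, 64_000_003, 3))
```

With a restaurant-10 session, walking three IDs downwards through the vulnerable handler returns all three records, one of which belongs to restaurant 11; the hardened handler returns only the two that the session owns. Note that the fix is the ownership check in the query, not the ID format: switching to random IDs would slow enumeration but leave any leaked or guessed ID fully readable.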

McDonald’s and Paradox.ai Responded

The exposed dataset potentially contained personal information from 64 million applicants, though Paradox.ai claims only a fraction included sensitive data. 

The researchers accessed seven records during their investigation, with five containing personally identifiable information. 

This exposure created real risk for the people in the dataset: a fraudster who knows that someone applied to McDonald’s, and what they discussed with the chatbot, can convincingly impersonate a recruiter and harvest bank details under the pretext of setting up payroll.

Both McDonald’s and Paradox.ai acknowledged the severity of the breach, with McDonald’s expressing disappointment in their third-party provider’s security failures. 

Paradox.ai’s Chief Legal Officer, Stephanie King, confirmed the findings and announced the implementation of a bug bounty program to identify future vulnerabilities. 

The company said the compromised login was a test account that had not been used since 2019 and should have been decommissioned, which points to poor account hygiene in its development practices.


The post McDonald’s AI Hiring Bot With Password ‘123456’ Leaks Millions of Job-Seekers Data appeared first on Cyber Security News.