
Unauthorized Access Granted to Job Application Data of 64 Million McDonald's Aspirants Through Use of Password '123456'

Huge Scale Data Breach Revealed: Numerous Individuals Affected


A serious security flaw has been uncovered in McDonald's McHire recruitment platform, a service built around an AI-powered chatbot named Olivia and provided by the vendor Paradox.ai. The root cause was an extremely weak default password ("123456") still in place on an administrative login, which allowed independent security researchers to gain unauthorised access to sensitive personal information belonging to more than 64 million job applicants[1][3][4].

### The Breach Unveiled

The researchers, Sam Curry and Ian Carroll, logged into the McHire system with minimal effort using the password 123456. Once inside, they identified a flaw in an API endpoint that let them retrieve records of chat interactions from the affected client instance[1]. Those records included applicants' names, email addresses, phone numbers, home addresses, the state in which each candidate lived, and the authentication tokens applicants had used to access the site[3].

Moreover, the researchers could read every chat interaction that had ever taken place between applicants and the McHire AI bot[3]. They also held administrative access to a test restaurant inside the McHire system[1]. Notably, the test account's password had never been changed, even though stricter password standards had since been put in place[1].
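As an added illustration (not code from Paradox.ai, McDonald's or the researchers), the following Python models the two failure classes the article describes: an administrative account still carrying its provisioning default password with no second factor, and an API lookup that hands a record to any authenticated admin without checking that the caller's tenant owns it. Each weak routine is shown beside its hardened form. The account names, tenant identifiers, chat records and the list of default passwords are constructed sample data; the real McHire endpoint and its parameters are not described on the page and are not reproduced here.

```python
"""Hypothetical model of a recruitment admin API with the two weaknesses the
article describes, each beside a hardened version. Illustrative only; not the
vendor's code. All accounts, tenants and chat records below are constructed."""
from dataclasses import dataclass
import hashlib
import hmac
import secrets

# Constructed list of provisioning defaults an account must never keep.
DEFAULT_PASSWORDS = {"123456", "password", "admin"}


@dataclass
class Account:
    username: str
    tenant_id: str            # which restaurant/client instance the admin belongs to
    salt: bytes
    pw_hash: bytes
    password_changed: bool    # False while the provisioning default is still in use
    totp_enrolled: bool       # second factor enrolled?


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; iteration count is illustrative."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(username, tenant_id, password, *, changed=False, mfa=False) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, tenant_id, salt, hash_password(password, salt), changed, mfa)


# Constructed sample data: a test tenant and a production tenant.
ACCOUNTS = {
    "test-admin": make_account("test-admin", "store-test", "123456"),  # default never rotated
    "ops-admin": make_account("ops-admin", "store-4711", "c0rrect-h0rse-battery",
                              changed=True, mfa=True),
}
CHATS = {
    101: {"tenant_id": "store-test", "applicant": "Test Applicant", "email": "test@example.com"},
    102: {"tenant_id": "store-4711", "applicant": "A. Person", "email": "a.person@example.com"},
    103: {"tenant_id": "store-4711", "applicant": "B. Person", "email": "b.person@example.com"},
}


def login_weak(username: str, password: str):
    """Password-only login: a correct default password is enough to get in."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return None
    if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        return acct
    return None


def login_hardened(username: str, password: str, totp_ok: bool):
    """Same credential check, but unrotated defaults and missing MFA are hard failures."""
    acct = login_weak(username, password)
    if acct is None:
        return None
    if not acct.password_changed or password in DEFAULT_PASSWORDS:
        raise PermissionError("default credentials must be rotated before use")
    if not acct.totp_enrolled or not totp_ok:
        raise PermissionError("second factor required")
    return acct


def get_chat_weak(acct: Account, chat_id: int):
    """Vulnerable: any authenticated admin can read any record by its identifier."""
    return CHATS.get(chat_id)


def get_chat_hardened(acct: Account, chat_id: int):
    """Object-level authorisation: the record must belong to the caller's tenant."""
    rec = CHATS.get(chat_id)
    if rec is None or rec["tenant_id"] != acct.tenant_id:
        return None  # same answer as "not found", so foreign ids leak nothing
    return rec


if __name__ == "__main__":
    test_admin = login_weak("test-admin", "123456")
    print("weak lookup across tenants:", get_chat_weak(test_admin, 102))
    print("hardened lookup across tenants:", get_chat_hardened(test_admin, 102))
```

Two details matter in practice: the hardened lookup answers a foreign-tenant identifier exactly as it answers a non-existent one, so an attacker enumerating identifiers learns nothing from the difference, and the hardened login treats an unrotated default as a refusal rather than a warning, which is the control that would have denied the initial foothold regardless of what the API did afterwards.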

### Rapid Response and Resolution

Paradox.ai responded promptly once the researchers reported the issue, fixing the security flaws and closing off the exposed access within a few hours of notification[1][3]. The company stated that, despite the vulnerability, no candidate information had been leaked online or made publicly available[1].

### Steps Towards Improvement

Paradox.ai acknowledged the severity of the issue and took full responsibility for the security lapse[2]. It has committed to launching a bug bounty programme so that similar vulnerabilities are found and fixed proactively in future[2]. For its part, McDonald's stressed the importance of holding third-party providers accountable for cybersecurity and said it would promptly address any gaps in data protection[2].

### A Call for Enhanced Cybersecurity Standards

This incident underscores the need for rigorous security standards wherever sensitive personal data is handled through AI-driven platforms in major corporate operations. The breach came down to poor security hygiene: a default password that was never rotated, protecting an administrative login with no multifactor authentication[1][2][4]. Both McDonald's and Paradox.ai have since moved to strengthen their security posture by patching the vulnerabilities quickly and committing to ongoing improvements, including bug bounty initiatives and tighter access controls[1][2][4].

Gizmodo reached out to both companies for more information.

  • Gizmodo reported that independent security researchers Sam Curry and Ian Carroll discovered a security flaw in McDonald's McHire recruitment platform, which uses an AI-powered chatbot named Olivia provided by Paradox.ai.
  • The breach was primarily caused by an extremely weak default password ("123456") on an administrative login, which allowed the researchers to reach sensitive personal data of over 64 million job applicants.
  • After the issue was reported, Paradox.ai resolved the security flaws and closed the exposed access, and stated that no candidate information had been leaked online or made publicly available.
  • Following the incident, both McDonald's and Paradox.ai committed to strengthening their security measures, including a bug bounty programme and tighter access controls, and emphasised the importance of rigorous security standards when handling sensitive personal data through AI-driven platforms.
