McDonald's Breach Exposes Data of Millions of Job Applicants

The speed at which AI is evolving makes for an exciting time in the tech sector, but a worrying one in the cybersecurity sector, with many experts concerned that basic security controls are being neglected in the rush to deploy it.
This week, McDonald's has fanned the flames of those concerns.
In a significant data breach, the fast-food chain exposed the data of millions of job applicants through basic security weaknesses in an AI chatbot platform it uses for candidate screening.
Security researchers Ian Carroll and Sam Curry found they could gain access to 64 million records containing applicants' names, email addresses and phone numbers by taking advantage of flaws in the McHire platform.
The platform, developed by AI software company Paradox.ai, employs a chatbot named Olivia to carry out preliminary job interviews.
The researchers gained entry to the backend systems using basic methods, including correctly guessing that an administrator account used "123456" as both username and password.
What happened?
Ian, an independent security researcher, explains that he first examined the system after encountering complaints about the chatbot's functionality.
"I just thought it was pretty uniquely dystopian compared to a normal hiring process, right? And that's what made me want to look into it more," he tells WIRED.
"So I started applying for a job, and then after 30 minutes, we had full access to virtually every application that's ever been made to McDonald's going back years."
The investigation began when Ian and Sam set out to test the chatbot for prompt injection weaknesses.
In these attacks, crafted input is sent to a large language model (LLM) to make it ignore its instructions and circumvent its protective measures.
When they couldn't locate such vulnerabilities, they noticed a login link for Paradox.ai personnel on the McHire website.
Ian tried common default credentials, first "admin" as both username and password, then "123456".
The second attempt worked, granting administrator access to a test McDonald's restaurant on McHire, with no multifactor authentication required.
Paradox.ai's Chief Legal Officer Stephanie King acknowledges the researchers' discoveries: "We do not take this matter lightly, even though it was resolved swiftly and effectively. We own this."
The firm explains in a blog post that the breached test account "had not been logged into since 2019 and frankly, should have been decommissioned."
Paradox.ai confirms the account "was not accessed by any third party" other than the security researchers.
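The test account combined three failures that routine account hygiene should catch: a dormant account that was never decommissioned, a password identical to the username and on every default-credential list, and a privileged login with no MFA. The audit below is an added example, not Paradox.ai or McDonald's code; the account records, the audit date, the password denylist and the 90-day dormancy threshold are constructed assumptions.

```python
"""Account hygiene audit for the weaknesses described in the article: a dormant
administrator account, a guessable password and no MFA.  Added example, not
Paradox.ai or McDonald's code; all records and thresholds are constructed."""
from dataclasses import dataclass
from datetime import date

# Assumed denylist: the values the researchers tried plus a few common defaults.
COMMON_PASSWORDS = {"123456", "admin", "password", "12345678", "qwerty", "letmein"}
MIN_PASSWORD_LENGTH = 12
MAX_IDLE_DAYS = 90
AUDIT_DATE = date(2025, 7, 10)   # constructed "today" for the sample run


@dataclass
class Account:
    username: str
    role: str            # "admin" or "user"
    last_login: date
    mfa_enabled: bool


def password_policy_ok(username: str, password: str) -> bool:
    """Gate applied when a password is set: rejects short passwords, passwords on
    the denylist and passwords equal to the username (as in "123456"/"123456")."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    if password.lower() in COMMON_PASSWORDS:
        return False
    if password.lower() == username.lower():
        return False
    return True


def audit_accounts(accounts, today: date, max_idle_days: int = MAX_IDLE_DAYS):
    """Return (username, finding) pairs for the controls that should have caught
    the McHire test account: dormancy and missing MFA on privileged accounts."""
    findings = []
    for acct in accounts:
        idle_days = (today - acct.last_login).days
        if idle_days > max_idle_days:
            findings.append((acct.username, f"dormant for {idle_days} days; decommission"))
        if acct.role == "admin" and not acct.mfa_enabled:
            findings.append((acct.username, "privileged account without MFA"))
    return findings


# Constructed sample data: one dormant admin account with no MFA, one healthy user.
SAMPLE_ACCOUNTS = [
    Account("123456", "admin", date(2019, 6, 1), False),
    Account("alice", "user", date(2025, 7, 1), True),
]

if __name__ == "__main__":
    for user, finding in audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE):
        print(f"{user}: {finding}")
    print(password_policy_ok("123456", "123456"))
```

The password gate runs at the moment a password is chosen, since hashed passwords cannot be checked against a denylist after the fact; the dormancy and MFA checks run on whatever account inventory the platform exposes, and the dormant-account finding is the one that would have removed this login entirely.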
McDonald's shifting blame to third-party provider
After gaining entry to the system, Ian and Sam uncovered a second weakness: an insecure direct object reference.
By altering the applicant ID number in a request, they could access other candidates' chat histories and contact details, because the platform did not check that the caller was entitled to the record requested.
The researchers viewed seven records altogether, with five containing personal data of individuals who had used the McHire site.
The compromised information included names, email addresses, phone numbers and IP addresses, although not Social Security numbers.
Paradox.ai observes that "the majority of the chat interaction records were not tied to a candidate in the system and did not include candidate personal information".
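The fix for an insecure direct object reference is to authorise the object, not just the caller: every lookup must confirm that the authenticated principal is allowed to see that particular record. The handlers below are an added example, not Paradox.ai or McDonald's code; the record store, the session shape, the restaurant-scoped admin role and the sequential IDs are assumptions used to contrast the vulnerable pattern with the hardened one.

```python
"""Insecure direct object reference (IDOR), vulnerable handler beside the
hardened one.  Added example, not Paradox.ai or McDonald's code; the store,
session object and endpoint shape are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: int      # the authenticated principal
    role: str         # "applicant" or "admin"
    restaurant: str   # restaurant the admin manages; "" for applicants


@dataclass(frozen=True)
class Application:
    application_id: int
    applicant_user_id: int
    restaurant: str
    email: str
    chat_log: str


class Forbidden(Exception):
    pass


# Constructed sample data with sequential IDs, the pattern the article describes.
APPLICATIONS = {
    1001: Application(1001, 7, "store-A", "a@example.com", "Olivia: Hi! ..."),
    1002: Application(1002, 8, "store-A", "b@example.com", "Olivia: Hello ..."),
    1003: Application(1003, 9, "store-B", "c@example.com", "Olivia: Hi ..."),
}


def get_application_vulnerable(session: Session, application_id: int) -> Application:
    """Authenticated but not authorised: any logged-in caller can walk the ID space."""
    return APPLICATIONS[application_id]


def get_application_safe(session: Session, application_id: int) -> Application:
    """Authorise the object: an applicant may read only their own application and
    an admin only applications to the restaurant they manage."""
    app = APPLICATIONS.get(application_id)
    if app is None:
        raise Forbidden("not found")   # same error as unauthorised, so IDs cannot be enumerated
    if session.role == "applicant" and app.applicant_user_id == session.user_id:
        return app
    if session.role == "admin" and app.restaurant == session.restaurant:
        return app
    raise Forbidden("not authorised for this application")


def enumerate_ids(session: Session, handler, start: int, stop: int):
    """Walk a range of IDs with the given handler and report which are readable,
    the technique the researchers used to reach other candidates' records."""
    readable = []
    for app_id in range(start, stop):
        try:
            handler(session, app_id)
            readable.append(app_id)
        except (KeyError, Forbidden):
            pass
    return readable


if __name__ == "__main__":
    applicant = Session(user_id=7, role="applicant", restaurant="")
    print(enumerate_ids(applicant, get_application_vulnerable, 1000, 1010))
    print(enumerate_ids(applicant, get_application_safe, 1000, 1010))
```

Scoping the admin role to a restaurant matters here because the account the researchers guessed belonged to a single test restaurant; with the hardened handler that account would have seen only that restaurant's applications rather than the whole store. Non-sequential identifiers make enumeration slower but are not a substitute for the authorisation check.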
However, McDonald's assigns responsibility to its supplier.
"We're disappointed by this unacceptable vulnerability from a third-party provider, Paradox.ai," the company states.
"As soon as we learned of the issue, we mandated Paradox.ai to remediate the issue immediately and it was resolved on the same day it was reported to us.
"We take our commitment to cyber security seriously and will continue to hold our third-party providers accountable to meeting our standards of data protection."
The risks of phishing
Because the victims are job applicants expecting to hear from McDonald's, the information is particularly useful to criminals, who could pose as McDonald's recruiters and solicit bank details under the guise of setting up direct deposit.
Sam emphasises the specific dangers created by the breach: "Had someone exploited this, the phishing risk would have actually been massive.
"It's not just people's personally identifiable information and résumé. It's that information for people who are looking for a job at McDonald's, people who are eager and waiting for emails back.
"If you wanted to do some sort of payroll scam, this is a good approach."
The incident affects only one Paradox.ai customer; the company confirms that "our other client instances were not impacted."
Paradox.ai supplies AI-driven recruitment software to various organisations beyond McDonald's.
Following the breach, Paradox.ai has introduced new security protocols including revised password requirements and API endpoint fixes.
The company is also establishing a bug bounty programme to discover future vulnerabilities and has created a dedicated security contact email.
"We take responsibility for this issue. Full stop," Stephanie says.
"Our clients and their candidates place their trust in us, and we are committed to maintaining that trust."

