McDonald’s AI Recruitment Bot Exposes Millions of Job Applicants’ Data Due to ‘123456’ Password


McDonald’s AI hiring bot exposed 64 million job applicants’ data because an admin account was protected by the weak password “123456.”

Security researchers Ian Carroll and Sam Curry found major flaws in McDonald’s McHire platform, built by Paradox.ai. They got into the system in under 30 minutes with a simple password guess, then reached applicant records by manipulating record identifiers.

The McHire AI chatbot “Olivia” handles applications, but the backend lacked basic protections. The admin panel let the researchers log in with “123456” as both the username and the password, with no multi-factor authentication.


Once inside, they used an insecure direct object reference (IDOR) flaw to enumerate more than 64 million applicant records. This exposed names, emails, phone numbers, and chat logs — all ripe for phishing and fraud.
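The two failures described above, an authenticated user who can read any record by id, and the sequential-id access pattern that such enumeration leaves in logs, as an added example. This is illustrative code, not McHire or Paradox.ai code: the applicant records, organisation ids, session model and log format are all constructed for the example.

```python
"""Added example (not McHire/Paradox.ai code): an IDOR in a record lookup,
its hardened form, and a simple enumeration detector over access logs.

The vulnerable handler trusts a client-supplied applicant id after only
checking that the caller is logged in. The hardened handler additionally
scopes the lookup to the organisations the caller is authorised for
(object-level authorisation). All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Set


@dataclass(frozen=True)
class Applicant:
    applicant_id: int
    org_id: str          # hypothetical: the organisation that owns the record
    name: str
    email: str


@dataclass(frozen=True)
class Session:
    user: str
    org_ids: FrozenSet[str]  # organisations this authenticated user may see


# Constructed sample database: two organisations, four applicants.
DB = {
    1001: Applicant(1001, "org-a", "A. Example", "a@example.invalid"),
    1002: Applicant(1002, "org-a", "B. Example", "b@example.invalid"),
    1003: Applicant(1003, "org-b", "C. Example", "c@example.invalid"),
    1004: Applicant(1004, "org-b", "D. Example", "d@example.invalid"),
}


class Forbidden(Exception):
    """Raised when a caller may not access the requested record."""


def get_applicant_vulnerable(session: Session, applicant_id: int) -> Optional[Applicant]:
    """IDOR: authentication was checked upstream, but the id is looked up
    directly, so any logged-in user can read any organisation's record."""
    return DB.get(applicant_id)


def get_applicant_hardened(session: Session, applicant_id: int) -> Applicant:
    """Object-level authorisation: the record must belong to one of the
    caller's organisations. Missing and unauthorised ids raise the same
    error so the response does not reveal whether a record exists."""
    record = DB.get(applicant_id)
    if record is None or record.org_id not in session.org_ids:
        raise Forbidden(f"applicant {applicant_id} not accessible to {session.user}")
    return record


def flag_enumeration(log_lines: Iterable[str], window: int = 5) -> Set[str]:
    """Return users that requested `window` or more consecutive ids in
    ascending order, a simple signal of id enumeration. Each line has the
    constructed format 'user=<name> applicant_id=<int> status=<code>'."""
    ids_by_user = defaultdict(list)
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        ids_by_user[fields["user"]].append(int(fields["applicant_id"]))
    flagged = set()
    for user, ids in ids_by_user.items():
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= window:
                flagged.add(user)
                break
    return flagged


# Constructed access-log sample: one account walking ids in sequence,
# one account doing normal scoped lookups.
SAMPLE_LOG = [
    "user=tester applicant_id=1001 status=200",
    "user=tester applicant_id=1002 status=200",
    "user=tester applicant_id=1003 status=200",
    "user=tester applicant_id=1004 status=200",
    "user=tester applicant_id=1005 status=200",
    "user=manager applicant_id=1003 status=200",
    "user=manager applicant_id=1001 status=403",
]

if __name__ == "__main__":
    s = Session("tester", frozenset({"org-a"}))
    print(get_applicant_vulnerable(s, 1003))  # leaks org-b's record
    try:
        get_applicant_hardened(s, 1003)
    except Forbidden as exc:
        print("blocked:", exc)
    print(flag_enumeration(SAMPLE_LOG))  # {'tester'}
```

The fix is the scoping in `get_applicant_hardened`: the check is on the record's owner, not on whether the caller is logged in. The detector is deliberately crude (a run of consecutive ids from one account); in practice the same logic would run over a rate window and weigh 200 responses more heavily than 403s.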

McDonald’s and Paradox.ai confirmed the breach and fixed it the same day. Paradox.ai launched a bug bounty program to prevent future breaches. They also admitted the compromised test account had been dormant since 2019 and should have been deleted.
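The account that let the researchers in combined three hygiene failures the article names: a deny-listed password, no multi-factor authentication, and a test account left dormant for years. The audit below is an added example, not Paradox.ai's own tooling; the accounts, dates, deny list and dormancy threshold are constructed, and the password check is meant to run at the moment a password is set or rotated, which is why the value is available in the clear.

```python
"""Added example (not Paradox.ai code): an account-hygiene audit that flags
weak or username-equal passwords, missing MFA, and dormant accounts, and
recommends decommissioning dormant test accounts. All data is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List

# Constructed stub; a real deployment would use a breached-password corpus.
DENY_LIST = {"123456", "password", "qwerty", "12345678", "admin"}


@dataclass(frozen=True)
class Account:
    username: str
    candidate_password: str  # only present at set/rotate time, never stored
    mfa_enabled: bool
    last_login: date
    kind: str                # "test" or "user"


def password_rejected(username: str, password: str, min_len: int = 12) -> bool:
    """True when the password is deny-listed, equal to the username,
    or shorter than the minimum length."""
    normalised = password.strip().lower()
    return (
        normalised in DENY_LIST
        or normalised == username.strip().lower()
        or len(password) < min_len
    )


def audit(accounts: Iterable[Account], today: date,
          dormant_after: timedelta = timedelta(days=90)) -> Dict[str, List[str]]:
    """Return {username: [findings]} for every account with at least one
    issue. Dormant test accounts get an explicit decommission finding."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        issues = []
        if password_rejected(acct.username, acct.candidate_password):
            issues.append("weak-password")
        if not acct.mfa_enabled:
            issues.append("no-mfa")
        if today - acct.last_login > dormant_after:
            issues.append("dormant")
            if acct.kind == "test":
                issues.append("decommission")
        if issues:
            findings[acct.username] = issues
    return findings


# Constructed accounts: a forgotten test login and a healthy user.
SAMPLE_ACCOUNTS = [
    Account("123456", "123456", False, date(2019, 6, 1), "test"),
    Account("j.doe", "correct-horse-battery-staple", True, date(2025, 7, 1), "user"),
]

if __name__ == "__main__":
    for user, issues in audit(SAMPLE_ACCOUNTS, date(2025, 7, 10)).items():
        print(user, ", ".join(issues))
```

Running the audit against the constructed accounts reports the test login as weak-password, no-mfa, dormant and decommission, and nothing for the healthy user; the point is that each of those conditions is mechanically checkable long before an outside researcher finds them.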

This hack reveals how badly AI hiring platforms can fail on security, risking sensitive personal info of millions.

Paradox.ai Chief Legal Officer Stephanie King confirmed the findings and announced the launch of a bug bounty program. She also acknowledged that the compromised test account had remained dormant since 2019 and should have been decommissioned, an admission that points to poor security hygiene in the company’s development practices.
