McDonald’s AI Recruiting Bot Leaked Data of Millions of Applicants With Password ‘123456’

McDonald’s AI hiring chatbot had major security hole exposing millions of job applicants

McDonald’s is reeling after security researchers uncovered glaring flaws in the AI chatbot it uses to screen job applicants. The chatbot, Olivia—built by Paradox.ai—is used on McHire.com, the platform many McDonald’s franchisees rely on for applications.

The issue came to light when security researchers Ian Carroll and Sam Curry found the system’s backend protected by laughably weak credentials, such as the password “123456.” This gave them access to Paradox.ai’s databases holding as many as 64 million chat records, including names, emails, and phone numbers of applicants.

Carroll said he stumbled on the problem after growing suspicious of the dystopian hiring process run by AI. After 30 minutes of testing, he had “full access to virtually every application that’s ever been made to McDonald’s going back years.”

Paradox.ai admitted the security hole but said only a fraction of records contained personal info. The company confirmed the weak-password account was never accessed by anyone except the researchers. Paradox.ai is launching a bug bounty program to tighten security.

McDonald’s blamed its third-party partner and demanded an immediate fix upon learning of the breach. The vulnerability was patched the day it was reported.

Stephanie King, Paradox.ai chief legal officer, told WIRED:

We do not take this matter lightly, even though it was resolved swiftly and effectively.
We own this.

McDonald’s also said in a statement:

We’re disappointed by this unacceptable vulnerability from a third-party provider, Paradox.ai.
As soon as we learned of the issue, we mandated Paradox.ai to remediate the issue immediately, and it was resolved on the same day it was reported to us.
We take our commitment to cyber security seriously and will continue to hold our third-party providers accountable to meeting our standards of data protection.
