McDonald's AI-tool with password '123456' exposed data of 64M applicants
McDonald's utilizes an AI-based platform for recruitment

Jul 13, 2025
10:23 am

What's the story

McDonald's is facing a major backlash after a severe security breach exposed sensitive information of 64 million job seekers. The incident was traced back to the use of a default admin password: "123456." The flaw was found by security researchers Ian Carroll and Sam Curry while reviewing McHire, an AI-based recruitment platform used by the fast-food giant.

System vulnerability

How the researchers accessed the data

McHire, which uses an automated chatbot called Olivia to screen and engage applicants, had a hidden flaw. This loophole allowed anyone to access applicants' chat histories with the bot. The researchers found a login option called "Paradox team members" on McHire's admin interface. They tried the default username and password combination "123456," which gave them immediate access not just to a test environment but also to real administrative dashboards with live data.

Data exposure

What kind of data was exposed?

The researchers found an internal API endpoint that allowed the fetching of applicant data using a predictable parameter. This insecure direct object reference (IDOR) allowed them to view personal details of the applicants, including chat transcripts with Olivia, names, email addresses, phone numbers, job application details, and even tokens that could allow someone to impersonate a candidate, per CSO Online.
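As an added illustration (not code from the article, McHire or Paradox), the lookup pattern described here is shown next to an authorization-checked version, followed by a log check that flags a session walking consecutive applicant ids; the record fields, endpoint path and log format are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample store: applicant records keyed by a predictable sequential id.
APPLICANTS = {
    1001: {"name": "A. Example", "email": "a@example.test", "owner": "acct-a"},
    1002: {"name": "B. Example", "email": "b@example.test", "owner": "acct-b"},
}

def fetch_applicant_idor(applicant_id):
    """Vulnerable pattern: returns whatever id the caller asks for, no authorization."""
    return APPLICANTS.get(applicant_id)

def fetch_applicant_checked(session, applicant_id):
    """Hardened pattern: object-level authorization on every lookup."""
    record = APPLICANTS.get(applicant_id)
    if record is None:
        return None
    if session.get("role") == "admin" or record["owner"] == session.get("account"):
        return record
    return None  # deny rather than leak; a real handler would return 403/404

# Constructed access-log lines (hypothetical format): session, method, path.
SAMPLE_LOG = """\
sess-1 GET /api/applicants/1001
sess-1 GET /api/applicants/1002
sess-1 GET /api/applicants/1003
sess-1 GET /api/applicants/1004
sess-2 GET /api/applicants/2048
"""

def find_enumeration(log_text, threshold=3):
    """Flag sessions that request `threshold` consecutive applicant ids,
    the access pattern an IDOR on a predictable parameter produces."""
    ids_by_session = defaultdict(list)
    for line in log_text.splitlines():
        session, _method, path = line.split()
        ids_by_session[session].append(int(path.rsplit("/", 1)[1]))
    flagged = []
    for session, ids in ids_by_session.items():
        ids.sort()
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= threshold:
                flagged.append(session)
                break
    return flagged
```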

Immediate action

McDonald's and Paradox fixed the vulnerability quickly

Following the disclosure on June 30, both Paradox.ai and McDonald's acted quickly to fix the vulnerability. By July 1, they had disabled the default credentials and secured the endpoint. Paradox.ai also announced plans for further security audits. A staff member from Paradox wrote on its website that they were confident this test account was only accessed by security researchers and no candidate information was leaked online or made publicly available at any point.

Risk assessment

Warning about potential risks

Randolph Barr, Chief Information Security Officer at Cequence Security, warned that while there's no indication the data has been used maliciously yet, its scale and sensitivity could lead to targeted phishing, smishing/vishing, and even social engineering campaigns. He added that, combined with AI tooling, attackers could create incredibly personalized and convincing threats.