McDonald’s AI Hiring Bot Exposes 64 Million Job Applicants In Major Data Breach




A trivially guessable password on a test account for McDonald’s hiring chatbot exposed millions of job applicants’ data, raising serious concerns about AI, privacy, and basic digital security practices.

In a rush? Here are the quick facts:

  • McHire’s AI hiring bot left more than 64 million McDonald’s applicant records exposed.
  • Security researchers got in by logging into a Paradox.ai account with “123456” as both the username and the password.
  • Personal details such as names, email addresses, phone numbers, and chat logs were viewable.

A serious security flaw in McDonald’s hiring platform left millions of job applicants’ personal data reachable through shockingly basic means, as first reported by WIRED. The issue was found on McHire.com, where candidates interact with “Olivia,” the AI screening chatbot developed by Paradox.ai.

WIRED reports that security researchers Ian Carroll and Sam Curry gained access to McHire’s backend by logging in with “123456” as both the username and the password. Once inside, they could reach applicant information, including names, email addresses, phone numbers, and chat logs, across more than 64 million records.

“I just thought it was pretty uniquely dystopian compared to a normal hiring process,” Carroll told WIRED. “So I started applying for a job, and then after 30 minutes, we had full access to virtually every application that’s ever been made to McDonald’s going back years,” Carroll added.

Paradox.ai confirmed the flaw in a statement and said only a small number of the records contained personal data. The exposed account had not been logged into since 2019 and lacked basic protections such as multifactor authentication. “We do not take this matter lightly,” said Paradox.ai’s chief legal officer, Stephanie King, as reported by WIRED. “We own this,” she added.
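The three weaknesses described above (a credential that is trivially guessable, including the username itself, no multifactor authentication, and an account nobody had used for years) are exactly what a routine account audit should catch. The script below is an added example, not code from Paradox.ai, McDonald’s, or WIRED: it runs such an audit over a constructed set of sample accounts. The account records, the denylist, and the `audit` thresholds are assumptions made for the illustration, and PBKDF2 stands in for whatever password-hashing scheme a real system uses.

```python
"""Audit stored account records for the failure modes reported in the McHire
case: a guessable credential, MFA switched off, and a dormant account.

Added example with constructed data; not the vendor's or WIRED's code.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date

# Assumed denylist of passwords an attacker would try first.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "admin", "welcome"}


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    mfa_enabled: bool
    last_login: date


def hash_password(password: str, salt: bytes) -> bytes:
    # Stand-in for the real password KDF. The iteration count is kept low so
    # the audit runs quickly; production stores would use far more or argon2.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def make_account(username, password, salt, mfa_enabled, last_login) -> Account:
    # Helper to build sample records; a real audit reads the existing store.
    return Account(username, salt, hash_password(password, salt), mfa_enabled, last_login)


def guessable_password(acct: Account) -> bool:
    # Re-hash each candidate with the account's salt and compare to the stored
    # hash. The username is always a candidate, which is the McHire pattern.
    candidates = COMMON_PASSWORDS | {acct.username, acct.username.lower()}
    return any(
        hmac.compare_digest(hash_password(c, acct.salt), acct.password_hash)
        for c in candidates
    )


def audit(accounts, today: date, dormant_after_days: int = 90) -> dict:
    """Return {username: [issues]} for every account with at least one issue."""
    findings = {}
    for acct in accounts:
        issues = []
        if guessable_password(acct):
            issues.append("guessable-password")
        if not acct.mfa_enabled:
            issues.append("no-mfa")
        if (today - acct.last_login).days > dormant_after_days:
            issues.append("dormant")
        if issues:
            findings[acct.username] = issues
    return findings


# Constructed sample accounts (not real data). The first mirrors the reported
# test account: username and password both "123456", no MFA, unused since 2019.
SAMPLE_ACCOUNTS = [
    make_account("123456", "123456", b"salt-a", False, date(2019, 6, 1)),
    make_account("jsmith", "jsmith", b"salt-b", True, date(2025, 7, 1)),
    make_account("ops-admin", "C0rrect-Horse-Battery-Staple!", b"salt-c", True, date(2025, 7, 8)),
]
TODAY = date(2025, 7, 10)  # assumed audit date

if __name__ == "__main__":
    for user, issues in audit(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{user}: {', '.join(issues)}")
```

Because a proper password KDF is deliberately slow, re-hashing a denylist for every account is affordable only for a short list; the usual complement is to reject denylisted passwords and username-equals-password at the moment a password is set, and to disable or delete accounts that trip the dormancy check rather than merely report them.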

WIRED reported that McDonald’s released a different statement, which pointed to Paradox.ai as the source of the problem and stated that the issue was fixed immediately. “We’re disappointed by this unacceptable vulnerability from a third-party provider,” the company said.

Carroll and Curry explained that the exposed data could be used for phishing: an attacker posing as McDonald’s HR staff could contact applicants and ask them for sensitive financial information. The individual fields were not especially sensitive on their own, but knowing that a specific person had recently applied for a minimum-wage job gives a scammer a credible pretext, which is what made the exposure harmful to applicants.
