McDonald’s AI Hiring Bot Exposes 64 Million Applicants in Major Data Breach
McDonald's has landed itself in an AI hiring controversy. The company’s AI recruiting platform allegedly exposed the information of 64 million job candidates due to a serious security flaw. The breach, reported in late June 2025, highlights rising concern about the security of automated recruitment systems.
What is McHire and Who is Behind it?
The vulnerability was found in McHire, which is McDonald’s recruitment platform. It was powered by Olivia, an AI chatbot created by Paradox.ai. Olivia interacts with applicants by screening resumes, scheduling interviews, and administering personality tests.
Security Researchers Unearth Alarming Security Flaws
Cybersecurity researchers Ian Carroll and Sam Curry uncovered troubling flaws in the platform. Most notably, they discovered that the backend of McHire was secured with only the default password, ‘123456’. This allowed completely unrestricted access to the sensitive applicant data available on the platform.
Researchers also uncovered an Insecure Direct Object Reference (IDOR) vulnerability, which allowed any person in possession of a valid URL to obtain applicant data simply by changing the ID, without requiring any hacking tools.
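The sketch below is an added example, not McHire's or Paradox.ai's code: it shows the general shape of an IDOR (a lookup keyed only by the ID in the request) beside a version that checks record ownership on the server. The record layout, account names and function names are all hypothetical, and the data is constructed.

```python
# Constructed sample data: applicant records keyed by sequential ID,
# each belonging to one (hypothetical) hiring account.
APPLICANTS = {
    1001: {"owner": "store-17", "name": "A. Example", "phone": "555-0100"},
    1002: {"owner": "store-17", "name": "B. Example", "phone": "555-0101"},
    1003: {"owner": "store-42", "name": "C. Example", "phone": "555-0102"},
}


class NotFound(Exception):
    """Raised for both missing records and records the caller does not own."""


def get_applicant_vulnerable(session, applicant_id):
    # IDOR: the session is never consulted, so any caller who changes the
    # ID in the request receives whichever record that ID points to.
    return APPLICANTS[applicant_id]


def get_applicant_checked(session, applicant_id):
    record = APPLICANTS.get(applicant_id)
    # Object-level authorization: the record must belong to the caller.
    # Missing and foreign IDs produce the same error, so the response
    # does not reveal which IDs exist.
    if record is None or record["owner"] != session["account"]:
        raise NotFound(applicant_id)
    return record


def readable_ids(handler, session, ids):
    """Regression check: list the IDs for which this session gets data."""
    readable = []
    for applicant_id in ids:
        try:
            handler(session, applicant_id)
            readable.append(applicant_id)
        except (NotFound, KeyError):
            pass
    return readable


if __name__ == "__main__":
    session = {"account": "store-17"}
    print(readable_ids(get_applicant_vulnerable, session, range(1000, 1005)))
    print(readable_ids(get_applicant_checked, session, range(1000, 1005)))
```

A check like `readable_ids` fits in an integration test suite: run it with one account's session and fail the build if any returned ID belongs to another account.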
What Type of Data Was Exposed?
The exposed materials included names, email addresses, phone numbers, resumes, chat transcripts, and personality test responses. Carroll said the breach was like ‘walking into an unlocked vault,’ amid growing concerns about identity theft and phishing attacks.
What McDonald's and Paradox.ai Did
McDonald's and Paradox.ai each acted quickly when alerted. By early July, both companies had patched the vulnerability. Paradox.ai also launched a bug bounty program to encourage ethical hacking and improve future threat recognition. The company confirmed that the exposed data was accessed only by the researchers who had alerted them.
A Call to Action for AI Security
In its public statement, McDonald's expressed disappointment and promised further scrutiny of third-party vendors in the future. Paradox.ai acknowledged the failure and stated that it would improve its cybersecurity practices. Experts say this breach reinforces the need for AI systems to follow basic security protocols.
The Bigger Picture: AI Ethics and User Safety
There have been no reports of misuse of the disclosed vulnerability. However, the breach has heightened concern about AI-related privacy risks. For the 64 million job seekers affected, it underscores the need for better protections with an emphasis on ethical design.