
A security lapse in McDonald’s AI-powered hiring platform McHire, whose chatbot ‘Olivia’ screens applicants, has exposed the personal information of millions of job applicants. Security researchers found the McHire system, built by Paradox.ai, could be accessed with a basic default password that had never been changed.
This follows a major data breach from Qantas that compromised the personal information of up to six million customers.
How researchers discovered the McDonald’s AI hiring vulnerability
The breach was discovered in July 2025 by security researchers Ian Carroll and Sam Curry. After receiving complaints about the AI chatbot’s erratic performance, they began probing for weaknesses.
They discovered that the backend of the McHire platform could be accessed by logging in with the default administrator password: 123456.
Unchanged default credentials are a common finding in business systems; here the oversight meant that anyone who tried the most obvious password could have gained access to applicant records going back years.
“I just thought it was pretty uniquely dystopian compared to a normal hiring process, right? And that’s what made me want to look into it more,” Carroll told Wired.
“So I started applying for a job, and then after 30 minutes, we had full access to virtually every application that’s ever been made to McDonald’s going back years.”
The McHire platform, used by more than 90% of McDonald’s franchisees, processes applications for a wide range of roles.
The researchers also found that applicant records were identified by sequential numeric IDs, so anyone with access to the backend could step through the ID range and retrieve the personal details of up to 64 million individuals who had applied for jobs, without any check that the account was entitled to see those records.
The exposed data included names, email addresses, phone numbers, and physical addresses. While social security numbers and other highly sensitive identifiers were not visible, experts warn the available information could be exploited for phishing or identity theft: a name, contact details and the knowledge that the person recently applied to McDonald’s are enough to build a convincing recruitment-themed lure.
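The two failures described above, a default password that still worked and records addressed by guessable sequential IDs with no ownership check, are easiest to see side by side in code. The following is an added illustration written for this article, not code from Paradox.ai or McDonald’s; the account name, franchise IDs, applicant records and the plain-text password table are all constructed for the example, and the lookup functions are hypothetical stand-ins for whatever the real API endpoint did.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Applicant:
    lead_id: int        # allocated sequentially, as the article describes
    franchise_id: str   # the franchisee the application was submitted to
    name: str
    email: str


@dataclass(frozen=True)
class Session:
    account: str
    franchise_id: str   # the single tenant this login is entitled to see


# Constructed sample data (not real applicants): two franchisees sharing one
# global, sequential ID space.
APPLICANTS = {
    1000: Applicant(1000, "franchise-A", "Ana Example", "ana@example.com"),
    1001: Applicant(1001, "franchise-B", "Ben Example", "ben@example.com"),
    1002: Applicant(1002, "franchise-A", "Cy Example", "cy@example.com"),
    1003: Applicant(1003, "franchise-B", "Dee Example", "dee@example.com"),
    1004: Applicant(1004, "franchise-B", "Eli Example", "eli@example.com"),
}

# Hypothetical test-restaurant account still on its seeded password.
# Plain-text storage is only to keep the example short; a real store hashes.
ACCOUNTS = {"test-restaurant": ("123456", "franchise-A")}
DEFAULT_PASSWORDS = {"123456", "password", "admin"}


def login_vulnerable(username: str, password: str) -> Optional[Session]:
    """Accepts any matching password, including a vendor default."""
    entry = ACCOUNTS.get(username)
    if entry is None or not hmac.compare_digest(entry[0], password):
        return None
    return Session(username, entry[1])


def login_hardened(username: str, password: str) -> Optional[Session]:
    """Same check, but an account still on a known default password is
    refused until it is rotated, so 'nobody changed it' cannot become a login."""
    entry = ACCOUNTS.get(username)
    if entry is None or entry[0] in DEFAULT_PASSWORDS:
        return None
    if not hmac.compare_digest(entry[0], password):
        return None
    return Session(username, entry[1])


def get_applicant_vulnerable(session: Session, lead_id: int) -> Optional[Applicant]:
    """Authenticated but not authorised: any valid session can read any ID."""
    return APPLICANTS.get(lead_id)


def get_applicant_hardened(session: Session, lead_id: int) -> Optional[Applicant]:
    """Object-level authorisation: the record must belong to the caller's
    tenant. Returning None for both 'missing' and 'not yours' avoids
    confirming to an enumerating client which IDs exist."""
    rec = APPLICANTS.get(lead_id)
    if rec is None or rec.franchise_id != session.franchise_id:
        return None
    return rec


def harvest(fetch: Callable[[Session, int], Optional[Applicant]],
            session: Session, start: int, stop: int) -> List[Applicant]:
    """Walk a numeric ID range the way an enumerating client would."""
    return [rec for lead_id in range(start, stop)
            if (rec := fetch(session, lead_id)) is not None]


if __name__ == "__main__":
    s = login_vulnerable("test-restaurant", "123456")
    print(len(harvest(get_applicant_vulnerable, s, 990, 1010)), "records via the weak path")
    print(login_hardened("test-restaurant", "123456"), "from the hardened login")
    print([r.lead_id for r in harvest(get_applicant_hardened, s, 990, 1010)], "visible to franchise-A")
```

With the weak login and the unchecked lookup, one test account walks the whole ID range and collects every record; with the hardened pair, the default-password account cannot log in at all, and even a legitimate session only sees its own franchise’s applicants. Replacing sequential IDs with random opaque ones would raise the cost of enumeration further, but it is defence in depth: the per-record ownership check is the fix.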
McDonald’s and Paradox.ai respond to the data breach
McDonald’s has addressed the incident directly, with a spokesperson expressing the company’s disappointment and outlining the steps taken in response.
“We’re disappointed by this unacceptable vulnerability from a third-party provider, Paradox.ai. As soon as we learned of the issue, we mandated Paradox.ai to remediate the issue immediately, and it was resolved on the same day it was reported to us,” the spokesperson said.
“We take our commitment to cybersecurity seriously and will continue to hold our third-party providers accountable to meeting our standards of data protection.”
Paradox.ai also publicly acknowledged the breach and accepted responsibility.
“We do not take this matter lightly, even though it was resolved swiftly and effectively. We own this,” Paradox.ai’s chief legal officer Stephanie King said.
The company said that, based on its records, the exposed account was accessed only by the security researchers and not by any unauthorised third parties.
Paradox.ai also stated the vulnerability was fixed as soon as it was reported, and both the weak password and API endpoint issues have been resolved.
Additionally, Paradox.ai announced the launch of a bug bounty program to better identify and address security vulnerabilities, along with additional security initiatives to prevent similar incidents in the future.
The McDonald’s breach has reignited debate about the rapid adoption of artificial intelligence in sensitive business processes without adequate oversight.
As AI becomes increasingly central to recruitment and HR operations, this incident is a reminder that even the most advanced systems are only as secure as their most basic settings.