McDonald’s AI Hiring Bot Secured With ‘123456’ Password – Ankor Tech

Security researchers have uncovered a critical weakness in McDonald’s AI-powered hiring chatbot, McHire, which left the personal data of roughly 64 million job applicants exposed. By logging in with the rudimentary password “123456,” the researchers obtained administrative access to the platform and, from there, reached sensitive candidate information.

A Massive Data Exposure Risk

The exposure was discovered by security researchers Ian Carroll and Sam Curry, who detailed their findings in a technical post. During a brief security assessment, the duo found that the chatbot platform, operated by third-party vendor Paradox.ai, still accepted a default credential: an administrative test account with the password “123456.” Beyond the weak password, the researchers exploited a second flaw, an insecure direct object reference in an internal API. The endpoint served an applicant’s chat history by numeric ID without checking that the caller was entitled to it, so other applicants’ conversations could be retrieved simply by changing the ID in the request.

Sensitive Information at Stake

The exposure was extensive, potentially compromising the privacy of millions of individuals. Data accessible through these security gaps included:

  • Full legal names
  • Personal email addresses
  • Residential home addresses
  • Private phone numbers

Paradox.ai Responds to Security Failures

Following the disclosure, Paradox.ai issued a formal update confirming that the vulnerabilities were patched within hours of the initial report. The company maintains that, despite the accessibility of the interface, no candidate information was leaked to the public or exfiltrated by malicious actors.

The Growing Risk of AI Recruitment Tools

The incident, initially reported by Wired, highlights the escalating security risks that come with the rapid integration of AI-driven recruitment platforms. As companies increasingly rely on automated systems to manage massive hiring pipelines, this failure is a stark reminder that enterprise software needs rigorous penetration testing and robust credential management: no default or test accounts left live in production, rejection of known-weak passwords such as “123456,” and an authorization check on every object lookup rather than a login check alone.