McDonald’s hiring app exposes data of 64 million applicants

Security researchers Ian Carroll and Sam Curry revealed multiple vulnerabilities in the McDonald’s AI-powered hiring platform, McHire, that exposed the personal information of over 64 million job applicants.

The root of the problem was surprisingly simple. McHire's administrative interface, designed for restaurant franchisees, accepted the default username and password "123456" / "123456", which granted immediate access to a live administrative dashboard. From there, an insecure direct object reference (IDOR) let an authenticated user retrieve records belonging to other restaurants simply by changing an identifier in a request, and so read any applicant inbox and the personal data of more than 64 million applicants.
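The IDOR half of the chain is the part most worth internalising, because default credentials are a one-line fix while missing object-level authorization is a design flaw that survives a password reset. The following is an added example written for this page, not code from McHire, Paradox.ai or the researchers, and it does not reproduce the actual endpoint: it models a multi-tenant hiring platform whose applicant chats are keyed by sequential integer IDs (an assumption), shows a handler that trusts the ID alone beside one that also scopes the lookup to the caller's tenant, and walks an ID range the way an enumeration attack would. All records below are constructed.

```python
# Added example (not McHire/Paradox.ai code). Models an IDOR in a
# multi-tenant hiring platform: a vulnerable handler that returns any
# record by ID, a hardened handler that checks tenant ownership, and an
# enumeration loop that shows the difference. Data is constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Session:
    user: str
    tenant_id: int  # the restaurant/franchise this admin account belongs to


@dataclass(frozen=True)
class ApplicantChat:
    chat_id: int
    tenant_id: int
    applicant_email: str
    transcript: str


# Constructed sample store: two franchises, sequential chat IDs (assumed).
CHATS: Dict[int, ApplicantChat] = {
    1001: ApplicantChat(1001, 1, "a@example.com", "Hi, I'd like to apply for a crew role."),
    1002: ApplicantChat(1002, 2, "b@example.com", "Are there overnight shifts?"),
    1003: ApplicantChat(1003, 2, "c@example.com", "My phone is 555-0100."),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


def get_chat_vulnerable(session: Session, chat_id: int) -> ApplicantChat:
    """IDOR: authentication is checked upstream, but nothing ties the
    record to the caller, so any admin can read any chat by guessing IDs."""
    chat = CHATS.get(chat_id)
    if chat is None:
        raise KeyError(chat_id)
    return chat


def get_chat_hardened(session: Session, chat_id: int) -> ApplicantChat:
    """Object-level authorization: the lookup is scoped to the caller's tenant.
    'Missing' and 'not yours' return the same error so the ID space cannot be
    mapped by observing 404 versus 403."""
    chat = CHATS.get(chat_id)
    if chat is None or chat.tenant_id != session.tenant_id:
        raise Forbidden(f"chat {chat_id} not available to tenant {session.tenant_id}")
    return chat


def enumerate_chats(
    session: Session,
    fetch: Callable[[Session, int], ApplicantChat],
    start: int,
    stop: int,
) -> List[str]:
    """Walk a range of sequential IDs as an enumeration attack would and
    return the applicant emails the handler hands back."""
    leaked: List[str] = []
    for cid in range(start, stop):
        try:
            leaked.append(fetch(session, cid).applicant_email)
        except (KeyError, Forbidden):
            continue
    return leaked


if __name__ == "__main__":
    admin = Session("franchise-1-admin", tenant_id=1)
    print("vulnerable:", enumerate_chats(admin, get_chat_vulnerable, 1000, 1010))
    print("hardened:  ", enumerate_chats(admin, get_chat_hardened, 1000, 1010))
```

The hardened handler filters on the tenant in the same lookup rather than fetching first and checking afterwards; in a real ORM that means putting the tenant condition into the query (`WHERE id = ? AND tenant_id = ?`) so a forgotten check cannot silently fall back to the vulnerable path. Non-sequential identifiers (random UUIDs) make enumeration slower but are not a substitute for the ownership check.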

Personal information included names, emails, phone numbers, job details and chat logs between applicants and McDonald's AI recruiter, which could have included additional personal information.

McDonald's and Paradox.ai responded swiftly:

June 30, 2025 5:46PM ET: Disclosed to Paradox.ai and McDonald’s
June 30, 2025 6:24PM ET: McDonald’s confirms receipt and requests technical details
June 30, 2025 7:31PM ET: Credentials are no longer usable to access the app
July 1, 2025 9:44PM ET: Followed up on status
July 1, 2025 10:18PM ET: Paradox.ai confirms the issues have been resolved

Read more about it here.
