McDonald’s stored data of 64 million job candidates under the password “123456”: critical vulnerability discovered

A serious security flaw was discovered in McDonald’s recruiting platform: an AI chatbot was storing sensitive job candidate information behind the highly insecure password “123456.” This created a potential threat of leakage of personal data of about 64 million applicants. Wired reported on the flaw.
The platform in question is McHire, which uses an AI bot named Olivia to automatically interact with candidates. The problem was discovered by cyber security researchers Ian Carroll and Sam Curry. According to them, they were able to access the database simply by selecting the login and entering the password “123456”. As a result, they could see names, e-mail addresses, telephone numbers, and even candidates’ correspondence with the bot.
In addition, the Ian.sh site reports that the bot stored applicants’ data in an unsecured form, and another vulnerability was discovered that allowed third parties to see the history of applicants’ interaction with the system.
The platform was developed by Paradox.ai, which confirmed the incident in an official comment. The company clarified that the account with the simple password was not accessed by outsiders, only by the researchers themselves. The vulnerability was quickly fixed, and the company gave assurances that no personal data was leaked. At the same time, the company promised to create a bug bounty program to avoid similar situations in the future.
McDonald’s, which is a customer of the service, called the situation “unacceptable” and said that it expects the highest security standards from its partners. According to company representatives, the vulnerability was closed on the day it was discovered, and measures are now being taken to strengthen controls over compliance with cyber security regulations.
The incident once again demonstrated how dangerous it can be to ignore basic rules of cyber hygiene, even in complex systems with artificial intelligence.