McDonald’s AI Hiring Bot Hacked with Simple Password, Exposing Applicant Data

Zoe Ramirez

A significant breach at McDonald’s has exposed personal information belonging to millions of job applicants after hackers exploited the fast-food chain’s AI hiring bot using the exceedingly simple password “123456.” The bot, known as Olivia, is used by numerous McDonald’s franchisees to help screen applicants. Security researchers Ian Carroll and Sam Curry discovered that they could easily access the backend system, operated by Paradox.ai, by entering “123456” as both the username and password. No multi-factor authentication was in place, which revealed a critical security flaw, according to Wired.

Carroll and Curry also attempted one additional username/password combination: “admin.” Once they gained access, the researchers reported being able to reach approximately 64 million chat records, which included applicants’ names, email addresses, and phone numbers, as detailed in a blog post. They noted that the vulnerability allowed them to view records simply by altering applicant ID numbers.
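The record-by-ID exposure described above comes down to a missing per-record authorization check. The following is an added example, not code from the researchers or from Paradox.ai: it contrasts a lookup that trusts any logged-in session with one that checks ownership, using a hypothetical `tenant` field, hypothetical function names, and constructed sample records.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    user: str
    tenant: str  # assumption: the organization this login belongs to

# Constructed sample data: applicant_id -> record owned by exactly one tenant.
RECORDS = {
    1001: {"tenant": "franchise-a", "name": "Applicant One"},
    1002: {"tenant": "franchise-b", "name": "Applicant Two"},
    1003: {"tenant": "franchise-a", "name": "Applicant Three"},
}

class NotFound(Exception):
    """Raised for missing AND unauthorized IDs, so the response does not
    reveal which applicant IDs exist."""

denied_log = []  # (user, applicant_id) pairs; feed these to alerting

def get_record_unchecked(session, applicant_id):
    # Flawed pattern: being authenticated is treated as being authorized,
    # so changing the ID returns another tenant's record.
    return RECORDS[applicant_id]

def get_record_checked(session, applicant_id):
    # Hardened pattern: the record must belong to the caller's tenant.
    record = RECORDS.get(applicant_id)
    if record is None or record["tenant"] != session.tenant:
        denied_log.append((session.user, applicant_id))
        raise NotFound(applicant_id)
    return record

def readable_ids(session, lookup, ids):
    """Return the IDs from `ids` that `lookup` lets this session read."""
    allowed = []
    for applicant_id in ids:
        try:
            lookup(session, applicant_id)
            allowed.append(applicant_id)
        except (KeyError, NotFound):
            pass
    return allowed

if __name__ == "__main__":
    s = Session(user="recruiter", tenant="franchise-a")
    print(readable_ids(s, get_record_unchecked, range(1000, 1005)))
    print(readable_ids(s, get_record_checked, range(1000, 1005)))
```

A burst of entries in `denied_log` from one user across consecutive IDs is the signal to alert on.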

Paradox.ai acknowledged the breach, confirming that only a small portion of the accessed records contained personal information and asserting that no unauthorized access occurred beyond the researchers’ exploratory efforts. The company has since rectified the vulnerability and launched a bug bounty program, emphasizing that the incident is being taken seriously.

McDonald’s criticized the security lapse as “unacceptable” and placed responsibility on Paradox.ai, insisting that the vendor promptly address the issue. Both parties reported that the problem was resolved the same day it was identified. Carroll and Curry initiated their investigation after observing complaints about the AI chatbot’s effectiveness online. They cautioned that although the compromised data was not exceptionally sensitive, it could still be exploited for phishing scams or payroll fraud if discovered by malicious actors. The researchers highlighted that the urgency of applicants awaiting responses could increase their susceptibility to impersonation attempts.
