McDonald’s AI Hiring Tool Exposes 64M Applicants’ Data

Security researchers Ian Carroll and Sam Curry discovered a critical vulnerability in McDonald's AI-powered hiring platform, Olivia, operated by Paradox.ai, which exposed the personal data—including names, email addresses, phone numbers, and chat histories—of up to 64 million job applicants globally. The researchers gained administrator access using the default credentials '123456' for both username and password, with no multi-factor authentication in place. This security lapse raised serious concerns about data protection and the potential for phishing attacks targeting job seekers. Both Paradox.ai and McDonald’s confirmed the breach, while Paradox.ai emphasized that the issue was resolved promptly and that only the researchers accessed the data. Paradox.ai also announced plans to implement a bug bounty program to strengthen security. McDonald’s expressed disappointment in Paradox.ai’s oversight and stressed the need for robust cybersecurity in recruitment processes.