McDonald's AI Hiring Bot Exposes Data of 64 Million Applicants

Security researchers Ian Carroll and Sam Curry uncovered critical vulnerabilities in McDonald's AI-powered recruitment platform, McHire, developed by Paradox.ai, which exposed sensitive personal information of approximately 64 million job applicants. The breach was enabled by a weak default administrator password, "123456," combined with an insecure direct object reference (IDOR) flaw in the McHire API, allowing access to names, emails, phone numbers, candidacy states, shift preferences, and raw chat messages. Despite McHire being adopted by 90 percent of McDonald's U.S. franchises and handling large volumes of applicant data, basic security measures were neglected, highlighting a dangerous gap between AI innovation and foundational cybersecurity practices. This incident underscores the risks of relying on third-party AI vendors without thorough security vetting and raises concerns over compliance with data protection regulations like GDPR and CCPA. McDonald's and Paradox.ai have acknowledged the leak and are working to strengthen their systems, but trust issues remain for millions of affected applicants. The case serves as a stark reminder that advanced AI hiring tools must be paired with rigorous security frameworks to protect sensitive personal data in recruitment workflows.