McDonald's AI-powered hiring platform, McHire, exposed sensitive data of 64 million job applicants through a default admin password, '123456', and API vulnerabilities that security researchers discovered in June 2025.
In late June 2025, security researchers Ian Carroll and Sam Curry discovered critical vulnerabilities in McDonald's AI-powered hiring platform McHire, which uses an automated recruiter bot called Olivia created by Paradox.ai. The researchers found that the administrative interface accepted default credentials '123456' for both username and password, granting immediate access to live administrative dashboards rather than just test environments. Additionally, they discovered an insecure direct object reference (IDOR) vulnerability in an internal API that allowed access to applicant data by simply changing ID parameters. This combination of flaws potentially exposed sensitive personal information of up to 64 million job seekers, including chat histories with the AI bot, contact information, shift preferences, personality test results, and authentication tokens. The vulnerabilities were discovered during a security review prompted by Reddit user complaints about the bot's nonsensical answers. Upon disclosure on June 30, 2025, both McDonald's and Paradox.ai responded within an hour, disabling default credentials and securing the endpoint by July 1. Paradox.ai stated that only five candidate records were actually viewed by the researchers and no data was leaked publicly or accessed by malicious third parties.
Domain classification, causal taxonomy, severity scores, and national security assessments were LLM-classified and may contain errors.
AI systems that memorize and leak sensitive personal data or infer private information about individuals without their consent. Unexpected or unauthorized sharing of data and information can compromise user expectation of privacy, assist identity theft, or cause loss of confidential intellectual property.
Human: Due to a decision or action made by humans
Unintentional: Due to an unexpected outcome from pursuing a goal
Post-deployment: Occurring after the AI model has been trained and deployed