McDonald’s widely used AI hiring assistant, Olivia, designed to screen job applicants on its McHire.com portal, has been found to expose sensitive data from millions of applications due to severe security vulnerabilities. The breach was discovered by security researchers Ian Carroll and Sam Curry, who stumbled upon flaws that allowed full backend access using one of the most common passwords: “123456.”
Built and operated by Paradox.ai, an AI recruitment software company, Olivia is used by McDonald’s franchisees globally to conduct automated applicant chats, collect resumes, and direct candidates through personality assessments. But the platform’s outdated and unsecured systems created a perfect storm for a data breach affecting job seekers’ privacy.
Security Lapses: No MFA, Common Passwords, and Unsecured Test Accounts
The researchers gained access to the backend after discovering a login page for Paradox.ai staff on McHire.com. Without any multi-factor authentication, they successfully logged in using basic credentials—first trying “admin” and then “123456”—and were granted administrative privileges to a test restaurant location.
From there, they discovered a second flaw: the ability to manipulate applicant ID numbers in the URL. This allowed them to access the chat logs and personal details of other applicants simply by changing the ID digits. They estimate that more than 64 million records were potentially exposed, although they only viewed a limited number to avoid ethical and legal violations.
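The ID-manipulation flaw described above is a textbook insecure direct object reference: the backend authenticated the caller but never checked whether that caller was allowed to see the specific record requested. The following is an added example, not code from the article or from Paradox.ai, that models the problem in Python from a defender's side. It places a vulnerable lookup beside a hardened one that enforces object-level authorization (an applicant sees only their own record; staff see only records for locations they administer), and adds a small log check that flags a session walking consecutive applicant IDs. The record store, session model and log lines are all constructed sample data, not anything from the McHire system.

```python
"""
Added example (not the article's or Paradox.ai's code): an insecure direct
object reference (IDOR) handler beside a hardened one, plus an enumeration
check over constructed access-log lines.
"""
from dataclasses import dataclass
from collections import defaultdict
from typing import Optional, FrozenSet, Dict


@dataclass(frozen=True)
class Applicant:
    applicant_id: int
    name: str
    location_id: str      # restaurant the application was filed with (constructed)
    chat_log: str


# Constructed sample store keyed by a sequential integer ID, which is exactly
# what makes "change the digits in the URL" a viable enumeration path.
APPLICANTS = {
    1001: Applicant(1001, "Applicant A", "store-test", "hi, looking for a crew role"),
    1002: Applicant(1002, "Applicant B", "store-42", "applying for shift lead"),
    1003: Applicant(1003, "Applicant C", "store-42", "part-time weekends only"),
}


@dataclass(frozen=True)
class Session:
    user_id: str
    role: str                               # "applicant" or "staff" (assumed roles)
    applicant_id: Optional[int] = None      # set for applicants
    locations: FrozenSet[str] = frozenset() # for staff: locations they administer


class Forbidden(Exception):
    pass


def get_applicant_vulnerable(session: Session, applicant_id: int) -> Applicant:
    """Insecure: the caller is logged in, but nothing asks whether *this*
    caller may read *this* record, so any session can walk the ID space."""
    return APPLICANTS[applicant_id]


def get_applicant_secure(session: Session, applicant_id: int) -> Applicant:
    """Hardened: object-level authorization on every lookup."""
    record = APPLICANTS.get(applicant_id)
    # Missing and denied both raise the same error so the response does not
    # reveal which IDs exist.
    if record is None:
        raise Forbidden("not found")
    if session.role == "applicant" and session.applicant_id == applicant_id:
        return record
    if session.role == "staff" and record.location_id in session.locations:
        return record
    raise Forbidden("not found")


# Constructed access-log lines: "<session_id> GET /applicants/<id>"
SAMPLE_LOG = """\
sess-aaa GET /applicants/1002
sess-aaa GET /applicants/1003
sess-aaa GET /applicants/1004
sess-aaa GET /applicants/1005
sess-bbb GET /applicants/1002
"""


def flag_id_enumeration(log_text: str, window: int = 3) -> Dict[str, int]:
    """Return {session: longest run} for sessions that requested `window` or
    more consecutive applicant IDs. A run of adjacent IDs from one session is
    a strong signal of enumeration rather than normal use."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        sess, _method, path = line.split()
        seen[sess].add(int(path.rsplit("/", 1)[1]))
    flagged: Dict[str, int] = {}
    for sess, ids in seen.items():
        ordered = sorted(ids)
        run = best = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= window:
            flagged[sess] = best
    return flagged


if __name__ == "__main__":
    test_admin = Session("admin-test", "staff", locations=frozenset({"store-test"}))
    print(get_applicant_vulnerable(test_admin, 1002).name)   # leaks another store's record
    try:
        get_applicant_secure(test_admin, 1002)
    except Forbidden as exc:
        print("secure handler:", exc)
    print(flag_id_enumeration(SAMPLE_LOG))
```

The point of the hardened handler is that the test-location admin (the position the researchers were in) can still read records filed with its own location but gets the same "not found" for every other ID, so the sequential key stops being a capability. The log check is a cheap detective control for the case where the authorization fix has not yet shipped.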
These records included names, phone numbers, email addresses, and full chat histories with Olivia. In some cases, applicants’ résumés and job preferences were also visible. WIRED independently verified that two of the records reviewed were authentic applications made on the McHire platform.
Company Response: “We Own This” Says Paradox.ai
Paradox.ai confirmed the breach in a blog post, acknowledging that the test account with the “123456” password hadn’t been accessed since 2019 and “should have been decommissioned.” The company emphasized that the only known access came from the researchers and no malicious exploitation was detected.
Stephanie King, Paradox.ai’s Chief Legal Officer, stated: “We do not take this matter lightly, even though it was resolved swiftly and effectively. We own this.” The company has now launched a bug bounty program to preemptively detect future vulnerabilities.
McDonald’s, in its statement to WIRED, placed the blame squarely on its third-party vendor. “We’re disappointed by this unacceptable vulnerability from a third-party provider, Paradox.ai. As soon as we learned of the issue, we mandated immediate remediation,” the company said.
Bigger Implications: AI Hiring, Privacy, and Exploitation Risks
While no highly sensitive information such as Social Security numbers or banking details was leaked, the exposed data still posed a serious phishing and fraud risk. Since the records clearly identified applicants’ intentions to work at McDonald’s—a minimum-wage job for many—they could have been exploited for employment scams, fake onboarding links, or financial fraud schemes disguised as HR communication.
Carroll, one of the researchers, emphasized the dystopian irony of the situation: “You’re already being screened by a robot to flip burgers. Then your personal data gets leaked because that same robot’s maker used ‘123456’ as a password.”
He and Curry also warned that associating exposed data with job-seeking behavior can lead to unnecessary social embarrassment, even if it shouldn’t. “This data, if misused, tells a story about economic vulnerability,” Curry added.