A significant security breach exposed sensitive data of up to 64 million job applicants on McDonald's AI-powered hiring platform, McHire. The vulnerability stemmed from a default admin login using the easily guessable credentials "123456" and an insecure direct object reference (IDOR) in an internal API.
This allowed security researchers Ian Carroll and Sam Curry to access administrative dashboards and retrieve applicant data, including chat transcripts, contact information, and job application details. The incident highlights the risks associated with deploying AI systems without prioritizing fundamental security measures, even for sophisticated platforms.
The researchers discovered the flaws in late June 2025 and were able to gain access to the system's live administrative dashboards. By exploiting the IDOR vulnerability, they could manipulate the API to access data of various applicants. This exposure included timestamps, shift preferences, personality test outcomes, and tokens that could impersonate candidates.
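As an added illustration of the IDOR pattern described above (this is not code from McHire, Paradox.ai or the researchers), the snippet contrasts an applicant lookup that trusts the client-supplied id with one that authorizes against the authenticated caller, plus a simple log check a defender could run to spot id enumeration. All records, ids and account names are constructed for the example.

```python
"""IDOR vs. server-side authorization for an applicant-records API (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Caller:
    subject: str                # authenticated principal id (set by the auth layer, never by the client)
    franchise: Optional[str]    # franchise the account is scoped to; None for an applicant
    role: str                   # "franchise_admin" or "applicant"

# Constructed sample records: each applicant belongs to one franchise account.
APPLICANTS = {
    64000001: {"franchise": "store-0001", "applicant": "app-a", "name": "Applicant A", "chat": "hi"},
    64000002: {"franchise": "store-0002", "applicant": "app-b", "name": "Applicant B", "chat": "hello"},
}

class NotFound(Exception):
    """Raised for both missing and unauthorized ids, so responses do not reveal which ids exist."""

def get_applicant_vulnerable(applicant_id: int) -> dict:
    """IDOR: the record is selected solely by the id the client supplied; any authenticated
    user can walk the id space and read every applicant."""
    if applicant_id not in APPLICANTS:
        raise NotFound(applicant_id)
    return APPLICANTS[applicant_id]

def get_applicant(caller: Caller, applicant_id: int) -> dict:
    """Hardened: the decision is made from the server-side identity, not from the request."""
    record = APPLICANTS.get(applicant_id)
    if record is None:
        raise NotFound(applicant_id)
    if caller.role == "franchise_admin" and record["franchise"] == caller.franchise:
        return record
    if caller.role == "applicant" and record["applicant"] == caller.subject:
        return record
    raise NotFound(applicant_id)          # same error as "missing": no oracle for valid ids

def enumeration_alerts(access_log, threshold: int = 3):
    """Detection: flag callers who touched at least `threshold` distinct applicant ids.
    `access_log` is an iterable of (caller_subject, applicant_id) tuples from the API log."""
    seen = defaultdict(set)
    for subject, applicant_id in access_log:
        seen[subject].add(applicant_id)
    return sorted(s for s, ids in seen.items() if len(ids) >= threshold)

if __name__ == "__main__":
    admin = Caller("admin1", "store-0001", "franchise_admin")
    print(get_applicant_vulnerable(64000002)["name"])   # leaks another franchise's applicant
    print(get_applicant(admin, 64000001)["name"])       # own franchise: allowed
```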
The breach underscores the potential for attackers to leverage such vulnerabilities for phishing, social engineering, and other malicious activities, especially with the aid of AI tools. Following the disclosure on June 30, 2025, McDonald's and Paradox.ai (the creator of Olivia, the AI recruiter) swiftly addressed the issue.
The default credentials were disabled, and the API endpoint was secured by July 1. Paradox.ai also committed to further security audits. Although there's no evidence of malicious use of the data, experts warned about the potential for targeted attacks. The incident serves as a reminder that organizations must integrate robust security practices into their AI systems and hiring workflows.
As Kobi Nissan, Co-founder and CEO at MineOS, emphasized, AI systems handling personal data should adhere to the same privacy, security, and access controls as core business systems, including authentication, auditability, and integration into risk workflows.