Over 64 Million McDonald’s Job Applications at Risk Due to Default Password “123456”

251/68 Monday, July 14, 2025

Cybersecurity researchers have discovered a critical vulnerability in McHire, the chatbot-powered hiring platform used by McDonald’s to recruit employees across the United States. The flaw exposed personal data and chat conversations from over 64 million job applications, primarily because the system’s admin panel accepted weak default credentials: both the username and the password were set to “123456.” The vulnerability was discovered by researchers Ian Carroll and Sam Curry, who submitted a test application to a sample franchise and found that by slightly altering the application ID they could access other applicants’ data.

McHire is operated by Paradox.ai and is reportedly used by about 90% of McDonald’s franchises in the U.S. The platform’s chatbot, named “Olivia,” collects sensitive information such as full name, email, phone number, address, work availability, and even personality assessments. In addition to the default credentials, the system’s API was found to be vulnerable to an IDOR (Insecure Direct Object Reference) flaw: changing the application ID in the HTTP request returned another user’s data, because the server performed no access control check on whether the caller was entitled to that record.
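The two weaknesses described above (a default admin credential and an API lookup with no authorization check on the requested ID) are easy to model in a few lines. The following is an added example written for this page, not McHire’s or Paradox.ai’s code: a credential policy that refuses known defaults, the vulnerable “application by ID” lookup beside a hardened form that enforces object-level authorization, and a simple log check that flags a session walking through many application IDs. All applications, franchise names, session identifiers, log lines and the `KNOWN_DEFAULTS` list are constructed; the function names are hypothetical.

```python
"""Toy model of a default-credential check, an IDOR lookup and its fix, and a
detection pass over access logs. All data below is constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass
import re


# --- constructed sample data -------------------------------------------------
@dataclass(frozen=True)
class Application:
    app_id: int
    franchise_id: str        # the franchise that owns this application
    applicant_email: str
    chat_transcript: str


APPLICATIONS = {
    1001: Application(1001, "franchise-A", "alice@example.com", "Olivia: What shifts can you work?"),
    1002: Application(1002, "franchise-B", "bob@example.com", "Olivia: Please confirm your phone number."),
    1003: Application(1003, "franchise-B", "carol@example.com", "Olivia: Tell me about your availability."),
}


class NotFound(Exception):
    """Raised for missing *and* unauthorized records, so the response does not reveal which."""


# --- 1. default-credential policy (assumed policy, not a product feature) ------
KNOWN_DEFAULTS = {("123456", "123456"), ("admin", "admin")}  # constructed starter list


def admin_credential_problems(username: str, password: str) -> list[str]:
    """Return the reasons a credential pair is unacceptable; an empty list means it passes."""
    problems = []
    if (username, password) in KNOWN_DEFAULTS:
        problems.append("known default credential")
    if password == username:
        problems.append("password equals username")
    if password.isdigit():
        problems.append("digits only")
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    return problems


# --- 2. IDOR: vulnerable lookup beside the hardened one ------------------------
def get_application_vulnerable(app_id: int, session: dict) -> Application:
    """Any logged-in session can read any application simply by changing app_id."""
    if app_id not in APPLICATIONS:
        raise NotFound(app_id)
    return APPLICATIONS[app_id]          # the session is never consulted


def get_application_hardened(app_id: int, session: dict) -> Application:
    """Object-level authorization: the record is returned only to its owning franchise."""
    app = APPLICATIONS.get(app_id)
    if app is None or app.franchise_id != session.get("franchise_id"):
        raise NotFound(app_id)           # same error either way, so IDs cannot be probed for existence
    return app


# --- 3. detection: sessions that touch many distinct application IDs -----------
LOG_RE = re.compile(r"session=(?P<session>\S+) GET /api/applications/(?P<app_id>\d+)")


def sessions_enumerating_ids(log_lines: list[str], threshold: int = 3) -> dict[str, int]:
    """Count distinct application IDs per session; return those at or above threshold."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            seen[m["session"]].add(m["app_id"])
    return {s: len(ids) for s, ids in seen.items() if len(ids) >= threshold}


SAMPLE_LOG = [  # constructed access-log lines
    "2025-07-14T10:00:01Z session=s-franchiseA GET /api/applications/1001 200",
    "2025-07-14T10:00:02Z session=s-probe GET /api/applications/1001 200",
    "2025-07-14T10:00:03Z session=s-probe GET /api/applications/1002 200",
    "2025-07-14T10:00:04Z session=s-probe GET /api/applications/1003 200",
    "2025-07-14T10:00:05Z session=s-probe GET /api/applications/1004 404",
]


if __name__ == "__main__":
    print(admin_credential_problems("123456", "123456"))
    print(get_application_vulnerable(1002, {"franchise_id": "franchise-A"}).applicant_email)
    try:
        get_application_hardened(1002, {"franchise_id": "franchise-A"})
    except NotFound as exc:
        print("hardened lookup refused application", exc)
    print(sessions_enumerating_ids(SAMPLE_LOG))
```

The hardened lookup keys the authorization decision on a value taken from the server-side session (the franchise that logged in), never on anything the client sends, and it answers “not found” for both missing and foreign records so that the endpoint cannot be used to confirm which IDs exist. The log check is deliberately crude (distinct IDs per session over a whole log); in practice it would be windowed by time and tuned against the legitimate per-franchise volume.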

Following the disclosure, McDonald’s responded within an hour and immediately disabled the admin account that used the default credentials. The company issued a statement blaming external vendor Paradox.ai for the security lapse, calling it “unacceptable.” Paradox responded by patching the IDOR vulnerability the same day and announced a full internal review to prevent similar issues in the future. While the company claimed that some exposed chatbot interactions may not have included personal data, the researchers emphasized that the exposure remains a significant risk in modern digital recruitment systems.

Source: https://www.bleepingcomputer.com/news/security/123456-password-exposed-chats-for-64-million-mcdonalds-job-chatbot-applications/