McDonald’s AI chatbot exposes 64 million job applicants' data
Occurred: June 2025
Page published: October 2025
A security flaw in McDonald’s AI-powered recruitment chatbot exposed the personal information of up to 64 million job applicants,
Researchers discovered in June 2025 that the administration interface of McDonald’s recruitment platform McHire.com, powered by the Olivia chatbot from Paradox.ai, was protected only by default credentials (“123456”) and lacked multi-factor authentication.
The flaw allowed unauthorised access to applicants’ names, phone numbers, home, email and IP addresses, the job applied for, resume details, work history, personality test results, and chat transcripts of their interviews.
While the breach was patched quickly and there are no current indications of malicious exploitation, the potential for widespread data misuse is extremely high.
The incident stemmed from elementary security oversights, including weak default credentials and insufficiently protected APIs.
McDonald's blamed Paradox.ai for the oversight, which was later acknowledged by the supplier.
The tens of millions of job seekers who trusted McDonald’s with sensitive information during the application process are now exposed to identity theft and other risks.
Indirectly, the breach highlights the need for strong cybersecurity measures and for strong governance over third-party platforms.
Olivia
Developer: Paradox.ai
Country: Global
Sector: Travel/hospitality
Purpose: Interact with job applicants
Technology: Generative AI; Machine learning
Issue: Accountability; Privacy; Security; Transparency
AIAAIC Repository ID: AIAAIC2059