https://www.smh.com.au/technology/personal-information-of-mcdonald-s-job-applicants-exposed-online-20250710-p5mdyz.html

McDonald’s AI-powered hiring platform McHire exposed the personal information of over 64 million job applicants due to elementary security flaws discovered by researchers in late June 2025. The vulnerability centered on the platform’s admin panel, which accepted weak default login credentials: “123456” served as both the username and the password. After an initial failed attempt using “admin” for both fields, the researchers successfully accessed the entire system with the notorious “123456” combination.

The breach allowed unauthorized access to sensitive data including names, email addresses, phone numbers, home addresses, and IP addresses of job seekers who applied through the chatbot named Olivia. McHire is used by 90% of McDonald’s locations. The exposure was an Insecure Direct Object Reference (IDOR) vulnerability, in which an application exposes internal object identifiers and returns the referenced records without verifying that the requesting user is authorized to access them. The platform was developed by artificial intelligence software firm Paradox.ai, and the security flaw highlighted critical weaknesses in enterprise-level hiring systems.
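The two weaknesses described above, default admin credentials and an object lookup with no authorization check, are easy to model side by side. The following is an added illustration written for this article, not code from McHire or Paradox.ai; the portal class, the `Applicant` and `Session` types, the denylist of default credential pairs and the sample applicants are all constructed for the example. The vulnerable lookup trusts the identifier in the request; the hardened one checks that the record belongs to the caller (or that the caller is an admin) and reports “missing” and “not yours” with the same error so that valid identifiers cannot be enumerated.

```python
"""Toy hiring-portal model (constructed example, not McHire/Paradox code).

Illustrates the two weaknesses described in the article:
  1. an admin setup flow that accepts default credentials such as 123456/123456;
  2. an applicant-record lookup that trusts the object id in the request (IDOR)
     versus one that checks the caller is allowed to see that record.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed denylist of well-known default pairs; a real deployment would also
# screen new passwords against a breached-password list.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("123456", "123456"), ("admin", "password")}
MIN_PASSWORD_LEN = 12


class WeakCredentialsError(ValueError):
    """Raised when an admin account would be created with default or weak credentials."""


class AuthorizationError(PermissionError):
    """Raised when a session may not read the requested record."""


@dataclass(frozen=True)
class Applicant:
    applicant_id: int
    owner_account: str  # the login that submitted this application
    name: str
    email: str


@dataclass(frozen=True)
class Session:
    account: str
    role: str  # "applicant" or "admin"


def _hash_password(password: str, salt: bytes) -> bytes:
    # scrypt from the standard library; parameters kept modest for a toy.
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)


class HiringPortal:
    def __init__(self) -> None:
        self._applicants: Dict[int, Applicant] = {}
        self._admins: Dict[str, Tuple[bytes, bytes]] = {}  # username -> (salt, hash)

    def create_admin(self, username: str, password: str) -> None:
        """Refuse the credential patterns the article describes before storing anything."""
        if (username, password) in DEFAULT_CREDENTIALS or username == password:
            raise WeakCredentialsError("default or username-equals-password credentials")
        if len(password) < MIN_PASSWORD_LEN:
            raise WeakCredentialsError("password shorter than %d characters" % MIN_PASSWORD_LEN)
        salt = os.urandom(16)
        self._admins[username] = (salt, _hash_password(password, salt))

    def login_admin(self, username: str, password: str) -> Optional[Session]:
        entry = self._admins.get(username)
        if entry is None:
            return None
        salt, stored = entry
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            return None
        return Session(account=username, role="admin")

    def add_applicant(self, record: Applicant) -> None:
        self._applicants[record.applicant_id] = record

    def get_applicant_idor(self, session: Session, applicant_id: int) -> Applicant:
        """VULNERABLE: any authenticated caller can read any id (insecure direct object reference)."""
        return self._applicants[applicant_id]

    def get_applicant(self, session: Session, applicant_id: int) -> Applicant:
        """Hardened: the record must exist AND belong to the caller, unless the caller is an admin."""
        record = self._applicants.get(applicant_id)
        # One error for both "missing" and "not yours" so callers cannot enumerate valid ids.
        if record is None or (session.role != "admin" and record.owner_account != session.account):
            raise AuthorizationError("applicant %d not accessible to %s" % (applicant_id, session.account))
        return record


def build_demo_portal() -> HiringPortal:
    """Constructed sample data so the example runs offline."""
    portal = HiringPortal()
    portal.add_applicant(Applicant(1, "alice@example.com", "Alice Example", "alice@example.com"))
    portal.add_applicant(Applicant(2, "bob@example.com", "Bob Example", "bob@example.com"))
    return portal


if __name__ == "__main__":
    portal = build_demo_portal()
    alice = Session("alice@example.com", "applicant")
    print("IDOR leak:", portal.get_applicant_idor(alice, 2).email)  # Bob's record, no check
    try:
        portal.get_applicant(alice, 2)
    except AuthorizationError as exc:
        print("hardened:", exc)
```

The point of the hardened lookup is that authentication alone is not authorization: knowing a valid identifier, or guessing one by incrementing, must not be enough to read the record it names.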

Paradox.ai stated they resolved the issues “within a few hours” after the researchers’ report and clarified that “at no point was candidate information leaked online or made publicly available,” noting the incident only impacted “one organisation” with no other Paradox clients affected. Despite the scale of the exposure, the researchers viewed the information of only five candidates during their research. The incident serves as a reminder of the importance of implementing proper security measures in AI-powered recruitment platforms, particularly given the sensitive nature of job application data and the scale of potential exposure.