McDonald's AI hiring chatbot left open by '123456' default credentials
Security researchers Ian Carroll and Sam Curry found that McHire, McDonald's AI hiring chatbot built by Paradox.ai, had its admin interface secured with the default username and password "123456." Combined with an insecure direct object reference in an internal API, the flaws exposed chat histories and personal data for up to 64 million job applicants. The vulnerable test account had been dormant since 2019 and never decommissioned. Paradox.ai patched the issues within hours of disclosure on June 30, 2025.
If you have ever applied for a job at McDonald's in the United States, there is a reasonable chance your name, email address, phone number, shift preferences, and personality test answers spent years sitting behind a password of "123456."
McHire is McDonald's AI-powered hiring platform. Job applicants interact with a chatbot named Olivia, built by a company called Paradox.ai. Olivia collects personal information, asks about availability, administers personality assessments, and moves candidates through the hiring pipeline. The system processes applications across McDonald's vast franchise network - tens of thousands of locations, millions of applicants.
On June 30, 2025, security researchers Ian Carroll and Sam Curry disclosed two vulnerabilities that, combined, exposed the personal data of up to 64 million people who had applied for jobs through the platform.
The findings
Carroll and Curry described their investigation as "a cursory security review of a few hours." They were not conducting a months-long penetration test. They were poking around after Reddit users had been complaining about Olivia giving "nonsensical answers," and they decided to look at the system's security while they were at it.
The first issue was the admin credentials. The McHire administration interface - used by restaurant owners and managers to view applicant data and manage hiring workflows - accepted the username "123456" and the password "123456." These were default credentials on a test account that Paradox.ai had set up and then never removed. The account had not been logged into since 2019, according to Paradox.ai's own post-disclosure statement, and "frankly, should have been decommissioned."
Logging in with those credentials gave the researchers access to an administrative view of the McHire platform. But the second vulnerability was what turned a bad password into a mass data exposure.
The IDOR
An insecure direct object reference (IDOR) existed in an internal API endpoint. For anyone unfamiliar with the term: an IDOR is when an application lets a user access data by changing a predictable identifier in a request - changing an applicant ID from "12345" to "12346" to view someone else's record - without checking whether the user is authorized to view that record.
In McHire's case, the IDOR allowed the researchers to access any applicant's chat history with Olivia, along with the personal information collected during the application process. By manipulating the applicant ID parameter in API requests, they could pull records for applicants across the entire McDonald's system - not just the accounts associated with the test login.
Carroll summed it up on his blog: "We quickly realized this API allows us to access every chat interaction that has ever applied for a job at McDonald's."
The exposed data included names, email addresses, phone numbers, shift availability, and responses to personality assessment questions. The total number of potentially accessible records was approximately 64 million.
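The ID iteration described above leaves a distinctive trace in access logs: one session pulling many distinct applicant records in a short window, with the IDs stepping up by one each time. The following added example (not McHire's or Paradox.ai's code) flags that pattern over constructed log lines; the log format, session names and thresholds are assumptions made for the demo.

```python
"""Added example: detecting the applicant-ID iteration described above in
access logs. The log format, session names and thresholds are constructed
for this demo; McHire's real logging is not public."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Hypothetical access-log format: ISO timestamp, session id, path, HTTP status.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) GET /api/applicants/(?P<aid>\d+) (?P<status>\d{3})$"
)


def parse_line(line: str) -> Optional[Tuple[datetime, str, int, int]]:
    """Return (timestamp, session, applicant_id, status) or None for non-matching lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["session"], int(m["aid"]), int(m["status"])


def flag_enumeration(lines: List[str], window: timedelta = timedelta(minutes=5),
                     max_distinct: int = 20, seq_ratio: float = 0.8) -> Dict[str, dict]:
    """Flag sessions that fetch many distinct applicant IDs within `window`,
    or whose successive IDs are mostly consecutive (the +1 scan pattern).
    A manager reviewing a handful of local applicants trips neither rule."""
    per_session: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            ts, sess, aid, _status = parsed
            per_session[sess].append((ts, aid))

    flagged: Dict[str, dict] = {}
    for sess, events in per_session.items():
        events.sort()
        ids = [aid for _, aid in events]
        # Rule 1: peak number of distinct IDs inside any sliding time window.
        peak, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({aid for _, aid in events[start:end + 1]}))
        # Rule 2: share of requests whose ID is exactly the previous ID + 1.
        steps = [b - a for a, b in zip(ids, ids[1:])]
        consecutive = sum(1 for s in steps if s == 1) / len(steps) if steps else 0.0
        if peak > max_distinct or (len(ids) >= 10 and consecutive >= seq_ratio):
            flagged[sess] = {"distinct_in_window": peak, "consecutive_ratio": round(consecutive, 2)}
    return flagged


def make_sample_logs() -> List[str]:
    """Constructed logs: one session walking IDs 5000..5029 a second apart,
    and one manager session looking at four unrelated local applicants."""
    base = datetime(2025, 6, 30, 17, 0, 0)
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} session=scan-7f3a GET /api/applicants/{5000 + i} 200")
    for i, aid in enumerate([1001, 1003, 1007, 1004]):
        ts = (base + timedelta(minutes=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} session=mgr-b GET /api/applicants/{aid} 200")
    lines.append("junk line that should be ignored")
    return lines


if __name__ == "__main__":
    for sess, info in flag_enumeration(make_sample_logs()).items():
        print(f"{sess}: {info}")
```

The two rules are deliberately independent: the distinct-ID count catches a scanner that randomizes IDs, and the consecutive ratio catches a slow sequential walk that stays under the per-window volume threshold. Thresholds would need tuning against a real deployment's baseline, since a location that hires in batches may legitimately open many records in one sitting.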
The disclosure and response
Carroll and Curry disclosed both issues to Paradox.ai and McDonald's simultaneously at 5:46 PM ET on June 30, 2025. Paradox.ai responded quickly, resolving the vulnerabilities within hours of the report according to their own account.
Paradox.ai's public response stated that the compromised test account "had not been logged into since 2019" and "was not accessed by any third party" other than the security researchers. The company confirmed that "at no point was candidate information leaked online or made publicly available." They also implemented new security measures including updated password requirements and API endpoint patches, and launched a bug bounty program to catch future issues.
McDonald's was blunter. The company released a statement saying it was "disappointed by this unacceptable vulnerability from a third-party provider, Paradox.ai."
Two routine bugs, one large number
Neither vulnerability was sophisticated. Default credentials and IDORs are among the most basic security flaws that exist. They appear in every introductory web security course. They are on every penetration testing checklist. OWASP lists broken access control as the number one web application security risk. The "password is 123456" problem is literally a running joke in the security community.
That these two specific bugs existed in a system handling 64 million records is not evidence of a complex attack or an exotic vulnerability. It strongly suggests that nobody ran a basic security review of the McHire admin interface and its API at any point between 2019 (when the test account was last used) and 2025 (when Carroll and Curry found it). Six years of a default admin account sitting there, active and accessible, on a system that processes the personal data of millions of people.
The IDOR compounds the failure. Even if the test account had a strong password, any restaurant manager with legitimate admin access could have used the same API vulnerability to view applicant records from other locations. The authentication failure and the authorization failure were independent problems. Fixing one would not have fixed the other.
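The independence of the two failures is easiest to see in code. The following added example (constructed for this article, not Paradox.ai's or McHire's code; the function names, record fields and sample accounts are assumptions) models a login step and a record-lookup endpoint, each in a vulnerable and a hardened form. Hardening the login alone still leaves a legitimate manager able to read other locations' applicants, because the lookup never checks ownership.

```python
"""Added example illustrating the two independent failures described above:
a default-credential login and an IDOR in a record-lookup endpoint.
This is constructed demo code, not Paradox.ai's or McHire's code; the
function names, record fields and sample accounts are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Applicant:
    applicant_id: int
    restaurant_id: str      # the location this application belongs to
    name: str
    chat_history: str


@dataclass(frozen=True)
class Session:
    username: str
    restaurant_id: str      # the only location this admin may view


# Constructed sample records from two different locations.
APPLICANTS: Dict[int, Applicant] = {
    1001: Applicant(1001, "store-A", "Alice Example", "Olivia: availability? Alice: weekends"),
    1002: Applicant(1002, "store-B", "Bob Example", "Olivia: availability? Bob: evenings"),
}

# Constructed credential store. The first entry mirrors the dormant test
# account from the article; the second is a hypothetical franchise manager.
USERS = {
    "123456":    {"password": "123456", "restaurant_id": "store-A", "last_login_year": 2019},
    "manager-b": {"password": "correct horse battery staple", "restaurant_id": "store-B",
                  "last_login_year": 2025},
}
WEAK_PASSWORDS = {"123456", "password", "admin"}
CURRENT_YEAR = 2025
MAX_DORMANT_YEARS = 1


def login_vulnerable(username: str, password: str) -> Optional[Session]:
    """Failure 1: any matching username/password pair gets a session,
    including the never-decommissioned test account."""
    user = USERS.get(username)
    if user is None or user["password"] != password:
        return None
    return Session(username, user["restaurant_id"])


def login_hardened(username: str, password: str) -> Optional[Session]:
    """Reject weak passwords and accounts dormant longer than MAX_DORMANT_YEARS.
    This fixes only the authentication failure; the IDOR below is untouched."""
    user = USERS.get(username)
    if user is None or user["password"] != password:
        return None
    if password in WEAK_PASSWORDS:
        return None
    if CURRENT_YEAR - user["last_login_year"] > MAX_DORMANT_YEARS:
        return None
    return Session(username, user["restaurant_id"])


def get_applicant_vulnerable(session: Session, applicant_id: int) -> Optional[Applicant]:
    """Failure 2 (IDOR): caller is authenticated, but the record is returned for
    any ID, so a store-B manager reads store-A applicants by changing the number."""
    return APPLICANTS.get(applicant_id)


def get_applicant_hardened(session: Session, applicant_id: int) -> Optional[Applicant]:
    """Authorization check: the record must belong to the caller's location.
    Returning None for both 'missing' and 'forbidden' avoids confirming that
    other IDs exist, which would otherwise aid enumeration."""
    record = APPLICANTS.get(applicant_id)
    if record is None or record.restaurant_id != session.restaurant_id:
        return None
    return record


def demo() -> Dict[str, bool]:
    """Return outcomes showing that each fix leaves the other failure in place."""
    test_acct = login_vulnerable("123456", "123456")
    manager = login_hardened("manager-b", "correct horse battery staple")
    return {
        "default_creds_accepted_vulnerable": test_acct is not None,
        "default_creds_accepted_hardened": login_hardened("123456", "123456") is not None,
        # Even with a legitimate strong-password session, the IDOR leaks other locations:
        "cross_location_read_vulnerable": get_applicant_vulnerable(manager, 1001) is not None,
        "cross_location_read_hardened": get_applicant_hardened(manager, 1001) is not None,
        "own_location_read_hardened": get_applicant_hardened(manager, 1002) is not None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ownership check in `get_applicant_hardened` is the whole fix for the IDOR: the lookup key stays a plain integer, which is fine as long as every read is scoped to what the session is entitled to see. Swapping sequential IDs for random ones would slow enumeration but is not a substitute for that check.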
The vendor relationship question
McDonald's statement blaming Paradox.ai reflects a pattern in corporate security incidents where a third-party vendor operates the system and the client company positions itself as the victim. The framing is not wrong - Paradox.ai built and operated the vulnerable system. But McDonald's chose to deploy an AI hiring platform that processes personal data for millions of applicants across its franchise network. The vendor's security posture is, directly, McDonald's risk.
Paradox.ai serves a long list of major employers. McHire is one of the largest deployments, but the same platform and codebase presumably powers hiring chatbots for other clients. Whether those deployments shared the same vulnerable test account or IDOR-susceptible API endpoints was not addressed in any public statement.
The incident also highlighted the volume of data that AI hiring chatbots accumulate. Olivia does not just screen applicants and move on. Each conversation - including personal details, availability, assessment responses, and hiring status - is stored. Over years of operation across a franchise as large as McDonald's, that storage adds up to tens of millions of records. The data has no expiration. Records from years ago were accessible through the same API.
What the researchers found in a few hours
Carroll and Curry described their review as taking "a few hours." They were not state-sponsored threat actors with custom tooling. They were two security researchers who decided to poke at an AI chatbot during what appears to have been an afternoon of casual testing. That they found two critical vulnerabilities in that time frame says something about the state of the system's defenses.
Aditi Gupta, a senior manager at Black Duck, commented that "even sophisticated AI systems can be compromised by elementary security oversights." The observation is accurate, though McHire's vulnerabilities were not really about the AI system being compromised. The chatbot itself was not exploited. Olivia's conversational AI was not bypassed or manipulated through prompt injection. The failures were in the infrastructure around the chatbot: the admin interface and the API that stored and served the data Olivia collected.
This is a distinction worth making. The AI chatbot was working exactly as designed. It was collecting personal data, processing applications, and storing everything in a database. The problem was that the database was accessible to anyone who typed "123456" into a login form and then iterated through applicant IDs in an API request. The AI was not the vulnerability. The AI was the data collection mechanism, and the vulnerability was in how carelessly that collected data was stored and protected.
Paradox.ai fixed the issues quickly and launched a bug bounty. McDonald's expressed disappointment. No evidence of third-party exploitation was found. The 64 million records appear to have been exposed only to Carroll and Curry, who disclosed responsibly. But for six years, anyone who tried the world's most common default credential on McHire's admin panel would have had the same access.