Personal data of McDonald's job applicants hacked thanks to incredibly easy-to-guess password

Cybersecurity is a serious issue for modern businesses. Hackers get more sophisticated in their approaches all the time, and AI has unfortunately given them more options for bypassing security measures and getting hold of precious data.

Sometimes the targets are passwords and credit card information, sometimes it’ll be unreleased video game code, sometimes it will be sensitive government information.

Ethical hackers exposed the security flaw in the Paradox.ai-built platform (Halfpoint Images/Getty Images)

No matter what’s being protected, companies must invest in and maintain robust, evolving security protocols that can give as much protection as possible. As has recently been seen with M&S’s security breach, attempts made to impersonate Marco Rubio, and the 2023 Cloudflare outage, financial backing and tech savviness aren’t always enough to keep the bad actors out.

Sometimes, security breaches can happen without hackers having to try very hard.

It seems that McDonald’s has fallen prey to one such mishap. The fast good giant’s AI-infused ‘McHire’ website mistakenly exposed tens of millions of jobseekers’ data thanks to security flaws in the system built by Paradox.ai.

Per Wired, the ‘Olivia’ chatbot that interacts with McHire.com users was vulnerable enough to hackers that accessing its records was ‘as straightforward as guessing the username and password '123456’’.

The vulnerability has affected as many as 64 million jobseekers’ records, with exposed data including names, email addresses and phone numbers.

Independent security researchers Ian Carroll and Sam Curry raised the alarm to the public, with Carroll telling Wired that they had been particularly interested in examining McHire over its ‘uniquely dystopian’ hiring methodology.

"So I started applying for a job, and then after 30 minutes, we had full access to virtually every application that's ever been made to McDonald's going back years," he explained.

Wired approached the Paradox.ai legal officer, Stephanie King, who said: "We do not take this matter lightly, even though it was resolved swiftly and effectively.”

King added: "We own this."

McDonald’s itself issued a statement too, which said: "We're disappointed by this unacceptable vulnerability from a third-party provider, Paradox.ai.

“As soon as we learned of the issue, we mandated Paradox.ai to remediate the issue immediately, and it was resolved on the same day it was reported to us."

McDonald's and Paradox.ai worked quickly to resolve the security issues (Ceri Breeze/Getty Images)

While it’s Paradox.ai dodging that bus’s wheels, this breach’s attachment to McDonald’s could live long in the memory.

With customers being more concerned about data protection than ever before, it’s no secret that this kind of issue can have big implications for brand reputation.

FOODBible has approached McDonald’s for comment.