A security vulnerability has been discovered in McDonald's AI-powered hiring chatbot, potentially exposing the personal data of millions of job applicants. Researchers found that the McHire platform, used by over 90% of McDonald's franchises, had a glaring security flaw: a default password of '123456' granted access to the backend system. This oversight allowed access to an estimated 64 million records, including names, email addresses, phone numbers, and other sensitive information.
The researchers, Ian Carroll and Sam Curry, initially investigated the chatbot, named Olivia, after Reddit users criticised its functionality. They found that by using the easily guessed password, they could access a test restaurant within the McHire system and view applicant data. The exposed data could be exploited for phishing scams, with malicious actors impersonating recruiters.
Paradox.ai, the company behind the chatbot, has acknowledged the breach and stated that the vulnerability was quickly resolved. McDonald's has expressed disappointment and is holding Paradox.ai accountable for meeting data protection standards. The incident highlights the critical need for robust security measures when AI is used to handle sensitive personal data.