Latest news with #McHire


Economic Times
12-07-2025
- Business
- Economic Times
McDonald's in hot water after AI tool with laughably weak password ‘123456' gets hacked, data of 64M job seekers exposed
McDonald's is facing major scrutiny after a shocking security lapse exposed sensitive data from as many as 64 million job seekers, all because of a default admin password that was as weak as it gets: '123456,' as per a report.

McDonald's Faces Scrutiny After AI Hiring Tool Breach Exposes Data of 64 Million Applicants

The breach was discovered in late June by security researchers Ian Carroll and Sam Curry during a review of McHire, McDonald's AI-driven hiring platform, as per the CSO Online report. The tool, which uses an automated chatbot named Olivia to screen and engage applicants, had a hidden flaw that made it easy for anyone to access applicants' chat histories with the bot, according to the report.

According to Carroll, the team noticed a login option labeled 'Paradox team members' on McHire's admin interface, which led them to try the default username and password combination '123456,' and they were immediately logged in, not only to a test environment but also to real administrative dashboards containing live data, as reported by CSO Online.

Carroll said, 'Although the app tries to force single sign-on (SSO) for McDonald's, there is a smaller link for 'Paradox team members' that caught our eye,' as quoted in the report. Carroll revealed that, 'Without much thought, we entered '123456' as the password and were surprised to see we were immediately logged in!,' as quoted in the report.

Once they got inside, they found something even more troubling: an internal API endpoint allowed them to fetch applicant data by using a predictable parameter, according to the report. This insecure direct object reference, or IDOR, meant they could view applicants' personal data: chat transcripts with Olivia, names, email addresses, phone numbers, job application details, and even tokens that could let someone impersonate a candidate, as reported by CSO Online.

The issue was discovered after Reddit users began complaining that Olivia was giving strange or nonsensical responses, which led the researchers to take a closer look, according to the report. However, the issue with Olivia was immediately resolved by McDonald's and Paradox (Olivia's creator) upon disclosure, reported CSO Online.

What Are Experts Saying About the Incident?

A senior manager for professional services consulting at Black Duck, Aditi Gupta, pointed out that, 'The McDonald's breach confirms that even sophisticated AI systems can be compromised by elementary security oversights,' and added, 'The rush to deploy new technology must not compromise basic security principles. Organizations must prioritize fundamental security measures to ensure uncompromised trust in their software, especially for the increasingly regulated, AI-powered world,' as quoted in the report. Desired Effect's CEO Evan Dornbush highlighted that, 'This incident is a prime example of what happens when organizations deploy technology without an understanding of how it works or how it can be operated by untrusted users,' adding that, 'With AI systems handling millions of sensitive data points, organizations must invest in understanding and mitigating pre-emergent threats, or they'll find themselves playing catch-up, with their customers' trust on the line,' as quoted by the CSO Online report.

Rapid Response by McDonald's and Paradox

After the disclosure on June 30, McDonald's acknowledged the vulnerability quickly, and by July 1, default credentials were disabled and the endpoint was secured, according to the report. Paradox also said that it will conduct further security audits, reported CSO Online.

Later, a Paradox staff member wrote on its website, 'We are confident that, based on our records, this test account was not accessed by any third party other than the security researchers,' and emphasised that 'at no point was candidate information leaked online or made publicly available. Five candidates in total had information viewed because of this incident, and it was only viewed by the security researchers. This incident impacted one organization — no other Paradox clients were impacted,' as quoted by the CSO Online report.

Could the Exposed Data Be Used for Attacks?

The chief information security officer at Cequence Security, Randolph Barr, warned that, 'Even though there's no indication the data has been used maliciously yet, the scale and sensitivity of the exposure could fuel targeted phishing, smishing/vishing, and even social engineering campaigns,' and added that, 'Combined with AI tooling, attackers could craft incredibly personalized and convincing threats,' as quoted by CSO Online.

FAQs

What kind of data was exposed?
Applicant chat logs, contact details, job application responses, shift preferences, personality test results, and impersonation tokens were accessible.

How did the researchers access the system?
They used a publicly visible login labeled 'Paradox team members' and guessed the default password '123456,' which gave them immediate access.


Time of India
12-07-2025
- Business
- Time of India
McDonald's in hot water after AI tool with laughably weak password ‘123456' gets hacked, data of 64M job seekers exposed
McDonald's is facing major scrutiny after a shocking security lapse exposed sensitive data from as many as 64 million job seekers, all because of a default admin password that was as weak as it gets: '123456,' as per a report.

McDonald's Faces Scrutiny After AI Hiring Tool Breach Exposes Data of 64 Million Applicants

The breach was discovered in late June by security researchers Ian Carroll and Sam Curry during a review of McHire, McDonald's AI-driven hiring platform, as per the CSO Online report. The tool, which uses an automated chatbot named Olivia to screen and engage applicants, had a hidden flaw that made it easy for anyone to access applicants' chat histories with the bot, according to the report.

According to Carroll, the team noticed a login option labeled 'Paradox team members' on McHire's admin interface, which led them to try the default username and password combination '123456,' and they were immediately logged in, not only to a test environment but also to real administrative dashboards containing live data, as reported by CSO Online.

Carroll said, 'Although the app tries to force single sign-on (SSO) for McDonald's, there is a smaller link for 'Paradox team members' that caught our eye,' as quoted in the report. Carroll revealed that, 'Without much thought, we entered '123456' as the password and were surprised to see we were immediately logged in!,' as quoted in the report.

Once they got inside, they found something even more troubling: an internal API endpoint allowed them to fetch applicant data by using a predictable parameter, according to the report. This insecure direct object reference, or IDOR, meant they could view applicants' personal data: chat transcripts with Olivia, names, email addresses, phone numbers, job application details, and even tokens that could let someone impersonate a candidate, as reported by CSO Online.

The issue was discovered after Reddit users began complaining that Olivia was giving strange or nonsensical responses, which led the researchers to take a closer look, according to the report. However, the issue with Olivia was immediately resolved by McDonald's and Paradox (Olivia's creator) upon disclosure, reported CSO Online.

What Are Experts Saying About the Incident?

A senior manager for professional services consulting at Black Duck, Aditi Gupta, pointed out that, 'The McDonald's breach confirms that even sophisticated AI systems can be compromised by elementary security oversights,' and added, 'The rush to deploy new technology must not compromise basic security principles. Organizations must prioritize fundamental security measures to ensure uncompromised trust in their software, especially for the increasingly regulated, AI-powered world,' as quoted in the report. Desired Effect's CEO Evan Dornbush highlighted that, 'This incident is a prime example of what happens when organizations deploy technology without an understanding of how it works or how it can be operated by untrusted users,' adding that, 'With AI systems handling millions of sensitive data points, organizations must invest in understanding and mitigating pre-emergent threats, or they'll find themselves playing catch-up, with their customers' trust on the line,' as quoted by the CSO Online report.

Rapid Response by McDonald's and Paradox

After the disclosure on June 30, McDonald's acknowledged the vulnerability quickly, and by July 1, default credentials were disabled and the endpoint was secured, according to the report. Paradox also said that it will conduct further security audits, reported CSO Online.

Later, a Paradox staff member wrote on its website, 'We are confident that, based on our records, this test account was not accessed by any third party other than the security researchers,' and emphasised that 'at no point was candidate information leaked online or made publicly available. Five candidates in total had information viewed because of this incident, and it was only viewed by the security researchers. This incident impacted one organization — no other Paradox clients were impacted,' as quoted by the CSO Online report.

Could the Exposed Data Be Used for Attacks?

The chief information security officer at Cequence Security, Randolph Barr, warned that, 'Even though there's no indication the data has been used maliciously yet, the scale and sensitivity of the exposure could fuel targeted phishing, smishing/vishing, and even social engineering campaigns,' and added that, 'Combined with AI tooling, attackers could craft incredibly personalized and convincing threats,' as quoted by CSO Online.

FAQs

What kind of data was exposed?
Applicant chat logs, contact details, job application responses, shift preferences, personality test results, and impersonation tokens were accessible.

How did the researchers access the system?
They used a publicly visible login labeled 'Paradox team members' and guessed the default password '123456,' which gave them immediate access.
Yahoo
11-07-2025
- Business
- Yahoo
AI chatbot's simple ‘123456' password risked exposing personal data of millions of McDonald's job applicants
Security researchers found that they could access the personal information of 64 million people who had applied for a job at McDonald's, in large part by logging into the company's AI job hiring chatbot with the username and password '123456.'

Ian Carroll and Sam Curry wrote in a blog post that 'during a cursory security review of a few hours,' they found the password issue and another simple security vulnerability in an internal API, which allowed access to job applicants' past conversations with the chatbot, called McHire, supplied to McDonald's by Paradox. The personal data seen by the researchers included applicants' names, email addresses, home addresses, and phone numbers.

Paradox wrote in a blog post that it resolved the issues 'within a few hours' after the researchers' report, and that 'at no point was candidate information leaked online or made publicly available.'

The researchers' findings were first reported by Wired.


TechCrunch
11-07-2025
- TechCrunch
AI chatbot's simple ‘123456' password risked exposing personal data of millions of McDonald's job applicants
Security researchers found that they could access the personal information of 64 million people who had applied for a job at McDonald's, in large part by logging into the company's AI job hiring chatbot with the username and password '123456.'

Ian Carroll and Sam Curry wrote in a blog post that 'during a cursory security review of a few hours,' they found the password issue and another simple security vulnerability in an internal API, which allowed access to job applicants' past conversations with the chatbot, called McHire, supplied to McDonald's by Paradox. The personal data seen by the researchers included applicants' names, email addresses, home addresses, and phone numbers.

Paradox wrote in a blog post that it resolved the issues 'within a few hours' after the researchers' report, and that 'at no point was candidate information leaked online or made publicly available.'

The researchers' findings were first reported by Wired.


Gizmodo
11-07-2025
- Gizmodo
Bug Hunters Gain Access to 64 Million McDonald's Job Applicants' Info by Using the Password ‘123456'
A recruitment platform used by McDonald's is alleged to have had such poor cybersecurity that researchers were able to log into it using a non-password and thus gain access to information on tens of millions of job applicants, including contact details and chat logs between the user and the restaurant's AI bot.

The platform in question, called McHire, operates a chatbot, dubbed Olivia. Job applicants chat with Olivia, who, in an effort to decide whether they're worthy of flipping hamburgers or not, assesses them via a personality test. The bot was created by a company called Paradox.

Security researchers Sam Curry and Ian Carroll found that, using the username/password combination 123456/123456, they were able to log into the application, where they were given access to a treasure trove of information on job applicants. Indeed, Curry and Carroll were able to 'retrieve the personal data of more than 64 million applicants,' the researchers write. Their write-up is as hilarious as it is disturbing. The duo notes: 'Without much thought, we entered '123456' as the username and '123456' as the password and were surprised to see we were immediately logged in! It turned out we had become the administrator of a test restaurant inside the McHire system.'

The information included names, email addresses, phone numbers, addresses, the state where the job candidate lived, and the auth token they used to gain access to the website. Additionally, Curry and Carroll could see 'every chat interaction [from every person] that has ever applied for a job at McDonald's.'

It's all pretty shameful stuff, although not particularly surprising. Cybersecurity has never been prioritized in the corporate world, which is why everything is getting hacked all the time. Many software programs are designed without any apparent concern for security at all. Still, the level of incompetence here is pretty damn bad and should be considered embarrassing for everyone involved.

Curry and Carroll write that they disclosed the security problems to Paradox and McDonald's on June 30th. On the same day, the restaurant chain confirmed that the credentials in question were 'no longer usable to access the app.' On July 1st, Paradox communicated to the researchers that the issues had 'been resolved.' In a blog post, Paradox clarified what had happened: 'On June 30, two security researchers reached out to the Paradox team about a vulnerability on our system. We promptly investigated the issue and resolved it within a few hours of being notified.' The company went on to say:

Using a legacy password, the researchers logged into a Paradox test account related to a single Paradox client instance. We've updated our password security standards since the account was created, but this test account's password was never updated. Once logged into the test account, the researchers identified an API endpoint vulnerability that allowed them to access information related to chat interactions in the affected client instance. Unfortunately, none of our penetration tests previously identified the issue.

Gizmodo reached out to both companies for more information.
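The flaw the articles above describe, an authenticated test-restaurant admin fetching any applicant's record by a predictable id, as an added illustration that is not Paradox's or McHire's code: the vulnerable lookup beside a hardened one that enforces object-level ownership, plus the cross-tenant regression check of the kind Paradox says its penetration tests never ran. All records, sessions and ids are constructed sample data.

```python
"""Added example: IDOR on an applicant-chat endpoint and its fix (constructed data)."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    restaurant_id: str  # the tenant this login administers


@dataclass(frozen=True)
class Applicant:
    applicant_id: str
    restaurant_id: str
    name: str
    transcript: tuple  # chat turns with the screening bot


class Forbidden(Exception):
    pass


# Constructed sample store: two restaurants, sequential ids as in the vulnerable design.
APPLICANTS = {
    "1001": Applicant("1001", "rest-A", "Alice Example", ("hi", "shift prefs: nights")),
    "1002": Applicant("1002", "rest-B", "Bob Example", ("hello", "personality test: done")),
}


def get_chat_vulnerable(session: Session, applicant_id: str) -> Applicant:
    """Vulnerable pattern: being logged in is treated as permission to read any record."""
    return APPLICANTS[applicant_id]  # the session is never consulted


def get_chat_hardened(session: Session, applicant_id: str) -> Applicant:
    """Hardened pattern: authenticate, then authorize the specific object."""
    rec = APPLICANTS.get(applicant_id)
    # One error for both 'missing' and 'not yours', so ids cannot be enumerated by probing.
    if rec is None or rec.restaurant_id != session.restaurant_id:
        raise Forbidden("applicant not found or not accessible to this tenant")
    return rec


def new_applicant_id() -> str:
    """Opaque id instead of a counter; defence in depth, the ownership check stays the control."""
    return secrets.token_urlsafe(16)


def cross_tenant_test() -> bool:
    """Regression check for CI or a pentest: a rest-A admin must not read a rest-B applicant."""
    try:
        get_chat_hardened(Session("test-admin", "rest-A"), "1002")
    except Forbidden:
        return True
    return False
```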