
Latest news with #SamCurry

McDonald's AI Breach Reveals The Dark Side Of Automated Recruitment

Forbes

5 hours ago

  • Business
  • Forbes


Millions of McDonald's job applicants had their personal data exposed after basic security failures left the company's AI hiring system wide open.

If you've ever wondered what could go wrong with an AI-powered hiring system, McDonald's just served up a cautionary tale. This week, security researchers revealed that the company's McHire website—a recruitment platform used by over 90% of McDonald's franchisees—left the personal information of millions of job applicants exposed to anyone with a browser and a little curiosity. The culprit: Olivia, an AI chatbot from designed to handle job applications, collect personal information, and even conduct personality tests. On paper, it's a vision of modern efficiency. In reality, the system was wide open due to security flaws so basic they'd be comical if the consequences weren't so serious.

What Went Wrong?

It didn't take a sophisticated hacker to find the holes. Researchers Ian Carroll and Sam Curry started investigating after Reddit users complained that Olivia gave nonsensical responses during the application process. After failing to find more complex vulnerabilities, the pair simply tried logging into the site's backend using '123456' for both the username and password. In less than half an hour, they had access to nearly every applicant's personal data—names, email addresses, phone numbers, and complete chat histories—with no multifactor authentication required. Worse still, the researchers discovered that anyone could access records just by tweaking the ID numbers in the URL, exposing over 64 million unique applicant profiles. One compromised account had not even been used since 2019, yet remained active and linked to live data. As Carroll told Wired, 'I just thought it was pretty uniquely dystopian compared to a normal hiring process, right? And that's what made me want to look into it more.'

Why Security Fundamentals Still Matter

Experts agree that the real shock isn't the technology itself—it's the lack of security basics that made the breach possible. As Aditi Gupta of Black Duck noted, the McDonald's incident was less a case of advanced hacking and more a 'series of critical failures,' ranging from unchanged default credentials and inactive accounts left open for years, to missing access controls and weak monitoring. The result: an old admin account that hadn't been touched since 2019 was all it took to unlock a massive trove of personal data.

For many in the industry, this raises bigger questions. Randolph Barr, CISO at Cequence Security, points out that the use of weak, guessable credentials like '123456' in a live production system is not just a technical slip—it signals deeper problems with security culture and governance. When basic measures like credential management, access controls, and even multi-factor authentication are missing, the entire security posture comes into question. If a security professional can spot these flaws in minutes, Barr says, 'bad actors absolutely will—and they'll be encouraged to dig deeper for other easy wins.'

And this isn't just about AI or McDonald's. Security missteps of this kind tend to follow each new 'game-changing' technology. As PointGuard AI's William Leichter observes, organizations often rush to deploy the latest tools, driven by hype and immediate gains, while seasoned security professionals get sidelined. It happened with cloud, and now, he says, 'it's AI's turn: tools are being rolled out hastily, with immature controls and sloppy practices.'

Automation and the Illusion of Security

McDonald's isn't alone in betting big on AI to speed up hiring and make life easier for franchisees and HR teams. Automated chatbots like Olivia are supposed to streamline applications, assess candidates, and remove human bottlenecks. But as this incident shows, convenience can't come at the expense of basic digital hygiene. Simple safeguards—unique credentials, robust authentication, and proper access controls—were missing entirely. The rush to digitize and automate HR brings with it a false sense of security. When sensitive data is managed by machines, it's easy to assume the system is secure. But technology is only as strong as the practices behind it.

Lessons for the Future

If there's a lesson here, it's that technology should never substitute for common sense. Automated hiring systems, especially those powered by AI, are only as secure as their most basic controls. The ease with which researchers accessed the McHire backend shows that old problems—default passwords, missing MFA—are still some of the biggest threats, even in the age of chatbots. Companies embracing automation need to build security into the foundations, not as an afterthought. And applicants should remember that behind every 'friendly' AI bot is a company making choices about how to protect—or neglect—their privacy.

The Price of Convenience

The McDonald's McHire data leak is a warning to every company automating hiring, and to every job seeker trusting a bot with their future. Technology can streamline the process, but it should never circumvent or subvert security. The real world isn't as neat as a chatbot's conversation tree. If we aren't careful, the push for convenience will keep putting real people at risk.

McDonald's ‘123456' Password Scare Reframes Responsible AI Debate

Forbes

a day ago

  • Business
  • Forbes


A security flaw on the McHire platform jeopardized 64 million applicants' data.

Set aside aspirational AI rhetoric, alarmist consultant pitches and techno-babble. AI success requires candor about incentives, incompetence and indifference. McDonald's learned that harsh lesson (in a relatively costless way) when two security researchers used '123456' as the username and password and, astonishingly, gained full access to the Golden Arches hiring platform — and over 64 million applicants' personal data. The noble cyber sleuths, Ian Carroll and Sam Curry, reported the flaw to McDonald's and its AI vendor, Paradox, for swift technical resolution. If nefarious actors had found the vulnerability, McDonald's leadership would be mired in a costly, public crisis. So, will the fast-food goliath learn from this 'near-miss' to improve tech governance? Will others tap this averted disaster for overdue responsible AI introspection and action? It depends. Widespread and hushed AI deployment problems need thornier fixes than many boards and senior executives will acknowledge, admit or address.

Super-sized opportunities

Workplace crises can be proactively prevented (or eventually explained) by tackling incentives, incompetence and indifference with stewardship, capability and care. The Golden Arches 'near miss' exemplifies that, and the timing couldn't be better. While 88% of executives surveyed by PwC expect agentic AI spending increases this year, many struggle to articulate how AI will drive competitive advantage. Nearly 70% indicated that still half or fewer of their workforce interacts with agents daily. Indiscriminately 'throwing money' at issues can create more problems than it solves. Here's a better start.

Dissect incentives. Talent, culture and bureaucratic entrenchment stymie big firms desperate to innovate. Nimble, bootstrapped startups tantalizingly fill those voids, but crave revenue and reputation. Stalled AI implementations only fuel that magnetism. Typically, the larger organization makes headlines when deals falter. How many leadership teams meaningfully assess third-party risk from an incentives perspective? Or do expedited results more strongly appeal to their own compensation and prestige hunger? Is anyone seriously assessing which party has more (or less) to lose? Nearly 95% of McDonald's 43,000 restaurants are franchised. With over 2 million workers and aggressive growth aims, automating job applications is a logical AI efficiency move. Its selected vendor, whose tagline boasts 'meet the AI assistant for all things hiring,' seemed like a natural partner. At what hidden costs? Successful strategic alliances require an 'outside-in' look at a counterparty's interests. Three of the seven-member Paradox board are private equity partners, including chair Mike Gregoire. In Startups Declassified, acclaimed business school professor and tech thought leader Steve Andriole emphasizes flagship revenue's valuation criticality: 'There's no more important start-up activity than sales — especially important are the 'lighthouse' customers willing to testify to the power and greatness of products and services. Logo power is [vital] to start-ups.' 'Remember that no one wants to buy start-ups unless the company has killer intellectual property or lists of recurring customers. Profitable recurring revenue is nirvana. Exits occur when a start-up becomes empirically successful,' he continued.

Assess skill and will. Despite its global presence, digital strategy imperatives and daily transaction volume, the 2025 McDonald's proxy reveals three common AI-era oversight shortfalls: inadequate boardroom cyber expertise, no technology committee and cybersecurity relegated to audit oversight. Those are serious signaling problems. In fact, the word 'cybersecurity' only appears nine times across the 100-page filing. In the director qualifications section, information technology is grouped with cybersecurity and vaguely defined as 'contributes to an understanding of information technology capabilities, cloud computing, scalable data analytics and risks associated with cybersecurity matters.' Just four of the eleven directors are tagged as such. While three of those four worked in the tech sector, none has any credible IT or cybersecurity expertise. Intriguingly, it is not one of the four but board member and former Deloitte CEO Cathy Engelbert who has the best experience to push stronger governance. Is she, now the prominent WNBA league commissioner, willing to take such a contentious risk? To start, she can tap longtime McDonald's CFO Ian Borden and auditors EY for guidance and ideas on bolstering board composition.

Nearly 95% of McDonald's 43,000 restaurants worldwide are franchised.

When tech issues arise, fingers, by default, point at the IT team. However, responsible AI design and deployment truly require cross-functional leadership commitment. McDonald's CEO Chris Kempczinski routinely touts a 4D strategy (digital, delivery, drive-thru and development) and characterizes the fast-food frontrunner's tech edge as 'unmatched.' That bravado brings massive expectations, and he can't be happy with the '123456' password distraction. With annual compensation approaching $20 million, he also has a responsible AI obligation to current and future McDonald's workers making, on average, 1,014 times less — as well as the 40,000 franchisees. Valerie Ashbaugh, McDonald's commercial products and platform SVP, rotates into the US CIO seat next month. The timing is ideal to institute policies, procedures and accountability for stronger third-party IT access controls. Alan Robertson, UK ambassador to the Global Council for Responsible AI, astutely notes, 'The damage is done — not by hackers, but by sheer negligence. McDonald's has pinned the issue on Paradox. Paradox says they fixed it and have since launched a bug bounty program. It raises bigger questions for all of us. Who audits the third-party vendors we automate hiring with? Where does the liability sit when trust is breached at this scale? And what does 'responsible AI' even mean when basic cybersecurity hygiene isn't in place? We talk about ethics — but sometimes it's just about setting a password.' That's prototypical indifference — especially when the access key is '123456.'

Likewise, HR leaders have a chance to meaningfully shape AI rollouts. 'HR needs to resist the urge to 'just go along.' There will be many HR leaders who simply wait for the various software lines they currently license to add AI functionality. To do so would be a mistake. AI will become a critical part of the employee experience and HR should have a hand in that,' advises AthenaOnline SVP of customer solutions Mark Jesty. At McDonald's, EVP and global chief people officer Tiffanie Boyd holds that golden opportunity to elevate responsible AI on the board and c-suite agendas. Will she?

Responsibility knocks

The McHire 'near-miss' highlights how boards and c-suites can remain dangerously unprepared for AI design, deployment and oversight. Strategy speed and tech wizardry must never come at stewardship's cost. 'If you're deploying AI without basic security hygiene, you're not innovating. You're endangering people. Security is not optional,' implores CEO Ivan Rahman. Who's opting for drive-thru AI governance?

AI chatbot's simple ‘123456' password risked exposing personal data of millions of McDonald's job applicants

Yahoo

4 days ago

  • Business
  • Yahoo


Security researchers found that they could access the personal information of 64 million people who had applied for a job at McDonald's, in large part by logging into the company's AI job hiring chatbot with the username and password '123456.' Ian Carroll and Sam Curry wrote in a blog post that 'during a cursory security review of a few hours,' they found the password issue and another simple security vulnerability in an internal API, which allowed access to job applicants' past conversations with the chatbot, called McHire, supplied to McDonald's by

The personal data seen by the researchers included applicants' names, email addresses, home addresses, and phone numbers. wrote in a blog post that it resolved the issues 'within a few hours' after the researchers' report, and that 'at no point was candidate information leaked online or made publicly available.' The researchers' findings were first reported by Wired.

Bug Hunters Gain Access to 64 Million McDonald's Job Applicants' Info by Using the Password ‘123456'

Gizmodo

4 days ago

  • Gizmodo


A recruitment platform used by McDonald's is alleged to have had such poor cybersecurity that researchers were able to log into it using a non-password and thus gain access to information on tens of millions of job applicants, including contact details and chat logs between the user and the restaurant's AI bot.

The platform in question, called McHire, operates a chatbot, dubbed Olivia. Job applicants chat with Olivia, who, in an effort to decide whether they're worthy of flipping hamburgers or not, assesses them via a personality test. The bot was created by a company called

Security researchers Sam Curry and Ian Carroll found that, using the username/password combination 123456/123456, they were able to log into the application, where they were given access to a treasure trove of information on job applicants. Indeed, Curry and Carroll were able to 'retrieve the personal data of more than 64 million applicants,' the researchers write.

Their write-up is as hilarious as it is disturbing. The duo notes: 'Without much thought, we entered '123456' as the username and '123456' as the password and were surprised to see we were immediately logged in! It turned out we had become the administrator of a test restaurant inside the McHire system.'

The information included names, email addresses, phone numbers, addresses, the state where the job candidate lived, and the auth token they used to gain access to the website. Additionally, Curry and Carroll could see 'every chat interaction [from every person] that has ever applied for a job at McDonald's.'

It's all pretty shameful stuff, although not particularly surprising. Cybersecurity has never been prioritized in the corporate world, which is why everything is getting hacked all the time. Many software programs are designed without any apparent concern for security at all. Still, the level of incompetence here is pretty damn bad and should be considered embarrassing for everyone involved.

Curry and Carroll write that they disclosed the security problems to and McDonald's on June 30th. On the same day, the restaurant chain confirmed that the credentials in question were 'no longer usable to access the app.' On July 1st, communicated to the researchers that the issues had 'been resolved.' In a blog post, Paradox clarified what had happened: 'On June 30, two security researchers reached out to the Paradox team about a vulnerability on our system. We promptly investigated the issue and resolved it within a few hours of being notified.'

The company went on to say:

Using a legacy password, the researchers logged into a Paradox test account related to a single Paradox client instance. We've updated our password security standards since the account was created, but this test account's password was never updated. Once logged into the test account, the researchers identified an API endpoint vulnerability that allowed them to access information related to chat interactions in the affected client instance. Unfortunately, none of our penetration tests previously identified the issue.

Gizmodo reached out to both companies for more information.
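The two failures these articles keep returning to, a legacy test account with a default password left idle since 2019 and an API endpoint that served chat records for any ID regardless of which client instance owned them, are shown below from the defender's side. This is an added example, not code from McHire, Paradox, McDonald's or the researchers; the `Account` model, the "one login belongs to one restaurant instance" assumption, the sample records and the `fetch_chat`/`audit_account` names are all constructed for illustration.

```python
# Added example, not code from McHire, Paradox, McDonald's or the researchers.
# It models the two failure modes the articles describe: an admin account left
# with a default password and idle since 2019, and an API endpoint that returned
# chat records for any ID without checking which client instance owned them.
# The data model (one login scoped to one restaurant instance) is an assumption.
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Account:
    username: str
    password: str        # plaintext only so the hygiene audit can be shown
    restaurant_id: int   # the single client instance this login belongs to
    last_login: date

# Constructed sample records, not real applicant data
CHAT_RECORDS = {
    1001: {"restaurant_id": 7, "applicant": "Alice", "chat": ["hi"]},
    1002: {"restaurant_id": 7, "applicant": "Bob", "chat": ["hello"]},
    1003: {"restaurant_id": 9, "applicant": "Carol", "chat": ["hey"]},
}
# Constructed stand-in for the legacy test account the articles mention
LEGACY_TEST_ACCOUNT = Account("123456", "123456", 7, date(2019, 1, 1))
DISCLOSURE_DATE = date(2025, 6, 30)   # the June 30 report date from the articles

def fetch_chat_unchecked(record_id: int) -> Optional[dict]:
    """Weak pattern: the ID from the URL is the only input, so any logged-in
    account can walk the whole ID space across every client instance."""
    return CHAT_RECORDS.get(record_id)

def fetch_chat(actor: Account, record_id: int) -> Optional[dict]:
    """Hardened pattern: object-level authorization. The record must belong to
    the caller's own instance, and 'missing' and 'forbidden' give the same
    answer so the endpoint does not confirm which IDs exist elsewhere."""
    record = CHAT_RECORDS.get(record_id)
    if record is None or record["restaurant_id"] != actor.restaurant_id:
        return None
    return record

# Small deny list for the audit; a real deployment would check a breached-
# password corpus. "123456" is the value from the articles.
COMMON_DEFAULTS = {"123456", "password", "admin", "test"}

def audit_account(acct: Account, today: date, max_idle_days: int = 90) -> list:
    """Flag the conditions the articles blame: a default or username-equals-
    password credential, and an account idle longer than a deactivation window."""
    findings = []
    if acct.password.lower() in COMMON_DEFAULTS or acct.password == acct.username:
        findings.append("default-or-username-password")
    if (today - acct.last_login).days > max_idle_days:
        findings.append("stale-account")
    return findings
```

Run `audit_account` over every account in an identity store on a schedule and treat any finding as a disable-and-rotate action; `fetch_chat` is the per-request check that makes ID guessing in the URL return nothing outside the caller's own instance.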
