Experts discover vulnerability in McDonald’s AI-hiring tool, which exposed 64 million applicants’ data
In a shocking cybersecurity lapse, McDonald’s AI-powered hiring tool reportedly exposed the personal data of more than 64 million job applicants — all because it was secured with the world’s most infamous password: “123456”.
The vulnerability was discovered last month by security researchers who, out of curiosity, decided to probe the fast food giant’s recruitment chatbot after a Reddit thread highlighted how poorly it was responding to job seekers.
According to WIRED, they shared the details of the breach on Wednesday (9 July), and McDonald’s has also confirmed that they have patched the security risk.
Researcher gains access to personal data using default login credentials
Security expert Ian Carroll detailed the breach in a blog post, explaining that he was drawn to investigate McHire, McDonald’s AI recruitment system, after seeing a Reddit post about its chatbot, Olivia.

Source: Reddit
The Reddit post shared a frustrating interaction between a job applicant and the AI chatbot, with the bot giving nonsensical answers.
After just a few hours, he and fellow researcher Sam Curry stumbled upon a serious flaw: the administrative login still accepted default credentials, with both the username and password simply set to “123456”.
This granted them full access to a database containing the private information of more than 64 million applicants, including names, email addresses, and phone numbers.
Breach reported, vulnerability fixed within hours
Upon discovering the flaw, the researchers immediately contacted Paradox.ai, the company behind McHire, and McDonald’s. The alert was sent on 30 June, prompting swift action.
Paradox.ai patched the vulnerability within hours, later confirming in a blog post that no unauthorised parties accessed the system, and that the only individuals who did were the two ethical researchers.
They also pledged to launch a bug bounty programme to catch such issues in future.
“We do not take this matter lightly, even though it was resolved swiftly and effectively,” they told WIRED. “We own this.”
Meanwhile, McDonald’s placed the blame squarely on Paradox.ai.
“We’re disappointed by this unacceptable vulnerability from a third-party provider, Paradox.ai. As soon as we learned of the issue, we mandated Paradox.ai to remediate the issue immediately, and it was resolved on the same day it was reported to us,” the fast food chain said.
Featured image adapted from Reddit and Africa Images on Canva. Left image is for illustration purposes only.