McDonald’s Data Breach Exposes 60 Million Job Applicants Through AI Chatbot Vulnerability in Hiring Platform
McDonald’s hiring portal suffered a data breach exposing over 60 million applicants’ details due to a vulnerability in its chatbot, managed by third-party AI firm Paradox.ai.

McDonald's recently suffered a major security breach when a flaw in its hiring platform, McHire, put the personal information of more than 60 million job seekers at risk. The breach stemmed from McHire's chatbot "Olivia," which collects applicants' résumés and personal details before sending them on to a personality test.
A U.S.-based company called Paradox.ai runs the chatbot. Security researchers Ian Carroll and Sam Curry found the flaw while looking into reports on Reddit about the bot behaving strangely. They suspected the system might be open to "prompt injection," a technique that uses crafted prompts to make an AI model deviate from its instructions and leak private information. That didn't work, but the researchers found a login page meant for Paradox team members. They were shocked that they could get in by simply entering "123456" as both the username and the password, with no two-factor authentication required. From there, they could see the unmasked sensitive data of anyone who had talked to the Olivia bot over the years.
Carroll said he became curious after seeing a "personality test" in the McDonald's job application, which he found unusual. That curiosity led him to explore the system, and within 30 minutes, he and Curry had access to years' worth of job applications.
Once notified, Paradox.ai admitted that the breach came from a forgotten test account and confirmed that only the two researchers had accessed it. The account was taken down quickly. McDonald's said it was disappointed with the third-party provider and confirmed that the problem was fixed the same day.
The incident shows how risky it is to embed AI tools in sensitive systems, especially when they're managed by third parties. There were no reports of malicious exploitation, but it is a serious wake-up call about protecting applicant data in the hiring process.
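As an added, illustrative example (not from the article, Paradox.ai or McHire), here is a small Python audit of the kind a defender could run over an admin-portal user directory to flag the conditions this story describes: a password that matches the username or a common default, no MFA, a test-style account name, and no recent login. The directory schema, the unsalted SHA-256 digests and the sample accounts are constructed for the demo.

```python
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample of an admin-portal user directory. The field names and the
# unsalted SHA-256 digests are an assumption for this demo, not any vendor's schema.
@dataclass
class Account:
    username: str
    password_sha256: str
    mfa_enabled: bool
    last_login: Optional[date]

COMMON_DEFAULTS = ["123456", "password", "admin", "test", "qwerty"]
TEST_ACCOUNT_MARKERS = ("test", "demo", "tmp", "qa")
AUDIT_DATE = date(2025, 7, 10)  # constructed "today" for the audit

def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()

def audit_account(acct: Account, today: date, stale_days: int = 180) -> list:
    """Return findings for one account; an empty list means nothing was flagged."""
    findings = []
    # Compare the stored digest with digests of the username and common defaults,
    # so the audit never needs the plaintext password.
    candidates = {sha256_hex(c) for c in COMMON_DEFAULTS + [acct.username]}
    if acct.password_sha256 in candidates:
        findings.append("password equals username or a common default")
    if not acct.mfa_enabled:
        findings.append("MFA not enabled")
    if any(m in acct.username.lower() for m in TEST_ACCOUNT_MARKERS):
        findings.append("name suggests a test account")
    if acct.last_login is None or (today - acct.last_login).days > stale_days:
        findings.append(f"no login in the last {stale_days} days")
    return findings

def audit(accounts: list, today: date) -> dict:
    """Map each flagged username to its findings; clean accounts are omitted."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, today)
        if findings:
            report[acct.username] = findings
    return report

SAMPLE_ACCOUNTS = [  # constructed entries
    Account("123456", sha256_hex("123456"), False, date(2019, 3, 2)),
    Account("alice.ops", sha256_hex("Vq7!long-random-phrase"), True, date(2025, 7, 1)),
    Account("demo-recruiter", sha256_hex("Str0ng-but-unused"), False, None),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(f"{name}: " + "; ".join(findings))
```

In a real deployment the same checks would run against the identity provider's API and a salted, slow password hash, verifying each candidate through the hash function rather than comparing raw digests.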
This article is based on information from The Indian Express