{"id":251743,"date":"2025-07-09T21:11:12","date_gmt":"2025-07-09T21:11:12","guid":{"rendered":"https:\/\/www.europesays.com\/uk\/251743\/"},"modified":"2025-07-09T21:11:12","modified_gmt":"2025-07-09T21:11:12","slug":"mcdonalds-ai-hiring-bot-exposed-millions-of-applicants-data-to-hackers-using-the-password-123456","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/uk\/251743\/","title":{"rendered":"McDonald\u2019s AI Hiring Bot Exposed Millions of Applicants&#8217; Data to Hackers Using the Password \u2018123456\u2019"},"content":{"rendered":"<p>If you want a job at McDonald\u2019s today, there\u2019s a good chance you&#8217;ll have to talk to Olivia. Olivia is not, in fact, a human being, but instead an <a href=\"https:\/\/www.wired.com\/story\/couples-retreat-with-3-ai-chatbots-and-humans-who-love-them-replika-nomi-chatgpt\/\" target=\"_blank\" rel=\"noopener\">AI chatbot<\/a> that screens applicants, asks for their contact information and r\u00e9sum\u00e9, directs them to a personality test, and occasionally makes them \u201c<a data-offer-url=\"https:\/\/www.reddit.com\/r\/mildlyinfuriating\/comments\/1lo9s75\/mcdonalds_hiring_ai_is_making_me_go_insane\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.reddit.com\/r\/mildlyinfuriating\/comments\/1lo9s75\/mcdonalds_hiring_ai_is_making_me_go_insane\/&quot;}\" href=\"https:\/\/www.reddit.com\/r\/mildlyinfuriating\/comments\/1lo9s75\/mcdonalds_hiring_ai_is_making_me_go_insane\/\" rel=\"nofollow noopener\" target=\"_blank\">go insane<\/a>\u201d by repeatedly misunderstanding their most basic questions.<\/p>\n<p class=\"paywall\">Until last week, the platform that runs the Olivia chatbot, built by artificial intelligence software firm Paradox.ai, also suffered from absurdly basic security flaws. As a result, virtually any hacker could have accessed the records of every chat Olivia had ever had with McDonald&#8217;s applicants\u2014including all the personal information they shared in those conversations\u2014with tricks as straightforward as guessing the username and password \u201c123456.&#8221;<\/p>\n<p class=\"paywall\">On Wednesday, security researchers Ian Carroll and Sam Curry <a data-offer-url=\"https:\/\/ian.sh\/mcdonalds\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/ian.sh\/mcdonalds&quot;}\" href=\"https:\/\/ian.sh\/mcdonalds\" rel=\"nofollow noopener\" target=\"_blank\">revealed<\/a> that they found simple methods to hack into the backend of the AI chatbot platform on McHire.com, McDonald&#8217;s website that many of its franchisees use to handle job applications. Carroll and Curry, hackers with a <a href=\"https:\/\/www.wired.com\/story\/saflok-hotel-lock-unsaflok-hack-technique\/\" target=\"_blank\" rel=\"noopener\">long<\/a> <a data-offer-url=\"https:\/\/ian.sh\/tsa\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/ian.sh\/tsa&quot;}\" href=\"https:\/\/ian.sh\/tsa\" rel=\"nofollow noopener\" target=\"_blank\">track<\/a> <a href=\"https:\/\/www.wired.com\/story\/kia-web-vulnerability-vehicle-hack-track\/\" target=\"_blank\" rel=\"noopener\">record<\/a> of independent security testing, discovered that simple web-based vulnerabilities\u2014including guessing one laughably weak password\u2014allowed them to access a Paradox.ai account and query the company&#8217;s databases that held every McHire user&#8217;s chats with Olivia. The data appears to include as many as 64 million records, including applicants&#8217; names, email addresses, and phone numbers.<\/p>\n<p class=\"paywall\">Carroll says he only discovered that appalling lack of security around applicants&#8217; information because he was intrigued by McDonald&#8217;s decision to subject potential new hires to an AI chatbot screener and personality test. \u201cI just thought it was pretty uniquely dystopian compared to a normal hiring process, right? And that&#8217;s what made me want to look into it more,\u201d says Carroll. \u201cSo I started applying for a job, and then after 30 minutes, we had full access to virtually every application that&#8217;s ever been made to McDonald&#8217;s going back years.\u201d<\/p>\n<p class=\"paywall\">When WIRED reached out to McDonald\u2019s and Paradox.ai for comment, a spokesperson for Paradox.ai shared a <a data-offer-url=\"https:\/\/www.paradox.ai\/white-hat-security-researcher\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.paradox.ai\/white-hat-security-researcher&quot;}\" href=\"https:\/\/www.paradox.ai\/white-hat-security-researcher\" rel=\"nofollow noopener\" target=\"_blank\">blog post<\/a> the company planned to publish that confirmed Carroll and Curry\u2019s findings. The company noted that only a fraction of the records Carroll and Curry accessed contained personal information, and said it had verified that the account with the \u201c123456\u201d password that exposed the information \u201cwas not accessed by any third party\u201d other than the researchers. The company also added that it\u2019s instituting a bug bounty program to better catch security vulnerabilities in the future. \u201cWe do not take this matter lightly, even though it was resolved swiftly and effectively,\u201d Paradox.ai\u2019s chief legal officer, Stephanie King, told WIRED in an interview. \u201cWe own this.\u201d<\/p>\n<p class=\"paywall\">In its own statement to WIRED, McDonald\u2019s agreed that Paradox.ai was to blame. \u201cWe\u2019re disappointed by this unacceptable vulnerability from a third-party provider, Paradox.ai. As soon as we learned of the issue, we mandated Paradox.ai to remediate the issue immediately, and it was resolved on the same day it was reported to us,\u201d the statement reads. \u201cWe take our commitment to cyber security seriously and will continue to hold our third-party providers accountable to meeting our standards of data protection.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"If you want a job at McDonald\u2019s today, there\u2019s a good chance you&#8217;ll have to talk to Olivia.&hellip;\n","protected":false},"author":2,"featured_media":251744,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3163],"tags":[323,1942,3457,35529,6512,811,53,16,15],"class_list":{"0":"post-251743","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-artificial-intelligence","8":"tag-ai","9":"tag-artificial-intelligence","10":"tag-cybersecurity","11":"tag-mcdonalds","12":"tag-privacy","13":"tag-security","14":"tag-technology","15":"tag-uk","16":"tag-united-kingdom"},"share_on_mastodon":{"url":"https:\/\/pubeurope.com\/@uk\/114825336108150462","error":""},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/posts\/251743","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/comments?post=251743"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/posts\/251743\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/media\/251744"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/media?parent=251743"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/categories?post=251743"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/tags?post=251743"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}