Shocking Data Breach: 64 Million McDonald’s Job Seekers Impacted!
In a staggering revelation, over 64 million job applicants at McDonald’s in the United States may have fallen victim to a significant data leak. Cybersecurity experts have uncovered critical security flaws in McHire, the fast-food giant’s AI-driven hiring platform.
Unsecured Admin Access: A Recipe for Disaster
Security researchers Ian Carroll and Sam Curry revealed that the McHire administration panel, utilized by restaurant owners to oversee applications, permitted weak default login credentials—specifically the username “123456” paired with the password “123456”.
For context, McHire is the hiring platform powered by Paradox.ai, which is employed by 90% of McDonald’s franchisees. This chatbot-driven system features ‘Olivia’, a bot designed to gather applicant information, shift preferences, and conduct personality assessments during the job application process.
By exploiting these default credentials, the researchers accessed a test restaurant account and discovered they could view real-time chat interactions between Olivia and job applicants. They identified an Insecure Direct Object Reference (IDOR) vulnerability within an internal API that enabled anyone with a McHire account to access the personal data and chat histories of any applicant simply by altering a numeric identifier in the API request: the API checked that the caller was logged in, but not that the requested record belonged to the caller's restaurant.
“In just a few hours of security assessment, we identified two critical vulnerabilities: the McHire admin interface allowed default credentials and an insecure direct object reference (IDOR) permitted access to any contacts and chats,” reported Carroll in a detailed blog post about the incident.
“These issues together enabled us—and potentially anyone with a McHire account—to retrieve the personal data of over 64 million applicants.”
In essence, by modifying the lead_id in a browser request—by increasing or decreasing a number—they could view personal details from other applicants across the platform. This included names, email addresses, phone numbers, home addresses, job application statuses, and even login tokens that could facilitate impersonation of the applicants within the system.
While applicants believed their interactions were secure, their conversations and sensitive data were unfortunately accessible to anyone who discovered the test login and manipulated the exposed API.
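The pattern described above, as an added example that is not McHire or Paradox.ai code: a record lookup that only checks authentication (so any logged-in account can read any record by changing the id) beside one that applies object-level authorization by scoping the lookup to the caller's own tenant. The data model, the `restaurant_id` tenant field, the sample leads and the account names are constructed assumptions.

```python
"""Added example (not McHire/Paradox.ai code): an IDOR-prone lookup beside an
authorization-scoped one. Names, sample data and tenant layout are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Lead:
    lead_id: int
    restaurant_id: int   # constructed: the tenant that owns this applicant record
    name: str
    email: str
    chat: str


@dataclass(frozen=True)
class Session:
    user_id: str
    restaurant_id: int   # constructed: the restaurant this account administers


# Constructed sample data: leads belonging to two different restaurants.
LEADS = {
    1001: Lead(1001, 7, "Applicant A", "a@example.com", "Olivia: Which shifts suit you?"),
    1002: Lead(1002, 7, "Applicant B", "b@example.com", "Olivia: Any prior experience?"),
    1003: Lead(1003, 9, "Applicant C", "c@example.com", "Olivia: Earliest start date?"),
}


class Forbidden(Exception):
    pass


def get_lead_vulnerable(session: Session, lead_id: int) -> Lead:
    """Authenticated but not authorized: any logged-in account can read any
    lead simply by changing lead_id in the request (the IDOR pattern)."""
    return LEADS[lead_id]


def get_lead_scoped(session: Session, lead_id: int) -> Lead:
    """Object-level authorization: the lookup is filtered by the caller's
    tenant. A lead outside the caller's restaurant raises the same error as a
    lead that does not exist, so the endpoint is not an existence oracle."""
    lead = LEADS.get(lead_id)
    if lead is None or lead.restaurant_id != session.restaurant_id:
        raise Forbidden(f"lead {lead_id} is not accessible to {session.user_id}")
    return lead


def audit_visible_ids(lookup, session: Session, start: int, stop: int) -> list:
    """Regression check for the authorization boundary: walk a range of ids and
    return those the handler served to this session. For a correctly scoped
    handler the result must contain only the session's own tenant's ids."""
    visible = []
    for lead_id in range(start, stop + 1):
        try:
            lookup(session, lead_id)
            visible.append(lead_id)
        except (KeyError, Forbidden):
            pass
    return visible


if __name__ == "__main__":
    admin = Session("restaurant-7-admin", restaurant_id=7)
    print("vulnerable:", audit_visible_ids(get_lead_vulnerable, admin, 1000, 1005))
    print("scoped:    ", audit_visible_ids(get_lead_scoped, admin, 1000, 1005))
```

The scoped handler folds the ownership condition into the lookup itself rather than checking it afterwards, which is the shape that survives refactoring: there is no code path that returns a record before the tenant filter has been applied. Returning the same error for "not yours" and "does not exist" also keeps the endpoint from confirming which ids are valid.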
Swift Response and Mitigation Efforts
The security findings were disclosed to both Paradox.ai and McDonald’s on June 30, prompting immediate action. Within mere hours, the default credentials were deactivated, and both vulnerabilities were reportedly addressed by July 1.
“We are deeply disappointed by this unacceptable vulnerability from our third-party provider, Paradox.ai. Upon learning of the issue, we required Paradox.ai to rectify the situation immediately, and it was resolved the same day it was reported,” stated McDonald’s in response to the research findings.
Paradox.ai emphasized that most exposed chats did not contain sensitive information, asserting that no evidence of malicious access was found beyond the researchers’ activities. They maintained that only a limited number of sensitive records were accessed during testing.
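Establishing that no one beyond the researchers exercised the flaw depends on having access logs that can be searched for the telltale pattern: one account reading long runs of consecutive record ids. As an added example, not from the article and not Paradox.ai's tooling, the detector below parses constructed API access-log lines and flags accounts whose distinct lead ids are mostly consecutive. The log format, account names, ids and thresholds are all constructed assumptions.

```python
"""Added example (not Paradox.ai tooling): flag accounts that walk consecutive
lead ids in an API access log. Log format, accounts and ids are constructed."""
import re
from collections import defaultdict

# Constructed sample log: a restaurant owner reviewing its own two applicants,
# and a second account reading six consecutive ids in a few seconds.
SAMPLE_LOG = """\
2025-06-30T14:00:01Z account=owner-42 status=200 path=/api/leads/50011
2025-06-30T14:00:02Z account=owner-42 status=200 path=/api/leads/50012
2025-06-30T14:00:02Z account=test-acct status=200 path=/api/leads/64000001
2025-06-30T14:00:03Z account=test-acct status=200 path=/api/leads/64000002
2025-06-30T14:00:03Z account=test-acct status=200 path=/api/leads/64000003
2025-06-30T14:00:04Z account=test-acct status=200 path=/api/leads/64000004
2025-06-30T14:00:04Z account=test-acct status=200 path=/api/leads/64000005
2025-06-30T14:00:05Z account=test-acct status=200 path=/api/leads/64000006
2025-06-30T14:00:09Z account=owner-42 status=200 path=/api/leads/50011
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) status=(?P<status>\d+) "
    r"path=/api/leads/(?P<lead_id>\d+)$"
)


def parse(log: str):
    """Yield (account, lead_id, status) for each well-formed line; skip others."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["account"], int(m["lead_id"]), int(m["status"])


def sequential_enumeration(log: str, min_ids: int = 5, min_ratio: float = 0.8) -> dict:
    """Return {account: (distinct_ids, consecutive_steps)} for accounts that
    successfully read at least min_ids distinct leads where at least min_ratio
    of the sorted id-to-id steps are exactly +1."""
    ids_by_account = defaultdict(set)
    for account, lead_id, status in parse(log):
        if status == 200:                      # only successful reads count
            ids_by_account[account].add(lead_id)

    flagged = {}
    for account, ids in ids_by_account.items():
        distinct = sorted(ids)
        if len(distinct) < min_ids:
            continue
        steps = sum(1 for a, b in zip(distinct, distinct[1:]) if b - a == 1)
        if steps / (len(distinct) - 1) >= min_ratio:
            flagged[account] = (len(distinct), steps)
    return flagged


if __name__ == "__main__":
    for account, (count, steps) in sequential_enumeration(SAMPLE_LOG).items():
        print(f"{account}: {count} distinct leads, {steps} consecutive steps")
```

In a real review the same query would be run over the full retention window and joined against which restaurant each lead belongs to, since a single tenant legitimately reading its own consecutive applicants looks similar to cross-tenant enumeration; the id-run heuristic narrows the search, and the tenant mismatch is what confirms abuse.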
“We want to clarify that while the researchers may have briefly accessed the system containing all chat interactions (NOT job applications), they only viewed and downloaded five chats total that contained candidate information. Importantly, at no point was any data leaked online or made public,” Paradox conveyed in a security update.
In addition to addressing this serious issue, Paradox has committed to implementing stricter security protocols, launching a new bug bounty program, and enhancing disclosure channels. Meanwhile, McDonald’s is reviewing its partnerships and pledging to strengthen oversight of its third-party providers to ensure stringent data protection standards are upheld.