A hiring AI bot used by McDonald’s, dubbed McHire, was found to expose job applicant data, potentially risking the personal information of nearly 64 million applicants. The bot automates the initial stages of hiring at the food chain and is deployed by a majority of McDonald’s franchises.
Developed by Paradox.ai, the bot screens applicants, asks for their contact information and resume, and then directs them to a personality test. Reportedly, the bot has issues where it fails to understand or answer questions that fall outside its scope, but it also suffers from basic security flaws.
Security researchers Ian Carroll and Sam Curry were testing out the tool when they noticed a login link for Paradox members. This link required a username and password to access the backend of the tool that shows the information and application status of some 64 million job applicants.

According to Ian Carroll’s explainer, the researchers were able to access an administrator account for a test restaurant inside the McHire system by using “123456” as both the username and the password. During further testing, they found an API that fetched candidate information. Changing the value of a “lead_id” parameter in the API request returned personally identifiable information (PII) for another employee. This information included:
- Name, email address, phone number, and physical address.
- Candidacy state and form inputs that the candidate had submitted.
- An auth token that could be used to log in to McHire’s public-facing UI as that user.
Carroll and Curry sampled a small set of applicant data and verified it by contacting these applicants. They were able to confirm that the applicants did indeed apply to McDonald’s for a job, and the leaked data was genuine.
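The two weaknesses described above are a default administrator password and an API that returns whichever record the caller names in `lead_id` (an insecure direct object reference), with a session token in the response. The following is an added illustration, not code from Paradox.ai or McDonald’s: a minimal candidate-lookup handler in its vulnerable form beside a hardened one that enforces tenant ownership, strips the token, and refuses default credentials. The `Session`, `Candidate`, `restaurant_id` and sample records are all constructed for this example.

```python
from dataclasses import dataclass, asdict
from typing import Optional

# Default/weak credentials an admin setup form must refuse (constructed list).
WEAK_PASSWORDS = {"123456", "password", "admin", "welcome1"}

@dataclass(frozen=True)
class Session:
    user: str
    restaurant_id: str          # tenant the logged-in account belongs to

@dataclass(frozen=True)
class Candidate:
    lead_id: int
    restaurant_id: str
    name: str
    email: str
    auth_token: str             # secret; must never leave the server

# Constructed sample records standing in for the candidate table.
CANDIDATES = {
    1001: Candidate(1001, "store-A", "Applicant One", "one@example.com", "tok-A1"),
    1002: Candidate(1002, "store-B", "Applicant Two", "two@example.com", "tok-B2"),
}

def fetch_candidate_vulnerable(session: Session, lead_id: int) -> Optional[dict]:
    """Authenticated but not authorized: any logged-in account can read any
    lead_id, and the record is returned whole, auth token included."""
    cand = CANDIDATES.get(lead_id)
    return asdict(cand) if cand else None

def fetch_candidate(session: Session, lead_id: int) -> Optional[dict]:
    """Hardened: the record must belong to the caller's tenant, a foreign id
    gets the same None as a missing id (no id oracle), and secrets are dropped."""
    cand = CANDIDATES.get(lead_id)
    if cand is None or cand.restaurant_id != session.restaurant_id:
        return None
    public = asdict(cand)
    public.pop("auth_token")
    return public

def password_acceptable(password: str) -> bool:
    """Reject default and trivially guessable admin passwords at account setup."""
    return len(password) >= 12 and password.lower() not in WEAK_PASSWORDS
```

In a real deployment the tenant check belongs in the data-access layer (a `WHERE restaurant_id = ?` clause or equivalent) rather than in each handler, so that no endpoint can forget it.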
The issue was reported to McDonald’s and Paradox on June 30, and McDonald’s confirmed receipt and asked for further technical details the same day. The credentials were revoked, and Paradox.ai later confirmed that the issue was resolved. At the time of writing, there is no evidence that attackers ever gained access to the backend or the API.
