AI Chatbot’s Weak ‘123456’ Password Put Millions of McDonald’s Job Applicants’ Data at Risk

Jul 14, 2025

Security researchers uncovered a significant vulnerability in McDonald’s AI hiring chatbot, McHire, that exposed personal information of around 64 million job applicants.

How the Vulnerability Occurred

During a brief security review, researchers Ian Carroll and Sam Curry found that logging into McHire with “123456” as both the username and the password granted access to sensitive applicant data. Additionally, an internal API flaw allowed access to applicants’ past conversations with the chatbot. McHire is supplied to McDonald’s by Paradox.ai.

The exposed data included applicants’ names, email addresses, home addresses, and phone numbers—a serious privacy concern. Paradox.ai responded promptly, fixing the issues within a few hours of being notified, and confirmed no candidate data was leaked publicly.
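A login like the one described above is the kind of finding a routine credential audit is meant to catch. The sketch below is an added example, not code from the researchers, McDonald’s or Paradox.ai: it checks stored password hashes against a short blocklist and against each account’s own username. The account records, the blocklist and the PBKDF2 parameters are all constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed blocklist for the example; a real audit would load a much larger list.
COMMON_PASSWORDS = ["123456", "password", "admin", "qwerty", "letmein"]
ITERATIONS = 100_000  # assumed KDF cost, not taken from any real system

def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256, standing in for whatever KDF the credential store uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def candidate_guesses(username: str) -> list[str]:
    """Guesses the audit always tries: the blocklist plus the username itself."""
    guesses = list(COMMON_PASSWORDS)
    for variant in (username, username.lower()):
        if variant not in guesses:
            guesses.append(variant)
    return guesses

def audit_accounts(accounts: list[dict]) -> list[tuple[str, str]]:
    """Return (username, reason) for each account whose stored hash matches a guess."""
    findings = []
    for acct in accounts:
        for guess in candidate_guesses(acct["username"]):
            if hmac.compare_digest(hash_password(guess, acct["salt"]), acct["hash"]):
                same = guess.lower() == acct["username"].lower()
                reason = ("password equals username" if same
                          else "password on common-password blocklist")
                findings.append((acct["username"], reason))
                break
    return findings

def make_account(username: str, password: str) -> dict:
    """Build a constructed account record with a random salt."""
    salt = os.urandom(16)
    return {"username": username, "salt": salt, "hash": hash_password(password, salt)}

# Constructed sample accounts, not real data.
SAMPLE_ACCOUNTS = [
    make_account("123456", "123456"),
    make_account("recruiter01", "password"),
    make_account("storemanager", "T7#vq9!Lm2@xWz"),
]

if __name__ == "__main__":
    for user, reason in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"WEAK: {user}: {reason}")
```

Running the same check at account creation and password change, rather than only as a periodic audit, keeps such credentials from being set in the first place.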

What The Author Thinks

This incident highlights a fundamental truth—no matter how advanced AI technology becomes, neglecting basic cybersecurity protocols can lead to massive breaches. Companies integrating AI into sensitive areas like hiring must prioritize strong security practices to protect personal data and maintain user trust.


