McDonald’s “McHire” job application service was accessed by researchers last month using the password “123456,” potentially exposing more than 64 million records.
Applicants’ conversations with the McDonald’s “Olivia” hiring chatbot were viewable from a test account accessed by security researchers Ian Carroll and Sam Curry, who published their findings on Carroll’s blog this week.
“This incident is a stark reminder that when companies rush to deploy AI in customer-facing workflows without proper oversight, they expose themselves, and millions of users, to unnecessary risk,” Kobi Nissan, co-founder and CEO of MineOS, told SC Media. “The issue here isn’t the AI itself, but the lack of basic security hygiene and governance around it.”
The Olivia chatbot was built by Paradox.ai, which took responsibility for the issue in a security update Wednesday, saying a legacy password for the test account and an API endpoint vulnerability exposed “information related to chat interactions.”
The researchers initially accessed the test account from a login page labeled for “Paradox team members” that was linked on the McHire website for restaurant owners, according to the blog post. They successfully logged in by guessing the username and password, which were both “123456.”
“What stands out most is that the widely known OWASP Top 10 issue – the use of weak, guessable credentials (123456) – was allowed in a production system with no multifactor authentication (MFA). That’s not just a technical oversight; it reflects a broader weakness in the security program itself,” Cequence Security CISO Randolph Barr commented in an email to SC Media.
The test account granted Carroll and Curry access to a test restaurant that could view all conversations between Olivia and job applicants for that restaurant. They soon found that they could change the “lead_id” parameter for XHR requests from the API responsible for fetching candidate information, revealing information about other applicants from different McDonald’s restaurants.
Based on the lead_id for their test applicant, which was 64,185,742, the researchers estimated more than 64 million records could be accessed by decrementing this number in API requests.
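The flaw described above is a broken object-level authorization check: the API authenticated the caller but then looked up any candidate record by lead_id alone. The following is an added illustration, not code from Paradox.ai or the researchers; the data model, session handling and lead_id values are constructed for the example, and the fix shown is to scope every lookup to the restaurant the authenticated account belongs to.

```python
"""Object-level authorization for a candidate-lookup endpoint.

Models the McHire lead_id issue: an account that may view one
restaurant's candidates must not be able to read another restaurant's
candidate just by changing the lead_id in the request.
"""
from dataclasses import dataclass
from typing import Optional


class Forbidden(Exception):
    """Raised when the caller has no valid session."""


@dataclass(frozen=True)
class Candidate:
    lead_id: int
    restaurant_id: str
    name: str
    email: str


# Constructed sample records; the lead_ids and details are invented.
CANDIDATES = {
    64_185_742: Candidate(64_185_742, "rest-test", "Test Applicant", "test@example.invalid"),
    64_185_741: Candidate(64_185_741, "rest-0417", "A. Other", "a.other@example.invalid"),
    64_185_740: Candidate(64_185_740, "rest-0912", "B. Someone", "b.someone@example.invalid"),
}

# Session id -> the single restaurant that account is allowed to see.
SESSIONS = {"sess-test": "rest-test"}


def fetch_candidate_vulnerable(session_id: str, lead_id: int) -> Optional[Candidate]:
    """Vulnerable shape: checks that the caller is logged in, then fetches
    the record by lead_id alone, so any account can read any candidate."""
    if session_id not in SESSIONS:
        raise Forbidden("not logged in")
    return CANDIDATES.get(lead_id)


def fetch_candidate(session_id: str, lead_id: int) -> Optional[Candidate]:
    """Hardened shape: the lookup is scoped to the caller's restaurant.
    A lead_id owned by another restaurant returns None, the same answer
    as a non-existent id, so a guessed id is not confirmed to exist."""
    restaurant = SESSIONS.get(session_id)
    if restaurant is None:
        raise Forbidden("not logged in")
    record = CANDIDATES.get(lead_id)
    if record is None or record.restaurant_id != restaurant:
        return None
    return record
```

In a real service the restaurant filter belongs in the database query itself (a WHERE clause on the tenant column), not only in application code, so that every read path is scoped by construction.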
Some of the information discovered included applicant names, email addresses, phone numbers, addresses, candidacy states, application form inputs and authentication tokens to log in as the applicant, Carroll and Curry wrote. Logging into these accounts could potentially leak additional chatbot messages and other information, the researchers noted.
Paradox.ai stated that most of the chat interaction records exposed did not include personal information, and that only five of the records pulled by the researchers included names, email addresses, phone numbers and IP addresses. Additionally, the company said no sensitive information, such as Social Security numbers, was exposed.
“[…] we are confident that, based on our records, this test account was not accessed by any third party other than the security researchers. It had not been logged into since 2019 and frankly, should have been decommissioned,” Paradox.ai stated.
SC Media reached out to McDonald’s and Paradox.ai for additional information, and did not receive a response. However, McDonald’s said in a statement to Wired: “We’re disappointed by this unacceptable vulnerability from a third-party provider, Paradox.ai. As soon as we learned of the issue, we mandated Paradox.ai to remediate the issue immediately, and it was resolved on the same day it was reported to us.”
Paradox.ai said both the weak password and API endpoint vulnerability have now been resolved and that it will be launching a new bug bounty program as well as more accessible contact for its security team, among other security initiatives. McDonald’s stated it would continue to hold its third-party providers to its data protection standards, according to Wired.
“The rush to deploy new technology must not compromise basic security principles. Organizations must prioritize fundamental security measures to ensure uncompromised trust in their software especially for the increasingly regulated, AI-powered world,” Aditi Gupta, senior manager of professional services consulting at Black Duck, told SC Media in an email.
The use of valid credentials, such as weak or stolen passwords, was involved in nearly a third of cyber intrusions in 2024, according to the IBM X-Force 2025 Threat Intelligence Index, tying with exploitation of public-facing applications as the most common initial access vector.
Additionally, a 2023 report by Outpost24 found that “123456” was the second weakest password, based on an analysis of admin portal credentials found in infostealer records. The No. 1 weakest password was “admin,” which was found more than 40,000 times in the 1.8 million credentials analyzed.