Security researchers have uncovered a weakness in the McDonald’s recruitment platform McHire, potentially exposing the personal information of over 64 million job applicants.
Researchers discovered that the platform’s chatbot, operated by HR tech firm Paradox.ai, used default login credentials on a test account and failed to secure an API endpoint. This gave the researchers access to sensitive data, including names, addresses, contact details, and interview chat logs of applicants across the McHire system.
“During a cursory security review of a few hours, we identified two serious issues: the McHire administration interface for restaurant owners accepted the default credentials 123456:123456, and an insecure direct object reference (IDOR) on an internal API allowed us to access any contacts and chats we wanted. Together they allowed us and anyone else with a McHire account and access to any inbox to retrieve the personal data of more than 64 million applicants,” the researchers explained.
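As an added illustration (not code from McHire, Paradox.ai or the researchers), the two defect classes described above modelled in Python on constructed data: a chat lookup that trusts the supplied id alone (the IDOR) beside one scoped to the caller's own inbox, plus a credential policy that refuses well-known defaults such as 123456. The inbox names, record ids, `count_reachable` audit helper and default-password list are assumptions for the example.

```python
# Added example (not McHire / Paradox.ai code). Data and names are constructed.
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Chat:
    chat_id: int
    inbox_id: str      # constructed: the restaurant inbox that owns this chat
    applicant: str
    transcript: str


# Constructed store: two chats belonging to two different restaurant inboxes.
CHATS = {
    1001: Chat(1001, "inbox-A", "applicant-1", "constructed transcript 1"),
    1002: Chat(1002, "inbox-B", "applicant-2", "constructed transcript 2"),
}


def get_chat_vulnerable(chat_id: int, caller_inbox: str) -> Optional[Chat]:
    # IDOR: the record is selected by id alone; the authenticated caller's inbox
    # is never consulted, so walking the id space reaches every inbox's chats.
    return CHATS.get(chat_id)


def get_chat_hardened(chat_id: int, caller_inbox: str) -> Optional[Chat]:
    # Authorization is part of the lookup: the id must belong to the caller's
    # inbox. A foreign chat looks exactly like a missing one (no existence oracle).
    chat = CHATS.get(chat_id)
    if chat is None or chat.inbox_id != caller_inbox:
        return None
    return chat


def count_reachable(lookup: Callable[[int, str], Optional[Chat]], caller_inbox: str) -> int:
    # Audit helper: with one legitimate principal, how many records does the
    # endpoint hand back across the whole id space? Anything above the caller's
    # own records indicates a missing object-level check.
    return sum(1 for cid in CHATS if lookup(cid, caller_inbox) is not None)


# Default-credential guard for an admin interface: reject well-known defaults,
# passwords equal to the username, and short passwords. List is an assumption.
DEFAULT_PASSWORDS = {"123456", "password", "admin", "changeme"}


def credential_policy_ok(username: str, password: str) -> bool:
    if password in DEFAULT_PASSWORDS or password == username:
        return False
    return len(password) >= 12
```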
The findings were disclosed to Paradox.ai and McDonald’s on June 30. The default credentials were revoked immediately, and both vulnerabilities were patched by July 1.
Paradox.ai confirmed the issue in a public statement, noting that the test account had not been accessed since 2019 and that the breach affected only a single client instance. The company emphasized that Social Security numbers were not exposed and that only five candidate records were accessed during the investigation.