Security researchers were able to crack McDonald’s artificial intelligence (AI) hiring system in 30 minutes using one of the world’s most common passwords, exposing personal details of millions of fast-food job seekers worldwide.
On Wednesday, Ian Carroll and Sam Curry discovered the massive security breach after guessing administrator credentials on the McHire platform. The system, powered by AI chatbot “Olivia,” processes applications for 90% of McDonald’s franchises globally.
“I just thought it was pretty uniquely dystopian compared to a normal hiring process,” Carroll told WIRED. “So I started applying for a job, and then after 30 minutes, we had full access to virtually every application that’s ever been made to McDonald’s going back years.”
The researchers accessed the backend using “123456” as both username and password. They found a forgotten test account from 2019 that Paradox.ai, the software company behind McHire, had never deactivated.
Personal information at risk included names, email addresses, phone numbers, and chat logs with the AI bot. The system also stored personality test results that revealed intimate details about applicants’ work habits and personal traits.
Carroll described the discovery as walking “into an unlocked vault.” The vulnerability allowed anyone to view applicant records by simply changing ID numbers in the system’s web address.
This data exposure creates serious risks for job seekers. Criminals could use the information for phishing scams, posing as McDonald’s recruiters to steal financial details for fake direct deposit setups.
“Had someone exploited this, the phishing risk would have actually been massive,” researcher Sam Curry warned. “It’s that information for people who are looking for a job at McDonald’s, people who are eager and waiting for emails back.”
McDonald’s Australia, which hires over 11,000 workers annually, confirmed thousands of local applicants were affected. The company blamed Paradox.ai for the “unacceptable vulnerability.”
“We’re disappointed by this unacceptable vulnerability from a third-party provider,” a McDonald’s Australia spokesperson said. “As soon as we learned of the issue, we mandated Paradox.ai to remediate the issue immediately, and it was resolved on the same day it was reported to us.”
Paradox.ai acknowledged the breach in a public blog post. Chief Legal Officer Stephanie King said the company takes full responsibility.
“We do not take this matter lightly, even though it was resolved swiftly and effectively,” King told WIRED. “We own this.”
The platform was fixed within hours of the researchers’ report in July 2025. Paradox.ai confirmed that no malicious actors accessed the data before the patch.
The breach affects people already struggling in the job market. Many McDonald’s applicants are young workers or those seeking entry-level positions who may be more susceptible to recruitment scams.
Beyond fraud risks, the exposure could embarrass applicants. Chat logs revealed personal struggles and motivations shared with the AI during the application process.
The incident occurred as more companies adopt AI for hiring. Similar systems are used by Australian retailers Bunnings and Woolworths, raising questions about security across automated recruitment platforms.
Paradox.ai announced a bug bounty program to catch future vulnerabilities. The company emphasized that researchers only accessed seven records total, with five containing personal information.
Security experts warn that the breach demonstrates how rushed AI adoption often neglects basic cybersecurity measures. The failure involved elementary mistakes like default passwords and missing access controls that should never occur in systems handling sensitive data.
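The two account failures described above (a test account left enabled since 2019, and a password that was both trivially common and identical to the username) are the kind of thing a routine audit of a credential store can flag. The sketch below is an added example, not code from Paradox.ai or the researchers; the account schema, the helper names, the PBKDF2 parameters and the sample inventory are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from datetime import date

# Constructed short denylist; a real audit would load a far larger common-password list.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "admin", "letmein"]

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever KDF the real credential store uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(username, password, last_login, enabled=True, is_admin=False):
    # Builds a record in the hypothetical schema used by the audit below.
    salt = os.urandom(16)
    return {"username": username, "salt": salt, "pw_hash": hash_password(password, salt),
            "last_login": last_login, "enabled": enabled, "is_admin": is_admin}

def audit_account(acct: dict, today: date, max_idle_days: int = 365) -> list:
    findings = []
    if not acct["enabled"]:
        return findings  # a disabled account cannot be logged into
    # Try each common password, plus the username itself, against the stored hash.
    for guess in COMMON_PASSWORDS + [acct["username"]]:
        if hmac.compare_digest(hash_password(guess, acct["salt"]), acct["pw_hash"]):
            findings.append("weak-password")
            break
    if (today - acct["last_login"]).days > max_idle_days:
        findings.append("stale-enabled")
    if acct["is_admin"] and findings:
        findings.append("admin-account")  # raises the priority of the findings above
    return findings

def audit_all(accounts, today):
    report = {a["username"]: audit_account(a, today) for a in accounts}
    return {user: f for user, f in report.items() if f}

# Constructed sample inventory; none of these values come from the real system.
SAMPLE_ACCOUNTS = [
    make_account("123456", "123456", date(2019, 6, 1), is_admin=True),
    make_account("recruiter01", "kT9#vq2LmZx!r8Wd", date(2025, 6, 20)),
    make_account("qa-old", "password", date(2020, 1, 15), enabled=False),
]

if __name__ == "__main__":
    for user, findings in audit_all(SAMPLE_ACCOUNTS, date(2025, 7, 1)).items():
        print(user, findings)
```

An audit like this covers only the credential side; the record-by-ID exposure also requires a server-side authorization check on every applicant lookup.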