Cybersecurity researchers were able to access the personal information of tens of millions of McDonald’s job applicants after gaining unauthorized entry to the “McHire” site. The AI hiring platform’s staff admin login still used the default credentials, username “admin” and password “123456”, which the ethical hackers were able to guess.

The AI chatbot, called Olivia, was created for McDonald’s by software company Paradox.ai. It’s used by up to 90% of franchisees in the US, Canada, the UK, and Ireland to automate the screening process. As such, it asks for highly personal information, such as job-seekers’ resumes, personality test results, and more.

Some of the records that the researchers, Ian Carroll and Sam Curry, were able to get their hands on include:

  • Names
  • Emails
  • Phone numbers
  • IP addresses
  • Home addresses
  • McHire chat histories and personality test results

While no financial information or social security numbers were directly exposed, the available data is more than enough to carry out phishing attacks. The scale of the potential exposure is also staggering, with the researchers being able to access virtually all previous McHire applications, totaling 60 to 64 million.

What’s particularly troubling is the ease with which the independent testers were able to penetrate the system, as Ian explained to Wired, “I started applying for a job, and then after 30 minutes, we had full access to virtually every application that’s ever been made to McDonald’s going back years.”

According to Ian, they were able to log into the admin account after just two attempts, having first tried “admin” for both the username and password. They then exploited a known insecure direct object reference (IDOR) vulnerability in the API: by changing the applicant ID values in requests, they could view other applicants’ chat logs and personal data.
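The two failures described above, a default admin credential and an API that trusts a client-supplied record ID, are both fixable with a few lines of server-side logic. The following is an added example written for this page, not Paradox’s code or anything from the McHire platform: a vulnerable lookup beside an object-level authorization check, plus a deploy-time guard that refuses known default credentials. The records, franchise names, user names and the deny-list of default passwords are all constructed for illustration.

```python
"""Object-level authorization and default-credential checks (added example).

Nothing here is Paradox's or McDonald's code; the store, principals and
sample records are constructed placeholders.
"""
from dataclasses import dataclass

# Constructed sample data: each application belongs to one franchise.
APPLICATIONS = {
    1001: {"franchise": "store-42", "name": "Applicant A", "chat": "hi, I applied for crew"},
    1002: {"franchise": "store-42", "name": "Applicant B", "chat": "available weekends"},
    1003: {"franchise": "store-77", "name": "Applicant C", "chat": "previous barista"},
}


@dataclass
class Principal:
    """Who is making the request and what they are allowed to administer."""
    user: str
    franchise: str            # the single franchise this staff account manages
    is_global_admin: bool = False


class NotFound(Exception):
    """Raised both for missing records and for records the caller may not see."""


def get_application_insecure(app_id: int) -> dict:
    """The IDOR pattern: the client-supplied ID is the only key that is checked.

    Any authenticated user can walk the ID space and read every record.
    """
    return APPLICATIONS[app_id]


def get_application(principal: Principal, app_id: int) -> dict:
    """Hardened lookup: fetch the record, then verify ownership before returning it.

    Unauthorized access is reported as NotFound rather than Forbidden so that
    the response does not confirm which IDs exist (a design choice, see note).
    """
    record = APPLICATIONS.get(app_id)
    if record is None:
        raise NotFound(app_id)
    if not principal.is_global_admin and record["franchise"] != principal.franchise:
        raise NotFound(app_id)
    return record


# Constructed deny-list of vendor/default pairs; a real deployment would use a
# larger list and also reject anything found in a breached-password corpus.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "123456"), ("admin", "password")}
MIN_PASSWORD_LEN = 12


def weak_credential_findings(accounts: dict[str, str]) -> list[str]:
    """Return usernames whose password is a known default or shorter than the minimum.

    Meant to run at deploy/startup time so the service refuses to come up
    while any staff account still has a default credential.
    """
    findings = []
    for user, password in accounts.items():
        if (user, password) in DEFAULT_CREDENTIALS or len(password) < MIN_PASSWORD_LEN:
            findings.append(user)
    return sorted(findings)


if __name__ == "__main__":
    manager_42 = Principal("manager42", "store-42")
    print(get_application(manager_42, 1001)["name"])        # own franchise: allowed
    try:
        get_application(manager_42, 1003)                     # other franchise: denied
    except NotFound:
        print("1003 hidden from store-42 manager")
    print(weak_credential_findings({"admin": "123456", "ops": "correct-horse-battery"}))
```

Returning NotFound for records the caller does not own is a deliberate choice: a Forbidden response would still confirm that the ID exists, which is exactly the enumeration signal an IDOR walk relies on. The credential check is intentionally a startup gate rather than a login-time warning, since a warning that can be ignored is how “admin/123456” survives in production.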

In an official statement, Paradox said that the researchers reported the vulnerability to them on 30 June, before announcing it publicly. They went on to clarify that, as far as they know, the account was not accessed by any other third parties and that the researchers “only viewed and downloaded five chats in total.”

However, they accepted full responsibility for the incident and thanked the researchers for “responsibly disclosing the issue,” allowing Paradox to address it quickly and discreetly.

Attacks targeting vulnerable job seekers and employers are an increasingly common vector. Earlier this year, a Russian cyber gang exploited Web3 job seekers to spread crypto-stealing malware, while spreading malware via fake job ads on sites like Facebook is becoming more widespread.