Weak Password on AI Hiring Bot Exposed Data of 64 Million McDonald’s Job Applicants

A significant security lapse was recently uncovered in an AI-powered recruitment tool used by McDonald’s, potentially exposing the personal information of tens of millions of job seekers. The issue? A shockingly simple login: username and password both set to “123456.”

Security researchers Ian Carroll and Sam Curry conducted a brief review of the chatbot system known as McHire, developed by Paradox.ai. Within just a few hours, they discovered multiple vulnerabilities—including a weak default password and an insecure internal API.

These flaws granted access to sensitive applicant data, including full names, email addresses, home addresses, and phone numbers. In total, the chatbot had stored information on over 64 million individuals who had applied for jobs with McDonald’s.

The researchers detailed their findings in a blog post, and their work was first covered by Wired.

Following the report, Paradox.ai responded quickly, stating that all security issues were resolved within hours. The company emphasized that no personal data was publicly leaked or made available online.

This incident is a powerful reminder that basic cybersecurity hygiene—such as enforcing strong passwords and securing internal APIs—remains a critical defense against large-scale data breaches. It also highlights the importance of conducting regular audits, especially for AI-driven platforms handling high volumes of personal information.

At Nubetia, we specialize in helping businesses protect their digital infrastructure, secure AI integrations, and maintain full compliance with data protection standards.


Source: https://techcrunch.com/2025/07/11/ai-chatbots-simple-123456-password-risked-exposing-personal-data-of-millions-of-mcdonalds-job-applicants/