McDonald’s Leaks $300M Worth Of Data After AI Sets ‘123456’ As Password

July 18, 2025 by Gavin Pyke

If you’re applying to McDonald’s these days, you’ll probably chat with Olivia, the AI recruiter. Olivia gathers your contact info, résumé, and even personality test responses. Until recently, the platform behind her, built by Paradox.ai, had a shocking security flaw. 

Researchers discovered that typing “123456” for both username and password unlocked everything. That simple trick granted access to 64 million Olivia chat logs and personal details. Wired confirmed the breach’s scope. This wasn’t a targeted hack; it was a basic mistake with massive repercussions.

How Two Experts Found the Flaw in 30 Minutes

Ian Carroll and Sam Curry are respected security researchers known for finding major vulnerabilities. According to Wired, their interest in McDonald’s AI started after spotting a Reddit post mocking the chatbot’s odd replies. They tested the system for AI weaknesses but found none. Then they discovered a hidden Paradox.ai staff login page. 

Carroll tried two common passwords: “admin” and then “123456.” The second worked, giving them admin access in under 30 minutes, as confirmed by The Economic Times. This wasn’t a targeted attack but routine testing.

One Forgotten Account Opened the Floodgates

Paradox.ai created a test account in 2019 to help build the system. But they never disabled it. Wired reported that the account stayed active in McDonald’s real hiring platform for years. News.com.au confirmed it still had full admin access and kept the default credentials that should’ve been deleted long ago.

That one account, buried deep in the system, ended up being the weakest link. It was invisible to audits and forgotten by developers. But it worked perfectly for anyone who found it. And that’s exactly what the researchers did.

The Hidden Staff Login Page

The staff login page was found by poking around McDonald’s hiring site and trying common staff login links. According to Malwarebytes, this technique, called enumeration, is often used to locate weak entry points. 

The Daily Beast confirmed no special hacking was needed. The login page didn’t even require two-factor authentication. The Economic Times said once the password worked, they had full control over 64 million applicant records. It wasn’t a high-tech break-in. It was like trying a random doorknob and walking right into a corporate server room.

There’s More

Once inside, the researchers found an even bigger issue: the system’s API was wide open. TechRadar reported an insecure direct object reference (IDOR) flaw that let them access any applicant’s data by changing a few numbers in the web address. Tom’s Hardware noted there were no limits or security checks.

In theory, they could’ve downloaded the entire 64 million record database. The Economic Times confirmed the data included names, phone numbers, addresses, chat logs, and even personality test answers.
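The IDOR flaw described above, as an added illustration rather than Paradox.ai’s code: a lookup that trusts the id in the URL sits beside one that authorises the specific record, answers unknown and forbidden ids identically, and writes the access log the article says was missing. The applicant records, location ids and `Session` fields are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample store (applicant_id -> record); the real platform held ~64M such rows.
APPLICANTS = {
    1001: {"name": "Applicant A", "phone": "555-0101", "employer_id": "store-7"},
    1002: {"name": "Applicant B", "phone": "555-0102", "employer_id": "store-9"},
}

# The article notes no logging existed; the hardened handler writes here (constructed sink).
AUDIT_LOG = []


@dataclass
class Session:
    user: str
    employer_id: str       # hiring location this staff login is entitled to see
    is_admin: bool = False


class Forbidden(Exception):
    """Raised when the caller may not see the requested applicant."""


def get_applicant_vulnerable(session: Session, applicant_id: int) -> dict:
    """IDOR: the id from the URL is trusted. Any logged-in user who edits the
    number in the address reads any applicant's record; nothing is logged."""
    return APPLICANTS[applicant_id]


def get_applicant_hardened(session: Session, applicant_id: int) -> dict:
    """Authorise the object, not just the session: the record must belong to
    the caller's location (or the caller is an admin). Unknown and forbidden
    ids produce the same error so the response does not reveal which ids exist,
    and every attempt, allowed or not, is written to the audit log."""
    record = APPLICANTS.get(applicant_id)
    allowed = record is not None and (
        session.is_admin or record["employer_id"] == session.employer_id
    )
    AUDIT_LOG.append((session.user, applicant_id, "ok" if allowed else "denied"))
    if not allowed:
        raise Forbidden("applicant not found or not accessible")
    return record
```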

Thank Goodness They Were the Good Guys

Thankfully, the researchers weren’t out to steal anything. According to The Daily Beast, Carroll and Curry immediately alerted both McDonald’s and Paradox.ai. They provided documentation, didn’t save or share the data, and worked with the companies to fix the issue. Wired confirmed the hole was patched within 24 hours. 

Still, there’s no way to know if bad actors had accessed the system earlier. The system had no logging in place to track past activity. That’s what makes this discovery both a relief and a serious wake-up call.

Why the Data Was Worth $300 Million

This breach wasn’t just embarrassing; it was potentially lucrative for criminals. Experts say personal data like emails, phone numbers, and addresses can sell for $2 to $5 per record. Multiply that by 64 million records, and you reach a black-market value of up to $300 million.

According to TechRadar and Tom’s Hardware, scammers could use this data for phishing attacks or identity theft. Personality test data adds another layer, offering clues for fraud and manipulation. The researchers didn’t sell anything, but the potential for harm is massive.

More Than Just Data—A Perfect Phishing Trap

While names and emails may seem basic, the context made this data especially dangerous. As Ian Carroll and Sam Curry told Wired, these weren’t just random identities; they were job seekers waiting to hear from McDonald’s. That made them perfect phishing targets. A scammer could easily pose as a recruiter, request banking info for “direct deposit,” or run a fake hiring scam. 

According to Curry, the emotional vulnerability of applicants made the threat even worse. Even failed job applications could be exploited for shame or coercion. As Curry put it, “If you wanted to run a payroll scam, this was a good approach.”

What the Breach Could Actually Cost McDonald’s

The McHire breach could trigger lawsuits or regulatory probes, though success isn’t guaranteed. The FTC can investigate under Section 5 of the FTC Act, and the CCPA allows affected Californians to sue for up to $750 per person. But most cases get dismissed without proof of harm. GDPR fines could apply if European applicants were impacted, up to €20 million or 4% of global revenue. 

McDonald’s has faced privacy lawsuits before, including a $50 million biometric settlement in 2024. Still, experts say the fast response and ethical disclosure may limit damages this time. The legal threat is real, but far from certain.

Security 101: How the Basics Were Ignored

Experts say this breach violated basic cybersecurity rules. CSO Online explained that good security requires retiring old accounts, avoiding default passwords, and adding multi-factor authentication. 

Armis noted that several layers of protection failed here. Zscaler added that these were common errors any standard audit would’ve flagged. BigID said the system created a “perfect storm” of negligence. 

These were not expert-level problems. They were beginner-level mistakes. For McDonald’s and Paradox.ai, skipping security basics turned into a lesson that may cost hundreds of millions.

A Fast Fix, But Late in the Game

After being alerted, McDonald’s and Paradox.ai acted quickly. Malwarebytes confirmed they closed the vulnerability within 24 hours. Wired reported that Paradox.ai shut down the test account, boosted login protections, and launched a full security review. The Economic Times said McDonald’s released a statement and promised stronger safeguards. 

Paradox.ai also created a bug bounty program to catch future flaws. These actions were the right call, but they came after the damage was already done. The real question is why those protections were not there in the first place.

Big AI, Weak Security: A Growing Problem

This incident shows what happens when companies adopt powerful AI tools but skip the basic security steps. Olivia was designed to handle millions of applications, but her data was protected by a laughably weak system. 

As more companies use AI for hiring, customer service, and healthcare, the risks grow. This wasn’t just about one chatbot. It’s about a bigger issue: smart technology doesn’t work if the systems protecting it are still stuck in the past.

What You Should Do Right Now

If you applied for a job at McDonald’s, assume your data may have been exposed. Watch for phishing emails that mention your name or job history. Experts suggest freezing your credit, enabling fraud alerts, and signing up for identity protection. 

For businesses, the lesson is clear: review your vendor’s security, close unused accounts, and use strong login protections. Launch a bug bounty program before something goes wrong. This breach didn’t involve complex hacking; it was preventable. That means future breaches like this still can be.
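The account-hygiene basics CSO Online lists in the “Security 101” section and the “close unused accounts, use strong login protections” advice here, as an added example that is not from the article or either company: an audit that flags a stale test account with a default password, no MFA and admin rights. The account records, the 365-day staleness threshold and the SHA-256 stand-in for the platform’s password storage are constructed.

```python
import hashlib
from datetime import date, timedelta

# Credentials that must never pass an audit (compared via their stored hash).
DEFAULT_PASSWORDS = {"123456", "admin", "password", "changeme"}
STALE_AFTER = timedelta(days=365)


def hash_pw(pw: str) -> str:
    """Constructed stand-in for the platform's password storage. A real store
    salts its hashes, so an audit would call the verifier on each candidate
    instead of comparing digests directly."""
    return hashlib.sha256(pw.encode()).hexdigest()


DEFAULT_HASHES = {hash_pw(p) for p in DEFAULT_PASSWORDS}

# Constructed sample accounts: a forgotten 2019 test login and a healthy recruiter login.
ACCOUNTS = [
    {"username": "olivia-test", "password_hash": hash_pw("123456"), "mfa_enabled": False,
     "is_admin": True, "created": date(2019, 6, 1), "last_login": None},
    {"username": "recruiter.jane", "password_hash": hash_pw("cR8!vq2#Lm9z"), "mfa_enabled": True,
     "is_admin": False, "created": date(2024, 2, 1), "last_login": date(2025, 7, 10)},
]


def audit_account(acct: dict, today: date) -> list:
    """Return the findings for one account; an empty list means it passes."""
    findings = []
    if acct["password_hash"] in DEFAULT_HASHES:
        findings.append("default or trivial password")
    if not acct["mfa_enabled"]:
        findings.append("MFA not enabled")
    # An account that has never logged in is judged from its creation date.
    last_used = acct["last_login"] or acct["created"]
    if today - last_used > STALE_AFTER:
        findings.append(f"unused since {last_used.isoformat()}; disable it")
    if acct["is_admin"] and "test" in acct["username"].lower():
        findings.append("test account holds admin rights")
    return findings


def audit(accounts: list, today: date) -> dict:
    """Map each failing username to its findings; passing accounts are omitted."""
    return {a["username"]: f for a in accounts if (f := audit_account(a, today))}
```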
