AI chatbot’s simple ‘123456’ password risked exposing personal data of millions of McDonald’s job applicants

Recent findings by security researchers have unveiled a significant vulnerability in McDonald's AI-powered hiring chatbot, potentially compromising the personal information of 64 million job applicants. The researchers, Ian Carroll and Sam Curry, discovered that they could easily access sensitive data by using the alarmingly simple username and password combination of '123456'. During their brief security assessment, the duo identified not only this password flaw but also another critical weakness in an internal API. This breach allowed them to view past conversations between applicants and the chatbot, known as McHire, which is operated by Paradox.ai. The exposed data included a wealth of personal information, such as names, email addresses, home addresses, and phone numbers of applicants. In response to the alarming findings, Paradox.ai stated that they addressed the security concerns within a few hours of the researchers' notification. They assured the public that no candidate information was leaked online or made publicly accessible. The revelations were initially reported by Wired, highlighting the urgent need for stronger security protocols in AI-driven hiring processes.