McDonald’s Hiring Bot Hacked in Minutes Using Password ‘123456’

Published On: July 10, 2025
McDonald’s and its hiring tech partner Paradox.ai are under scrutiny after security researchers uncovered a major flaw in their AI hiring system. The issue? An admin account on the platform was protected by the password “123456.”
Researchers Ian Carroll and Sam Curry gained access to McDonald’s recruiting site, McHire.com, in just 30 minutes. The platform, which features the chatbot “Olivia,” is run by Paradox.ai and is used to manage job applications for the fast-food chain.
By guessing the basic credentials, just a username and that weak password, they were able to reach the system’s backend. That gave them visibility into applicant data going back several years, including names, email addresses, and phone numbers. According to the researchers, as many as 64 million records could have been exposed.
“If someone had taken advantage of this, the phishing risk would’ve been massive,” said Curry, explaining that applicants waiting for replies are especially vulnerable to scams posing as job offers.
They found the login link during a conversation with the AI assistant, “Olivia.” From there, gaining access was surprisingly simple. The researchers didn’t go further than necessary, but they confirmed that the data was real and easy to retrieve simply by changing the applicant ID number in the site’s URL, a textbook insecure direct object reference (IDOR): the backend handed over whatever record was requested without checking whether the logged-in account was entitled to see it.
Paradox.ai response
Paradox.ai acknowledged the issue in a blog post and said it was fixed the same day it was reported.
“We do not take this matter lightly, even though it was resolved swiftly and effectively,” said the company’s chief legal officer. The company has also announced plans to launch a bug bounty program to catch vulnerabilities.
What led to the discovery
Carroll was initially drawn in by a Reddit thread criticizing the AI chatbot’s performance. Curious, he and Curry looked into the platform’s backend and quickly found the flaw.
After logging in, they discovered a link that exposed applicant data and realized they could view any applicant’s information by adjusting the ID in the URL, because the server never checked that the record belonged to the account making the request.
It didn’t take advanced hacking—just a simple password and a little curiosity.
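To make the two failures concrete, here is an added Python sketch written for this article; it is not code from Paradox.ai, McHire or the researchers. It models a tenant-scoped applicant store, an account-creation routine that refuses deny-listed passwords such as "123456", a vulnerable lookup that returns any applicant whose ID the caller supplies (the IDOR described above), and the hardened lookup that checks the record belongs to the caller's employer. The employer names, applicant records and the deny list are all constructed for the example.

```python
"""Weak admin password plus IDOR, the two failures in the McHire story,
modelled side by side. All data here is constructed for the example."""

import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample data: two employers (tenants), applicants for each.
APPLICANTS = {
    1001: {"employer": "burgerco",  "name": "Alice Example", "email": "alice@example.com"},
    1002: {"employer": "burgerco",  "name": "Bob Example",   "email": "bob@example.com"},
    2001: {"employer": "tacoshack", "name": "Carol Example", "email": "carol@example.com"},
}

# Constructed deny list. A real deployment checks against a breached- or
# common-password corpus, as NIST SP 800-63B requires, not five strings.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "admin"}

ACCOUNTS = {}  # username -> (salt, pbkdf2 digest, employer)


@dataclass
class Session:
    username: str
    employer: str  # the tenant this login is allowed to see


class AuthError(Exception):
    pass


class AuthzError(Exception):
    pass


def password_is_acceptable(password: str) -> bool:
    """Refuse short or deny-listed passwords at creation/reset time."""
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS


def create_account(username: str, password: str, employer: str) -> None:
    """Store a salted PBKDF2 hash; a '123456' admin never gets created."""
    if not password_is_acceptable(password):
        raise ValueError("password is too short or on the deny list")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    ACCOUNTS[username] = (salt, digest, employer)


def login(username: str, password: str) -> Session:
    """Constant-time digest comparison; same error for unknown user and bad password."""
    entry = ACCOUNTS.get(username)
    if entry is None:
        raise AuthError("bad credentials")
    salt, digest, employer = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    if not hmac.compare_digest(candidate, digest):
        raise AuthError("bad credentials")
    return Session(username, employer)


# ---- vulnerable shape: any valid session can read any applicant ------------
def get_applicant_vulnerable(session: Session, applicant_id: int) -> dict:
    """Looks up by the ID from the URL only. This is the IDOR."""
    try:
        return APPLICANTS[applicant_id]
    except KeyError:
        raise LookupError("no such applicant")


# ---- hardened shape: object-level authorization on every read --------------
def get_applicant(session: Session, applicant_id: int) -> dict:
    """Return the record only if it belongs to the caller's tenant."""
    record = APPLICANTS.get(applicant_id)
    # One error for both "missing" and "not yours", so a caller cannot map
    # the ID space by telling 404 apart from 403.
    if record is None or record["employer"] != session.employer:
        raise AuthzError("applicant not found")
    return record


def enumerate_ids(fetch, session: Session, id_range) -> list:
    """Sweep an ID range the way the researchers did; return the IDs that leak."""
    leaked = []
    for applicant_id in id_range:
        try:
            fetch(session, applicant_id)
            leaked.append(applicant_id)
        except (LookupError, AuthzError):
            pass
    return leaked


if __name__ == "__main__":
    create_account("staff", "correct horse battery staple", "burgerco")
    session = login("staff", "correct horse battery staple")
    print("vulnerable:", enumerate_ids(get_applicant_vulnerable, session, range(1000, 2100)))
    print("hardened:  ", enumerate_ids(get_applicant, session, range(1000, 2100)))
```

Run against the vulnerable lookup, a single low-privilege session sweeping the ID range pulls back every employer's applicants; against the hardened lookup it sees only its own tenant's two records. Note that the authorization check lives in the read path itself rather than in a front-end link, which is why hiding the URL would not have helped.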