McDonald’s is facing serious questions about its digital security after researchers revealed that a glaring vulnerability in its job application platform exposed the personal data of 64 million applicants across the U.S., Canada, and other countries. The breach, tied to its widely used McHire platform, was caused by the use of a default admin login with the credentials “123456” for both the username and password.
The vulnerability was uncovered by ethical hackers Ian Carroll and Sam Curry, known for identifying security flaws in major systems. Their investigation found that McHire’s admin portal granted full back-end access without any form of robust authentication. Once logged in, they could view sensitive information collected by “Olivia,” the AI-powered chatbot that handles job applications, interview scheduling, and personality assessments for about 90 percent of McDonald’s franchises.
Researchers say they were able to access raw chat logs, resumes, shift preferences, and personally identifiable information, including names, emails, phone numbers, addresses, and candidacy status updates. “We immediately began disclosure of this issue once we realized the potential impact,” the researchers noted in their report.
The discovery was reported to Paradox.ai—the AI software company behind Olivia—as well as to McDonald’s on June 30. Paradox.ai responded by saying the breach was linked to a test account that had never been properly deactivated. The company admitted its previous penetration testing failed to detect the issue and confirmed it had resolved the problem by July 1.
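The two root causes described above, a default credential pair and a test account that was never deactivated, are both things a periodic account audit can catch. The script below is an added example written for this article, not code from Paradox.ai, McDonald’s or the researchers; the account records are constructed, and the record fields (`password_sha256`, `role`, `active`, `last_login`) are assumptions about what an identity-provider export might contain.

```python
"""Audit an exported user directory for two failure modes:
(1) default or weak credentials such as "123456"/"123456", and
(2) test/demo accounts that are still active but idle or never used.
Added example with constructed data; field names are assumed."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Account:
    username: str
    password_sha256: str        # assumed export format: unsalted hex digest
    role: str
    active: bool
    last_login: Optional[datetime]


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


# Short denylist of well-known default passwords (constructed). A production
# audit would use a full breached-password list and the system's own password
# verifier, since real stores are salted.
DEFAULT_PASSWORDS = {"123456", "password", "admin", "changeme", "welcome1"}
TEST_MARKERS = ("test", "demo", "qa", "tmp")


def weak_credential_findings(accounts: List[Account]) -> List[str]:
    """Report accounts whose password is a known default or equals the username."""
    denylist = {sha256_hex(p) for p in DEFAULT_PASSWORDS}
    findings = []
    for a in accounts:
        if a.password_sha256 in denylist:
            findings.append(f"{a.username}: password is a known default")
        elif a.password_sha256 == sha256_hex(a.username):
            findings.append(f"{a.username}: password equals username")
    return findings


def stale_test_account_findings(accounts: List[Account], now: datetime,
                                max_idle_days: int = 30) -> List[str]:
    """Report active accounts that look like test accounts and have been idle
    longer than max_idle_days (or were never logged into at all)."""
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for a in accounts:
        if not a.active:
            continue
        looks_like_test = any(m in a.username.lower() for m in TEST_MARKERS)
        idle = a.last_login is None or a.last_login < cutoff
        if looks_like_test and idle:
            when = a.last_login.date().isoformat() if a.last_login else "never used"
            findings.append(f"{a.username}: active {a.role} test account, last login {when}")
    return findings


# Constructed sample directory (not real data). Audit date is also constructed.
NOW = datetime(2025, 7, 1)
SAMPLE_ACCOUNTS = [
    Account("123456", sha256_hex("123456"), "admin", True, None),
    Account("jdoe", sha256_hex("jdoe"), "recruiter", True, datetime(2025, 6, 28)),
    Account("recruiter1", sha256_hex("Vx!9qL#2pTz8wR"), "recruiter", True, datetime(2025, 6, 30)),
    Account("qa-admin", sha256_hex("Hj7$kP0m@Qw1zN"), "admin", True, datetime(2023, 5, 2)),
    Account("demo-old", sha256_hex("demo"), "viewer", False, None),  # deactivated: skipped
]


def run_audit(accounts: List[Account], now: datetime) -> dict:
    """Run both checks and return findings keyed by check name."""
    return {
        "weak_credentials": weak_credential_findings(accounts),
        "stale_test_accounts": stale_test_account_findings(accounts, now),
    }


if __name__ == "__main__":
    for check, items in run_audit(SAMPLE_ACCOUNTS, NOW).items():
        print(f"== {check} ==")
        for line in items:
            print("  " + line)
```

On the constructed data the weak-credential check flags the `123456` admin and `jdoe`, and the stale-account check flags `qa-admin`, an active admin that has not been used for two years; the deactivated `demo-old` record is correctly ignored. The point of the second check is that a test account's risk is its privilege multiplied by nobody watching it, so "active admin, no recent login" is the condition worth alerting on.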
While Paradox.ai emphasized that no client information was leaked publicly and that only the researchers accessed the data, the incident has still raised major concerns about cybersecurity practices in corporate recruiting systems.
McDonald’s Canada issued a statement calling the vulnerability “unacceptable” and emphasized that the matter was addressed the same day it was reported. “We take our commitment to cybersecurity seriously and will continue to hold our third-party providers accountable to meeting our standards of data protection,” the company said.