We all know (or should know) how important strong passwords are for protecting online accounts. But sometimes even very large companies make basic mistakes, and this time the culprit is none other than McDonald's.
A security flaw was recently discovered that exposed the chat records of millions of job applicants. The reason? A password so weak it is hard to believe: "123456." That was the password accepted by the admin panel of the chatbot that manages job applications.
In total, the records of more than 64 million applicants were potentially exposed through McHire, the platform McDonald's uses to automate its hiring process. And to make matters worse, both the username and the password were "123456." Hard to believe, but true.
This is a reminder of how important it is to check periodically whether your credentials have appeared in a breach. If you have ever submitted a resume through this platform, it is worth checking whether your email or password has shown up in a leak.
The back door that nobody closed
The exposure did not come from a sophisticated attack or an advanced exploit. It was something much more basic, almost textbook. Everything points to two configuration and implementation errors in McHire, a platform developed by Paradox.ai, a company specializing in human resources chatbots. The system, used by giants such as McDonald's, is designed to streamline hiring through its flagship virtual assistant, Olivia.
Olivia accompanies applicants throughout the selection process: from entering personal details and selecting available schedules to taking personality tests. All of this, in theory, is meant to make the process faster and more efficient.
But not everything worked as expected. As researchers Ian Carroll and Sam Curry explain in their technical write-up, their initial goal was not to find a major security hole. It started out of simple curiosity, after reading complaints on Reddit about Olivia malfunctioning: incoherent responses, lengthy processes, and frustrating interviews.
They decided to take a technical look at whether the system was not only frustrating but also insecure. What they found was troubling.
First, they found that the McHire administration panel, designed for McDonald's franchisees to manage applications, still accepted the default credentials "123456:123456." In the middle of 2025, a password that should not be used even on a test account was still active in a production environment.
Second, they found a vulnerability known as an IDOR (Insecure Direct Object Reference) in an internal API. What does that mean? The API identified each applicant record by a numeric parameter called lead_id. Changing that number in a request returned another applicant's private information, because the server only checked that the record existed, not that the logged-in user was authorized to see it.
“Combining both errors, anyone with a McHire account and access to an inbox could retrieve personal information from more than 64 million people,” Carroll explained.
This type of vulnerability is serious because it requires no advanced knowledge to exploit. Because the API lacked proper authorization controls, anyone with a basic McHire account could simply increment or decrement the identifier in a request and read the confidential data of other candidates. No need to be a hacker, no need to break any encryption. Just changing numbers. An open door, and nobody had bothered to close it.
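To make the missing check concrete, here is an added example (not code from the researchers' write-up or from Paradox.ai) that models the flaw in plain Python: a lookup handler that only verifies a lead_id exists, next to a hardened one that also binds the lookup to the caller's franchise. The Lead and Session types, the org_id field, the franchise names and the sample records are all constructed for illustration; only the lead_id parameter name comes from the article. The enumerate_leads function plays the attacker, walking a range of sequential identifiers the way the text describes.

```python
"""Vulnerable vs. hardened lookup of applicant records by lead_id (illustrative model)."""
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class Lead:
    lead_id: int
    org_id: str   # franchise that owns this applicant record (assumed field)
    name: str
    email: str


@dataclass(frozen=True)
class Session:
    user: str
    org_id: str   # franchise the authenticated user belongs to (assumed field)


# Constructed sample data: two franchises, sequential lead_ids.
LEADS: Dict[int, Lead] = {
    1001: Lead(1001, "franchise-A", "Applicant One", "one@example.com"),
    1002: Lead(1002, "franchise-A", "Applicant Two", "two@example.com"),
    1003: Lead(1003, "franchise-B", "Applicant Three", "three@example.com"),
    1004: Lead(1004, "franchise-B", "Applicant Four", "four@example.com"),
}


class NotFound(Exception):
    """Stands in for an HTTP 404 response."""


def get_lead_vulnerable(session: Session, lead_id: int) -> Lead:
    """IDOR: the caller is authenticated, but nothing checks that the
    record belongs to the caller's franchise. Any valid lead_id is returned."""
    lead = LEADS.get(lead_id)
    if lead is None:
        raise NotFound(lead_id)
    return lead


def get_lead_secure(session: Session, lead_id: int) -> Lead:
    """Hardened: the lookup is scoped to the caller's own franchise.
    'Does not exist' and 'not yours' get the same 404, so an attacker
    cannot even learn which identifiers are in use."""
    lead = LEADS.get(lead_id)
    if lead is None or lead.org_id != session.org_id:
        raise NotFound(lead_id)
    return lead


def enumerate_leads(handler: Callable[[Session, int], Lead],
                    session: Session, start: int, end: int) -> Dict[int, Lead]:
    """Simulate the attack: try every lead_id in [start, end] and keep what comes back."""
    found: Dict[int, Lead] = {}
    for lead_id in range(start, end + 1):
        try:
            found[lead_id] = handler(session, lead_id)
        except NotFound:
            continue
    return found


def count_cross_tenant(handler: Callable[[Session, int], Lead],
                       session: Session, start: int, end: int) -> int:
    """How many records from OTHER franchises the handler leaks to this session."""
    leaked = enumerate_leads(handler, session, start, end)
    return sum(1 for lead in leaked.values() if lead.org_id != session.org_id)


if __name__ == "__main__":
    attacker = Session(user="franchise-A-manager", org_id="franchise-A")
    for name, handler in (("vulnerable", get_lead_vulnerable), ("secure", get_lead_secure)):
        got = enumerate_leads(handler, attacker, 1000, 1010)
        print(f"{name}: {len(got)} records, "
              f"{count_cross_tenant(handler, attacker, 1000, 1010)} from other franchises")
```

The fix is deliberately not "make the IDs unguessable": opaque identifiers raise the cost of enumeration, but the real control is the ownership check in get_lead_secure, applied on every object access. In a real application that check belongs in the data-access layer (for example, a query filtered on both lead_id and the caller's org_id), not in individual endpoints where one can be forgotten.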
[Figure: Exploiting the IDOR bug to view McDonald's job applications]
What did McDonald's and Paradox.ai do about it?
The flaw was reported to Paradox.ai and McDonald's on June 30. The response was swift: McDonald's acknowledged the report in less than an hour, and shortly afterwards the default credentials that had left the admin panel open were disabled.
In an official statement, McDonald's made its position clear:
“We are disappointed by this unacceptable vulnerability in a third-party vendor, Paradox.ai. As soon as we were informed, we ordered that it be fixed immediately, and the issue was resolved that same day.”
For its part, Paradox (the company behind the Olivia chatbot and the McHire platform) deployed a patch for the IDOR vulnerability and stated that it has been mitigated. The company also said it has begun a thorough review of its security to prevent anything similar from happening again.
Paradox further noted that a large share of the exposed records were chatbot interactions, such as button clicks or automated responses, in which the applicant had entered no personal data at all. Even so, the volume of data that was potentially accessible, and the sensitive context of a job application, make the situation more than concerning.