McDonald's is the world's largest fast food chain with over 40,000 locations globally. Their AI hiring platform McHire built by Paradox.ai uses a chatbot named Olivia to screen job applicants. A security researcher applied for a McDonald's job out of curiosity and within 30 minutes had full access to every job application ever submitted through the platform. Security researchers Ian Carroll and Sam Curry discovered that McDonald's McHire hiring platform had catastrophically basic security vulnerabilities including an administrator account protected by the username and password "123456." This allowed anyone to access 64 million records containing applicants' names, email addresses, and phone numbers going back years. The vulnerability was discovered and reported in July 2025 and fixed the same day it was reported.
Initial Access
Laughably Weak Administrator
confirmed
Security researchers accessed the McHire backend by guessing that an administrator account used "123456" as both username and password. No sophisticated hacking required. No tools. No exploits. Just typing the most common password in existence into an admin login screen and getting full access.
Defender cut points
- Enforce strong password policies with minimum complexity requirements on all administrator accounts
- Implement account lockout after failed login attempts to prevent credential guessing
- Deploy phishing-resistant MFA on all administrative accounts regardless of platform criticality
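The first two cut points above, as an added example that is not McHire's or Paradox.ai's code: a hypothetical admin login store that refuses a password like "123456" (denylisted, too short, identical to the username) at account creation, and locks the account after MAX_FAILURES bad attempts before the password is even compared. The clock parameter is an assumption for testability; the denylist is constructed and far smaller than a real breached-password corpus.

```python
import hashlib, hmac, os, time
# Constructed denylist for the example; production should check a large breached-password corpus.
COMMON_PASSWORDS = {"123456", "12345678", "password", "admin", "qwerty"}
MIN_LENGTH = 12
MAX_FAILURES = 5        # failed attempts before lockout
LOCKOUT_SECONDS = 900   # lockout duration

def password_policy_violations(username, password):
    problems = []   # rules the candidate password breaks; empty list means acceptable
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on common-password denylist")
    if password.lower() == username.lower():
        problems.append("identical to username")
    return problems

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class AdminAuth:
    def __init__(self, clock=time.time):
        self.accounts = {}   # username -> salt, digest, failure counter, lockout expiry
        self.clock = clock   # injectable so tests can advance time

    def create(self, username, password):
        problems = password_policy_violations(username, password)
        if problems:
            raise ValueError("rejected password: " + "; ".join(problems))
        salt = os.urandom(16)
        self.accounts[username] = {"salt": salt, "digest": _digest(password, salt),
                                   "failures": 0, "locked_until": 0.0}

    def login(self, username, password):
        acct, now = self.accounts.get(username), self.clock()   # returns 'ok', 'denied' or 'locked'
        if acct is None:
            _digest(password, b"\0" * 16)   # same work for unknown users, so timing does not leak names
            return "denied"
        if now < acct["locked_until"]:
            return "locked"
        if hmac.compare_digest(acct["digest"], _digest(password, acct["salt"])):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["locked_until"] = now + LOCKOUT_SECONDS
            acct["failures"] = 0
            return "locked"
        return "denied"
```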