AI Hiring Bot at McDonald’s Exposes Applicants’ Data

July 16, 2025


Recent revelations about McDonald’s use of an AI hiring chatbot expose some critical security risks in the use of artificial intelligence in the hiring process.

Wired reports that the chatbot, Olivia, built by Paradox.ai, helps screen applicants by collecting personal information and directing them through assessments. Olivia is a central part of McDonald’s hiring tool, McHire.com, used by many of its franchisees.

However, security researchers have recently discovered that the platform has major flaws, including weak administrator credentials, that expose sensitive applicant data.

Researchers Ian Carroll and Sam Curry, known for uncovering software vulnerabilities, became interested in the McHire site after spotting a Reddit post complaining that McDonald’s hiring chatbot wasted applicants’ time with nonsense responses and misunderstandings.

The researchers discovered that by employing straightforward techniques, such as logging into an administrative account with the password “123456,” they could access millions of applicant chat logs. These logs reportedly contained names, email addresses, and phone numbers dating back years.

They alerted Paradox.ai and McDonald’s. Paradox acknowledged the vulnerability in a forthcoming blog post and stated that only a fraction of the exposed records included personal data.

McDonald’s emphasized that no one besides the researchers had accessed the data and promised future security improvements, including the launch of a bug bounty program.

In a statement cited in the Wired report, McDonald’s placed responsibility squarely on Paradox.ai, calling the lapse “unacceptable” and affirming that the issue was resolved the same day it was reported.

Companies always face legal risks when outsourcing services to third parties, especially when they handle sensitive data. The issues McDonald’s faced with Paradox.ai illustrate the importance of vendor due diligence, cybersecurity audits, and clear contractual obligations for data protection.
