McDonald’s Job Application Platform Exposed Data of Over 64 Million Applicants in Major Security Flaw


A vulnerability in McDonald’s chatbot-powered job application platform exposed the personal data and chat transcripts of more than 64 million applicants, according to cybersecurity researchers.

The flaw, discovered by Ian Carroll and Sam Curry, allowed anyone with basic knowledge of web traffic to access applicant data simply by changing a number in a URL. Even more worrying? The admin panel of the test franchise used “123456” as both the username and password.

A Cracked Door Left Wide Open

It sounds like something out of a tech horror story: you log in to a hiring dashboard, submit a job application, and next thing you know, you’re staring at other people’s private information. That’s more or less what happened here.

The researchers accessed McHire, the chatbot-based hiring platform used by nearly 90% of McDonald’s U.S. franchisees. The chatbot, named Olivia and built by Paradox.ai, collects names, phone numbers, addresses, email info, and even personality tests from prospective employees.

First, Carroll and Curry logged into a test McHire franchise using default admin credentials—both the username and password were “123456.” No surprises there. What they found next was far more serious.

McHire job application chatbot vulnerability

All It Took Was Tweaking a Number

During their testing, the duo noticed how chat data was retrieved. It went through an API endpoint that looked like this: The interesting part? It used a simple parameter.

They tried something simple: change the number up or down. And just like that, boom—access to a different applicant’s chat and data.

That’s what’s known in cybersecurity as an IDOR vulnerability (short for Insecure Direct Object Reference). It’s when an app exposes its internal record identifiers (here, a sequential number in the URL) and serves whatever record the identifier points to, without checking that the requesting user is actually authorized to see that particular record.
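The IDOR pattern described above, as an added illustration that is not code from the article, McHire or Paradox.ai: a chat-record lookup that trusts the id from the URL, beside a hardened version that enforces per-tenant ownership. The record store, franchise names and ids are constructed for the example.

```python
"""Added example (not from the article or Paradox.ai): a vulnerable chat-record
lookup beside a hardened one. All records, tenants and ids are constructed."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested record."""


@dataclass(frozen=True)
class ChatRecord:
    record_id: int
    franchise_id: str   # hypothetical tenant the applicant applied to
    applicant: str
    transcript: str


# Constructed sample data: two franchises sharing one sequential id space,
# which is exactly what makes "change the number" work against the weak handler.
CHATS = {
    1001: ChatRecord(1001, "store-A", "applicant-1", "Hi, I'd like to apply."),
    1002: ChatRecord(1002, "store-B", "applicant-2", "Available weekends."),
    1003: ChatRecord(1003, "store-A", "applicant-3", "Can start Monday."),
}


def get_chat_vulnerable(record_id: int, caller_franchise: str) -> ChatRecord:
    """The IDOR: the id supplied by the client is trusted as-is and no
    ownership check is made, so any authenticated caller reaches any record."""
    return CHATS[record_id]


def get_chat_hardened(record_id: int, caller_franchise: str) -> ChatRecord:
    """Authorization check: the record must belong to the caller's tenant.
    Missing and foreign records get the same response, so the endpoint does
    not confirm which ids exist."""
    record = CHATS.get(record_id)
    if record is None or record.franchise_id != caller_franchise:
        raise Forbidden("record not found")
    return record


def count_readable(handler, caller_franchise: str, id_range: range) -> int:
    """Authorization test for a handler: how many records in id_range can one
    caller read? For the hardened handler this must equal the caller's own."""
    readable = 0
    for rid in id_range:
        try:
            handler(rid, caller_franchise)
            readable += 1
        except (Forbidden, KeyError):
            pass
    return readable
```

`count_readable` is the kind of check that belongs in a test suite for any endpoint keyed by a client-supplied id: a tenant should never be able to read more records than it owns.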

“Together they allowed us and anyone else with a McHire account and access to any inbox to retrieve the personal data of more than 64 million applicants,” Carroll said in a writeup after their discovery.

How the Data Was Exposed

Here’s a quick look at what was potentially compromised through the IDOR flaw:

  • Full chat transcripts between applicants and the chatbot

  • Names, email addresses, phone numbers

  • Home addresses and availability

  • Session tokens linked to user sessions

Even clicking a button during a chat could leave a digital trace that someone else could later see. Paradox later confirmed that even those minor interactions were visible.

The table below summarizes what was at risk:

| Data Type | Description | Was It Exposed? |
| --- | --- | --- |
| Full Name | Applicant’s full legal name | Yes |
| Email Address | Contact email used during application | Yes |
| Phone Number | Applicant’s submitted phone number | Yes |
| Home Address | Inputted physical residence | Yes |
| Personality Results | Results from the mandatory personality test | Yes |
| Chat Transcripts | Full conversations with chatbot Olivia | Yes |

Corporate Responses: Fast, But Reactive

The researchers reported the issue on June 30. Within an hour, McDonald’s acknowledged the vulnerability. The admin credentials were revoked shortly after, and Paradox deployed a fix for the API issue the same day.

McDonald’s, in a statement to Wired, said, “We’re disappointed by this unacceptable vulnerability from a third-party provider, Paradox.ai. As soon as we learned of the issue, we mandated Paradox.ai to remediate the issue immediately.”

No sugarcoating here—this was a major miss.

Paradox also told BleepingComputer it’s now reviewing internal systems to prevent such flaws going forward. It’s a classic case of closing the barn door after the horse has bolted, but at least the door’s now shut.

The Bigger Picture: Why This Matters Beyond McDonald’s

Sure, this breach happened at a burger chain’s job application portal. But it’s not just about McDonald’s. It’s about how easily personal data can be exposed by companies relying on third-party tools that aren’t properly secured.

Think about this: 64 million people shared their details expecting privacy. That’s nearly one-fifth of the U.S. population. This wasn’t a minor glitch. It was a gaping security hole.

Three short thoughts:

  • It didn’t require hacking tools—just basic curiosity.

  • It lasted long enough to put tens of millions at risk.

  • It happened on a platform trusted by one of the world’s biggest companies.

The Risks of Default Credentials and Poor Oversight

Let’s talk about those admin credentials again. “123456” is one of the most commonly used and insecure passwords in the world. The fact that a live system used it—without being detected—raises real concerns.

McDonald’s may be the public face, but Paradox.ai built the system and allowed this kind of vulnerability to exist unchecked.

This wasn’t an isolated error. It was a sign of lazy defaults, poor configuration, and a lack of auditing. A ticking time bomb, essentially.

And it blew up.

Where It Stands Now

The good news? The hole has been patched. Paradox says the IDOR flaw is closed, and McDonald’s franchises no longer use the laughably weak credentials.

But trust takes time to rebuild. Applicants now know their data was accessible to pretty much anyone who could guess a number and knew how to use a browser’s developer tools.

And the tech industry? They’ve just been handed another reminder: never assume your data is safe just because it lives behind a login screen.

An engineering graduate, Harry turned to writing after a couple of years of experience in the core technology field. At The iBulletin, Harry covers the latest updates related to trending apps and games on the app store.
