A Lesson in Cybersecurity: How a Simple Flaw in a Partner's Software Exposed Millions of McDonald's Job Applicants

A startling security vulnerability in a recruitment platform used by McDonald's has potentially exposed the personal data of up to 64 million job applicants. The incident serves as a powerful reminder of a risk that has plagued the technology sector for decades: the supply chain. I question whether McDonald's had even done thorough cybersecurity due diligence when contracting with Paradox.
I also note that, while the platform in question uses artificial intelligence, the critical error was deeply human and not a failure of AI at all.
The flaw resided in the systems of Paradox AI, the company behind the "Olivia" chatbot used by McDonald's on its "McHire" platform to screen potential employees. The vulnerability, uncovered by security researchers Ian Carroll and Sam Curry, was alarmingly simple: a default password, "123456", was left active on a Paradox staff administrator account. Yes, you are reading this correctly. A password that even my 10-year-old would not choose.
The researchers found that by using the default credentials, they could gain access to the system and then manipulate sequential applicant ID numbers to view the personal information of other candidates. The exposed data included sensitive details such as names, email addresses, phone numbers, and the content of their chat histories with the AI recruiter.

The Real Story: A Classic Supply Chain Failure, Not an AI Flaw
I emphasise: this was not a case of "AI gone wrong." The artificial intelligence used to screen candidates performed its function as designed. The failure was a classic cybersecurity blunder: a weak, default password and an insecure system configuration. This type of vulnerability existed long before the current AI boom, and it underscores a timeless principle: your security is only as strong as that of your partners.
For decades, companies have relied on third-party vendors for software and services, creating complex digital supply chains. From the infamous SolarWinds attack to countless other breaches caused by compromised partner software, this type of risk is not new. The Paradox AI incident is simply the latest high-profile example. It highlights that as companies race to integrate exciting new technologies like AI, they cannot afford to overlook the fundamental security posture of their vendors. The most advanced AI in the world is rendered useless if the front door is left unlocked with a simple, guessable password.
In a public statement, McDonald's expressed its disappointment with the "unacceptable vulnerability" from its third-party provider. The company emphasised that it mandated an immediate fix as soon as it was notified, a standard and necessary reaction when a link in your supply chain is broken. Sadly, they do not mention what checks they had done before asking Paradox to provide the services of "Olivia".
Paradox AI, for its part, has taken full responsibility for the security lapse. The company confirmed that the vulnerability was patched on the same day it was reported and stated that an internal investigation found no evidence of malicious access to the data beyond the security researchers' responsible disclosure. In response to the incident, Paradox AI has announced plans to launch a bug bounty program to encourage the responsible reporting of future security weaknesses. Well, they should also test their systems before production use; penetration testing seems like a useful capability for anyone?
This incident serves as a stark reminder that even the most advanced AI systems are only as secure as their weakest link. The allure of artificial intelligence and its potential to streamline processes like recruitment cannot overshadow the absolute necessity of robust and fundamental cybersecurity measures. A simple, unchanged default password has, in this case, undermined the privacy of millions and served as a costly lesson for both Paradox AI and its high-profile client. It is a powerful illustration that in the race for technological advancement, the basics of security must never be left behind. I am still in shock, but hopeful for change.
Vladimir's Note: The vulnerabilities discovered are classic examples of well-documented security risks catalogued by the Open Web Application Security Project (OWASP). The use of a default password is a textbook case of A07:2021 – Identification and Authentication Failures. The Insecure Direct Object Reference (IDOR) flaw is a direct example of A01:2021 – Broken Access Control, which is ranked number one in the OWASP Top 10 for 2021.
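To make the IDOR described above concrete, here is an added illustration (not Paradox's or McDonald's code, and not from the researchers' write-up) of a record lookup that checks only that the caller is logged in, next to the object-level authorization check that closes the hole. The applicant store, tenant names and session shape are all constructed for the example.

```python
# Added example: sequential applicant IDs behind a login-only check (IDOR),
# and the object-level authorization that fixes it. All data is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Applicant:
    id: int
    employer_id: str          # hypothetical tenant that owns this record
    name: str
    chat_history: str


# Constructed sample store: sequential IDs, records owned by two tenants.
APPLICANTS = {
    1001: Applicant(1001, "acme", "A. Example", "Q: shifts? A: weekends"),
    1002: Applicant(1002, "acme", "B. Example", "Q: start date? A: June"),
    1003: Applicant(1003, "globex", "C. Example", "Q: location? A: north"),
}


@dataclass(frozen=True)
class Session:
    user: str
    employer_id: str          # tenant this login belongs to
    authenticated: bool


class Forbidden(Exception):
    pass


def get_applicant_vulnerable(session: Session, applicant_id: int) -> Applicant:
    """Checks only that *someone* is logged in, then trusts the ID from the
    request. Any account can walk 1001, 1002, 1003, ... across every tenant."""
    if not session.authenticated:
        raise Forbidden("login required")
    return APPLICANTS[applicant_id]          # no ownership check: IDOR


def get_applicant_hardened(session: Session, applicant_id: int) -> Applicant:
    """Object-level authorization: the record must belong to the caller's
    tenant. Missing and foreign records return the same error, so the
    response does not reveal which IDs exist."""
    if not session.authenticated:
        raise Forbidden("login required")
    record = APPLICANTS.get(applicant_id)
    if record is None or record.employer_id != session.employer_id:
        raise Forbidden("not found")         # identical for both cases
    return record


def can_read(session: Session, applicant_id: int) -> bool:
    """Convenience wrapper returning True only if the hardened check passes."""
    try:
        get_applicant_hardened(session, applicant_id)
        return True
    except Forbidden:
        return False
```

The same check belongs in every handler that takes a record identifier from the client; logging the denied lookups also gives a cheap signal for spotting sequential ID enumeration.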