McDonald’s AI hiring chatbot exposed data of job candidates


Researchers uncovered a flaw in McHire, raising data privacy and security concerns

by Kurt Knutsson

Many companies now rely on AI to handle parts of the hiring process. Bots screen resumes, filter candidates, and manage preliminary communication before a human steps in. McDonald’s utilizes an AI-powered hiring platform called McHire, which is powered by Paradox.ai’s chatbot, Olivia, to streamline its recruitment process.

While AI brings convenience, it also comes with data privacy risks. This became clear when two security researchers responsibly disclosed a critical vulnerability that exposed a small number of candidate records, despite some early reports suggesting a much larger breach.


What did researchers find in McDonald’s AI hiring platform?

On June 30, 2025, security researchers Ian Carroll and Sam Curry discovered a vulnerability in a Paradox.ai test account related to a single client instance, which serves McDonald’s. Using weak, outdated credentials, they accessed a testing portal and discovered an unauthenticated API endpoint tied to chat interaction records.

They retrieved seven chat logs, five of which included U.S.-based candidate information such as:

  • Full names
  • Email addresses
  • Phone numbers
  • IP addresses

The remaining two records did not include any personal data. Notably, no full job applications, Social Security numbers, or financial information were exposed, and sensitive fields remained protected.


Paradox.ai confirms the scope of the security vulnerability

Paradox.ai responded swiftly, disabling the test account immediately and patching the exposed endpoint within hours of notification. In a public statement, the company confirmed that only five candidate records containing personal information were accessed, and only by the two researchers who ethically disclosed the issue.

The company claims the incident impacted only one Paradox client, believed to be McDonald’s, and no other Paradox.ai clients or systems were affected. There is no evidence of malicious access or that any data was ever leaked or made publicly available. The company went on to say that, “We are confident that, based on our records, this test account was not accessed by any third party other than the security researchers”.

 

What McDonald’s and Paradox.ai are doing now

Paradox.ai admitted the test account, set up before 2019, should have been decommissioned and that legacy credentials no longer met current password standards. In response to the incident, the company has:

  • Revoked the legacy test account credentials
  • Deployed a patch to close the vulnerable endpoint
  • Launched a bug bounty program
  • Added a public-facing contact for security concerns at security@paradox.ai
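The two defects described above (an API endpoint that answered requests without any authentication, and a pre-2019 test account whose credentials no longer met password policy) and the fixes Paradox.ai lists can be modelled in a few lines. The block below is an added example, not Paradox.ai's or McHire's code: the chat-record store, bearer tokens, account names, dates and policy thresholds are all constructed for illustration. It shows the unauthenticated lookup beside a hardened version that requires a valid token and scopes every lookup to the caller's own client instance, and a small audit that flags test accounts with stale credentials or no recent use, the kind of forgotten account the vendor says should have been decommissioned.

```python
"""Added example (not Paradox.ai or McHire code): an unauthenticated chat-record
endpoint beside its hardened form, plus a stale-test-account audit. Every
record, token, account and date here is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample data: two client instances, each owning its own chat records.
CHAT_RECORDS = {
    "client-A": {101: {"name": "Alice Example", "email": "alice@example.test"}},
    "client-B": {202: {"name": "Bob Example", "email": "bob@example.test"}},
}

# Constructed API tokens, each bound to the client instance that issued it.
API_TOKENS = {"tok-client-A": "client-A", "tok-client-B": "client-B"}


def vulnerable_get_record(record_id: int) -> tuple:
    """Before: no credential is checked at all, so any caller who can reach the
    endpoint and supply a record id receives the candidate's personal data."""
    for records in CHAT_RECORDS.values():
        if record_id in records:
            return 200, records[record_id]
    return 404, None


def hardened_get_record(record_id: int, bearer_token: Optional[str]) -> tuple:
    """After: reject callers without a valid token, then look the record up only
    inside that token's own client instance so cross-client reads are impossible."""
    client = API_TOKENS.get(bearer_token or "")
    if client is None:
        return 401, None
    record = CHAT_RECORDS[client].get(record_id)
    if record is None:
        # 404 rather than 403: the status code must not confirm that the id
        # exists under some other client.
        return 404, None
    return 200, record


@dataclass
class Account:
    username: str
    is_test: bool
    created: date
    password_rotated: date
    last_login: Optional[date] = None


def accounts_to_decommission(accounts: list, today: date,
                             max_password_age_days: int = 365,
                             max_idle_days: int = 180) -> list:
    """Flag test accounts whose password is older than policy allows (assumed
    365 days) or that have not been used recently (assumed 180 days)."""
    flagged = []
    for acct in accounts:
        if not acct.is_test:
            continue
        stale_password = (today - acct.password_rotated).days > max_password_age_days
        idle = acct.last_login is None or (today - acct.last_login).days > max_idle_days
        if stale_password or idle:
            flagged.append(acct.username)
    return flagged


# Constructed accounts: one legacy test account, one current one, one production admin.
SAMPLE_ACCOUNTS = [
    Account("legacy-test", True, date(2018, 6, 1), date(2018, 6, 1), None),
    Account("qa-test", True, date(2025, 1, 10), date(2025, 1, 10), date(2025, 6, 20)),
    Account("prod-admin", False, date(2017, 3, 3), date(2017, 3, 3), date(2025, 6, 29)),
]


def sample_audit() -> list:
    """Run the audit over the constructed accounts as of a fixed date."""
    return accounts_to_decommission(SAMPLE_ACCOUNTS, date(2025, 6, 30))


if __name__ == "__main__":
    print("before, no token:", vulnerable_get_record(101))
    print("after, no token:", hardened_get_record(101, None))
    print("after, other client's token:", hardened_get_record(101, "tok-client-B"))
    print("after, owning client's token:", hardened_get_record(101, "tok-client-A"))
    print("test accounts to decommission:", sample_audit())
```

The hardened lookup keys the data by the caller's client rather than by record id alone, which is what turns an authentication fix into an authorization fix as well; the audit is the kind of scheduled check that would have surfaced a test account that had not been logged into in years.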

In response, McDonald’s issued a statement:

“We’re disappointed by this unacceptable vulnerability from a third-party provider, Paradox.ai. As soon as we learned of the issue, we mandated Paradox.ai to remediate the issue immediately and it was resolved on the same day it was reported to us. We take our commitment to cyber security seriously and will continue to hold our third-party providers accountable to meeting our standards of data protection.”


Was it really 64 million job applications?

Early reports suggested that the vulnerability could have exposed up to 64 million job applications. However, researchers never confirmed this number, and Paradox.ai’s investigation did not find any indication that large-scale data scraping occurred. The only records accessed were the seven chat samples pulled by the researchers to verify the issue.

We reached out to Paradox.ai, and a rep told us: “Our public post should serve as Paradox’s official statement. It provides context, as well as some clarification of inaccuracies published in other media.” You can find that statement here. Consistent with their statement, Paradox.ai emphasized that only five candidate records containing personal information were accessed by the security researchers, and there is no evidence of a mass breach or any data being made public.


While the underlying vulnerability was real, only a very limited scope of data was actually accessed, thanks to the actions of the researchers and the vendor’s rapid response.

 

Could this data have been used maliciously?

While the researchers accessed personal information in five records, there is no evidence that attackers ever exploited this data. However, hypothetically, such data could be used for various scams, such as:

  • Impersonating recruiters to collect more personal information
  • Delivering phishing emails under the guise of onboarding
  • Targeting job seekers with fake job offers

The nature of the exposed data makes it sensitive, even if the scope was limited.

 

6 steps to protect your personal data when using online hiring platforms

The McHire security lapse shows how easily personal information can be exposed when AI tools collect job application data. These six steps can help you protect your information before, during, and after applying.

1) Limit the personal data you share

Only share the information needed to complete the application. Do not provide sensitive details like your Social Security Number, bank account information, or full home address unless you are certain the platform is legitimate and secure.

 

2) Get an alias email for job applications

An alias email address is an additional address that delivers mail into the same mailbox as your primary address. It acts as a forwarding address for your primary account. It also keeps your job search organized, helps you spot scams quickly, and limits the damage if a company mishandles your data. See my review of the best secure and private email services here.

 

3) Check for HTTPS and red flags

Before you fill out any forms, check that the website URL begins with https:// and that the site looks secure and professional. Avoid platforms or bots that ask vague or repetitive questions or redirect you without a clear reason.

 

4) Consider a data removal service

Incidents like the McHire breach show how easily personal details can be exposed, even when you think you’re just applying for a job. A data-removal service helps reduce your online footprint by scanning hundreds of data broker sites and requesting the removal of your information. This lowers the risk of your personal data being leaked, exploited in phishing scams, or used for impersonation.

While no service promises to remove all your data from the internet, a removal service is worthwhile if you want to automate the process and keep it running continuously against hundreds of sites over a longer period of time.

Incogni, a service I trust 100% and use myself, helps automate the process by submitting removal requests to hundreds of data brokers and people-search sites on your behalf.

Incogni automatically contacts data brokers on your behalf and requests the removal of your personal information. It also continues monitoring those sites and submits new removal requests if your data reappears.

  • Incogni currently removes personal data from 420+ data broker and people-search websites, and its Unlimited plan allows you to request removals from as many additional sites as you need.
  • Incogni has also received third-party assurance from Deloitte, validating its marketing claims.
  • The goal is simple: make it much harder for strangers, scammers, and cybercriminals to find your personal information online.

CyberGuy Exclusive: 60% off

CyberGuy readers get 60% off Incogni’s annual plans using the links in this article.

The service also includes a 30-day money-back guarantee, so you can try it risk-free and see how much of your information is exposed online.


5) Use strong, unique passwords for job search accounts

If you create accounts on hiring platforms, avoid reusing passwords from other services. A weak or reused password can make it easier for attackers to compromise your data if a site is breached. Consider using a password manager to generate and store secure passwords.

One of the best password managers out there is NordPass. It is secure, user-friendly, and uses zero-knowledge architecture with military-grade XChaCha20 encryption to protect your data. NordPass works across Windows, macOS, Linux, Android, iOS, and major browsers and includes features like:

  • Unlimited password storage
  • Secure sharing
  • Password health reports
  • Auto-fill and emergency access
  • Data breach monitoring to alert you if your credentials have been exposed
  • A Security Dashboard with tools like the Data Breach Scanner and Password Health Checker to identify weak, reused, or compromised passwords

Use NordPass to check if your email or passwords have shown up in known data breaches, and take immediate action if they have.
 
CyberGuy Exclusive Deal: Save 52% now with CyberGuy’s exclusive NordPass offer – Get 1 extra month FREE with a 2-year plan. Try 30 days risk-free for only $1.43 per month!

 

6) Monitor for signs of identity misuse or scam messages

After applying for jobs, stay alert for emails or texts that seem “off.” Scammers often use leaked data to impersonate recruiters or employers, especially after high-profile breaches. Watch for fake onboarding requests or messages asking for sensitive information like bank details or IDs. When in doubt, verify directly with the company.

 


Kurt’s key takeaway

This incident was a serious but limited security issue. Thanks to responsible disclosure by researchers and Paradox.ai’s rapid response, the exposure was contained to just five candidate records, and no personal data was leaked or misused. That said, the event is a reminder: when AI is involved in hiring, data privacy must remain a top concern. Even small oversights, like a forgotten test account, can put real people’s data at risk.

Do you think companies should be more transparent about data protection in their hiring platforms? Let us know in the comments below.


 

 

Copyright 2025 CyberGuy.com.  All rights reserved.  CyberGuy.com articles and content may contain affiliate links that earn a commission when purchases are made.
