
McDonald’s AI Hiring Bot Data Leak Exposes Millions of Job Applicant Records

  • Writer: Rex
  • Jul 21
  • 1 min read

The data leak in McDonald’s AI hiring bot has raised serious concerns about data security in AI-powered recruitment tools. Security researchers Ian Carroll and Sam Curry discovered that the McHire system, operated for McDonald's by Paradox.ai, had an administrator login that still accepted the default password 123456. That single oversight gave them backend access, from which they identified an insecure direct object reference (IDOR) vulnerability in the system's APIs: endpoints returned records by identifier without checking that the requester was entitled to see them. Through this vulnerability they could reach the chat records of more than 64 million job applicants.
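The IDOR described above, as an added illustration that is not code from the original post or from Paradox.ai: a constructed in-memory applicant-chat lookup with the vulnerable handler next to a hardened one, plus the enumeration loop an attacker holding one low-privilege account would run against it. All names, IDs, transcripts and the staff-scope table are made up for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    """Authenticated principal. role is 'applicant' or 'staff'."""
    user_id: int
    role: str


@dataclass(frozen=True)
class Transcript:
    transcript_id: int
    applicant_id: int
    restaurant_id: int
    text: str


class Forbidden(Exception):
    """No valid session."""


class NotFound(Exception):
    """Record missing, or (hardened handler only) caller not entitled to it."""


# Constructed sample data, not real applicants. Sequential IDs are typical
# of this class of bug and make the enumeration below trivial.
TRANSCRIPTS: Dict[int, Transcript] = {
    1001: Transcript(1001, applicant_id=1, restaurant_id=42,
                     text="Alice Example, phone 555-0101"),
    1002: Transcript(1002, applicant_id=2, restaurant_id=42,
                     text="Bob Example, email bob@example.test"),
    1003: Transcript(1003, applicant_id=3, restaurant_id=77,
                     text="Carol Example, phone 555-0103"),
}

# Which restaurants each staff account may see (constructed, hypothetical).
STAFF_SCOPE: Dict[int, Tuple[int, ...]] = {900: (42,)}


def get_transcript_vulnerable(session: Optional[Session],
                              transcript_id: int) -> Transcript:
    """IDOR: checks that *a* session exists, then returns whatever record
    the caller names. Authentication without authorization."""
    if session is None:
        raise Forbidden("login required")
    try:
        return TRANSCRIPTS[transcript_id]
    except KeyError:
        raise NotFound(transcript_id) from None


def _may_read(session: Session, t: Transcript) -> bool:
    """Object-level authorization: the rule the vulnerable handler lacks."""
    if session.role == "applicant":
        return t.applicant_id == session.user_id
    if session.role == "staff":
        return t.restaurant_id in STAFF_SCOPE.get(session.user_id, ())
    return False


def get_transcript_hardened(session: Optional[Session],
                            transcript_id: int) -> Transcript:
    """Same endpoint with an ownership/scope check on every lookup.
    Missing and unauthorized both map to NotFound so the response does not
    confirm which IDs exist."""
    if session is None:
        raise Forbidden("login required")
    t = TRANSCRIPTS.get(transcript_id)
    if t is None or not _may_read(session, t):
        raise NotFound(transcript_id)
    return t


Handler = Callable[[Optional[Session], int], Transcript]


def enumerate_transcripts(handler: Handler, session: Optional[Session],
                          ids: Iterable[int]) -> List[Transcript]:
    """What an attacker with one low-privilege account does: walk the ID
    space and keep every record the handler hands back."""
    leaked: List[Transcript] = []
    for tid in ids:
        try:
            leaked.append(handler(session, tid))
        except (Forbidden, NotFound):
            continue
    return leaked


if __name__ == "__main__":
    bob = Session(user_id=2, role="applicant")  # owns transcript 1002 only
    for name, handler in (("vulnerable", get_transcript_vulnerable),
                          ("hardened", get_transcript_hardened)):
        got = enumerate_transcripts(handler, bob, range(1000, 1010))
        print(f"{name}: applicant 2 retrieved {[t.transcript_id for t in got]}")
```

Run stand-alone, the vulnerable handler lets applicant 2 pull all three transcripts, while the hardened one returns only their own. The check has to run on every object access, not once at login; switching to random identifiers raises the cost of enumeration but is not a substitute for the authorization rule in `_may_read`.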

Although the researchers looked at only five records, to avoid compromising applicant privacy any further, the transcripts they sampled contained personally identifiable information (PII) such as names, phone numbers, and email addresses. No malicious access has been reported, but the McDonald’s AI hiring bot data leak still represents a serious threat: data of this kind is readily usable in phishing or social engineering attacks against applicants. McDonald's responded quickly to the researchers' findings, revoking access and changing the passwords within hours of the disclosure on June 30, 2025.

By July 1, Paradox.ai had fixed the vulnerability and went a step further by launching a bug bounty program to catch future security slips. The McDonald’s AI hiring bot data leak underscores the importance of robust security measures, particularly when deploying AI tools that handle sensitive user data. This incident should be an eye-opener for companies that depend on automation: fundamental cybersecurity hygiene, such as disabling default credentials and auditing third-party systems, is not optional.
