Security Bulletin

A Not So Happy Meal: McDonald's AI Hiring Bot Breached Due to a McFlurry of Elementary Security Protocols

July 14th, 2025

🔍 Key Takeaways

  • What happened? Paradox.ai’s AI chatbot “Olivia,” used in McDonald’s McHire hiring platform, contained basic yet critical security flaws. An administrator login was protected by the credentials 123456/123456, and a sequential applicant ID allowed Insecure Direct Object Reference (IDOR) access.

  • Scope of exposure: This enabled access to all of the platform's historical chat records, approximately 64 million records, including names, emails, phone numbers, physical addresses, and application data.

  • Researchers' findings: In 30 minutes, two cybersecurity professionals (Ian Carroll & Sam Curry) accessed a dormant Paradox.ai test admin account and used ID manipulation to review multiple applicants’ chat logs.


‼️Impact

  • Potential for mass exposure of PII: Had this breach been executed by a malicious actor, it could have exposed a trove of applicants' PII, increasing identity theft and phishing risks.

  • Phishing and social engineering threats: Attackers could impersonate “McDonald’s recruiters” and trick applicants into sharing banking details, login credentials, or other sensitive data via payroll scams.

  • Damage to trust and brand integrity: McDonald’s and Paradox.ai suffered reputational harm. McDonald’s issued statements condemning the lapse and demanding immediate improvements.


💡 Recommendations

  • Eliminate weak/default credentials: Enforce strong password policies and immediate decommissioning of dormant/test accounts.

  • Implement robust authentication: Require MFA for all admin or sensitive systems access.

  • Secure APIs and IDs: Use random or securely generated IDs; prevent insecure direct object references.

  • Conduct regular assessments and pen-tests: Continuously assess security posture and test for vulnerabilities, especially in systems handling PII and sensitive data.

  • Third-Party vendor oversight & vetting: Organizations should enforce clear cybersecurity requirements for third-party software/service providers.
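As an added illustration of the "Secure APIs and IDs" recommendation above (example code written for this bulletin, not Paradox.ai's or McHire's implementation), the following Python store for applicant chat records combines two defences against the IDOR pattern described: unguessable record identifiers instead of sequential integers, and an explicit ownership check on every read. The record fields and applicant identifiers are constructed sample data.

```python
"""Added example: IDOR-resistant lookup of applicant chat records.
Record IDs are random tokens (not enumerable by incrementing), and every
read is authorized against the requester, so knowing or guessing another
applicant's record ID is not enough to read it."""
import secrets
from dataclasses import dataclass


@dataclass
class ChatRecord:
    applicant_id: str      # owner of the transcript
    transcript: list[str]  # chatbot conversation lines


class ChatStore:
    def __init__(self) -> None:
        self._records: dict[str, ChatRecord] = {}

    def create(self, applicant_id: str, transcript: list[str]) -> str:
        # 128-bit random, URL-safe token: no ordering, no predictable next ID.
        record_id = secrets.token_urlsafe(16)
        self._records[record_id] = ChatRecord(applicant_id, list(transcript))
        return record_id

    def get(self, record_id: str, requester_id: str,
            is_admin: bool = False) -> ChatRecord:
        # Authorization is enforced server-side on every access. Missing and
        # foreign records produce the same error so the response does not
        # reveal which IDs exist.
        rec = self._records.get(record_id)
        if rec is None or (not is_admin and rec.applicant_id != requester_id):
            raise PermissionError("record not found or not authorized")
        return rec


def demo() -> tuple[str, bool]:
    """Owner reads own record; a horizontal move to another applicant's
    record is refused. Returns (first line read, whether the move was blocked)."""
    store = ChatStore()
    rid_a = store.create("applicant-a", ["Hi, I'd like to apply"])   # constructed
    rid_b = store.create("applicant-b", ["Is the night shift open?"])  # constructed
    first_line = store.get(rid_a, "applicant-a").transcript[0]
    try:
        store.get(rid_b, "applicant-a")
        blocked = False
    except PermissionError:
        blocked = True
    return first_line, blocked
```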
