July 14th, 2025

🔍 Key Takeaways
What happened?
Paradox.ai’s AI chatbot “Olivia,” used in McDonald’s McHire hiring platform, contained basic yet critical security flaws. An administrator login was protected by the credentials 123456/123456, and a sequential applicant ID allowed Insecure Direct Object Reference (IDOR) access.
Scope of exposure:
This enabled access to all of the platform's historical chat records, approximately 64 million records, including names, emails, phone numbers, physical addresses, and application data.
Researchers' findings:
In 30 minutes, two cybersecurity professionals (Ian Carroll & Sam Curry) accessed a dormant Paradox.ai test admin account and used ID manipulation to review multiple applicants’ chat logs.
‼️Impact
Potential of mass exposure of PII:
Had this breach been executed by a malicious actor, it could have exposed a trove of applicants' PII, increasing identity theft and phishing risks.
Phishing and social engineering threats:
Attackers could impersonate “McDonald’s recruiters” and trick applicants into sharing banking details, login credentials, or other sensitive data through payroll scams.
Damage to trust and brand integrity:
McDonald’s and Paradox.ai suffered reputational harm. McDonald’s issued statements condemning the lapse and demanding immediate improvements.
💡 Recommendations
Eliminate weak/default credentials:
Enforce strong password policies and immediate decommissioning of dormant/test accounts.
Implement robust authentication:
Require MFA for all admin or sensitive systems access.
Secure APIs and IDs:
Use random or securely generated IDs; prevent insecure direct object references.
Conduct regular assessments and pen-tests:
Continuously assess security posture and test for security vulnerabilities—especially for systems handling PII and sensitive data.
Third-Party vendor oversight & vetting:
Organizations should enforce clear cybersecurity requirements for third-party software/service providers.
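To make the "Secure APIs and IDs" recommendation concrete, here is an added example (not Paradox.ai's code, data model, or API; all class and field names are hypothetical) that places the sequential-ID lookup with no ownership check next to a hardened lookup that uses an unguessable identifier and, more importantly, enforces authorization on the server before returning a chat record.

```python
import secrets
from dataclasses import dataclass


@dataclass
class ChatRecord:
    owner: str       # applicant account that owns the transcript
    employer: str    # restaurant/franchise the application was submitted to
    transcript: str


class ChatStore:
    """Constructed in-memory store; not Paradox.ai's code or data model."""

    def __init__(self):
        self._by_seq = {}    # sequential integer id -> record (the IDOR pattern)
        self._by_token = {}  # unguessable token -> record (the hardened pattern)
        self._next_seq = 1

    def add(self, record):
        """Store one record under both identifiers so the two lookups can be compared."""
        seq = self._next_seq
        self._next_seq += 1
        token = secrets.token_urlsafe(16)   # 128 bits of randomness, not enumerable
        self._by_seq[seq] = record
        self._by_token[token] = record
        return seq, token

    def get_chat_vulnerable(self, applicant_id):
        """Sequential id and no ownership check: any caller can walk every
        transcript simply by incrementing the id, which is the flaw described above."""
        return self._by_seq.get(applicant_id)

    def get_chat(self, caller, role, caller_employer, token):
        """Hardened: random id plus a server-side authorization check.
        The unguessable id is defense in depth; the check is what actually
        prevents insecure direct object reference."""
        record = self._by_token.get(token)
        if record is None:
            return None
        if role == "applicant" and record.owner == caller:
            return record
        if role == "recruiter" and record.employer == caller_employer:
            return record
        # Denied: log it. Repeated denials from one principal indicate enumeration.
        return None
```

The vulnerable method answers any integer the caller supplies; the hardened method returns a record only to the applicant who owns it or to a recruiter for the employer it was submitted to, and a wrong or guessed token yields nothing.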
Read the full article HERE