
McDonald’s job portal breached after researchers use ‘123456’ to access data of 60 million applicants

A major data breach has rocked fast food giant McDonald’s, after independent cybersecurity researchers gained access to the personal information of more than 60 million job applicants, simply by logging into the company’s hiring platform using the password “123456.”


The breach occurred through McHire, McDonald’s global hiring portal, which uses a chatbot named Olivia to interact with candidates, collect resumes, and guide applicants through assessments such as personality tests. The Olivia chatbot is managed by Paradox.ai, a U.S.-based AI recruiting solutions provider.


Security researchers Ian Carroll and Sam Curry uncovered the vulnerability while investigating complaints on Reddit about Olivia’s unusual and nonsensical behavior. Suspecting weaknesses in the system, they initially tested the chatbot for “prompt injection” attacks, a known method for manipulating AI models to leak sensitive information. Finding no immediate flaws, they turned their attention to the McHire portal itself.


That’s when they discovered a login page marked for “Paradox team members.” Entering “123456” as both the username and password, they were granted unrestricted backend access, with no multifactor authentication required. What they found was alarming: a trove of unmasked personal data belonging to tens of millions of applicants, spanning several years.


“I just thought it was pretty uniquely dystopian compared to a normal hiring process,” Carroll told Wired, which first reported the story. “So I started applying for a job, and then after 30 minutes, we had full access to virtually every application that’s ever been made to McDonald’s going back years.”


The leaked data included resumes, names, contact information, and other sensitive personal details. Given the scale and depth of the breach, affected individuals may be at risk of phishing, fraud, or identity theft.


The vulnerability was traced back to Paradox.ai, which acknowledged the error in a public blog post. The company explained that the exposed account was a forgotten internal test account overlooked during routine security checks. It was promptly deactivated after Carroll and Curry disclosed their findings.


McDonald’s, which was notified at the same time as Paradox.ai, condemned the breach and laid the blame squarely on its third-party vendor. “We’re disappointed by this unacceptable vulnerability from a third-party provider, Paradox.ai,” the company said in a statement. “As soon as we learned of the issue, we mandated Paradox.ai to remediate the issue immediately, and it was resolved on the same day it was reported to us.”


Paradox.ai claims that no other unauthorized parties accessed the data and that the breach was contained. Still, the incident raises serious questions about basic security hygiene, particularly when weak or default credentials are left active on systems handling sensitive personal data.



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543