McDonald’s McHire bot exposed personal information of 64M people by using ‘123456’ as a password in 2025

A pair of security researchers has revealed vulnerabilities in the McHire chatbot Paradox, developed for McDonald’s, that could have been exploited to reveal personal information about roughly 64 million people who have used the service to apply for jobs at their local franchises. (Hat-tip Wired.)

I was “hacked” the first time when I was 14. I put that in scare quotes because the password for the account was “1234.” (Without the quotes or period, of course, which makes it even worse.) After I regained access to the account, I started using a password manager.

Why is that relevant? Because the researchers who found these vulnerabilities, Ian Carroll and Sam Curry, were able to guess the password used by “Paradox team members” to access McHire: “123456.” That’s slightly better than the password I used, I guess, but not enough to justify its use decades after most people realized that using weak passwords is a bad idea.

There is some good news: “It turned out we had become the administrator of a test restaurant inside the McHire system,” Carroll and Curry wrote. “We could see all of the employees of the restaurant were simply employees of Paradox.ai, the company behind McHire. This was great because we could now see how the app worked, but annoying because we had still not demonstrated any actual confidentiality or integrity impact.”

That’s where the second vulnerability comes in. (Or the first, depending on whether or not you count the embarrassingly bad password as a true vuln.) An insecure direct object reference (IDOR) flaw in the McHire API allowed Carroll and Curry to gain access to the following information from “every chat interaction [from anyone who] ever applied for a job at McDonald’s”:

Name, email address, phone number, address
Candidacy state and every state change/form input the candidate had submitted (shifts they could work, etc)
Auth token to log into the consumer UI as that user, leaking their raw chat messages and presumably other information

Carroll and Curry noted that Paradox had previously bragged that 90% of McDonald’s franchises were using McHire as part of their hiring practices. (That link still leads to the appropriate post on Paradox’s blog, but the section related to McDonald’s has been removed, and neither the Wayback Machine nor Google’s cache has saved old versions of the post. Weird!)

So let’s compare and contrast. I secured a forum account with the password “1234” when I was a teenager; that account’s compromise was ultimately meaningless. Paradox raised $200 million in 2020, McDonald’s has a $213 billion market cap, and McHire’s flaws exposed information about tens of millions of people. But at least their password was two characters longer!

Perhaps the only bright side is that Carroll and Curry said the McHire vulnerabilities were addressed a day after their disclosure. Hopefully the companies involved will hold themselves to a McHigher standard now.

link