Support NeoGAF

[winjer]

McDonald's AI hiring chatbot exposed data of 64 million applicants with "123456" password

Security researcher Ian Carroll successfully logged into an administrative account for Paradox.ai, the company that built McDonald's AI job interviewer, using "123456" as both a username and...

www.techspot.com

Security researcher Ian Carroll successfully logged into an administrative account for Paradox.ai, the company that built McDonald's AI job interviewer, using "123456" as both a username and password. Examining the internal site's code quickly granted access to raw text from every chat it ever conducted.

Job applications at 90 percent of McDonald's franchises conduct interviews with Paradox's AI chatbot, named Olivia. The AI collects names, locations, email addresses, phone numbers, shift availability, and other personal information before conducting rudimentary personality tests. Human overseers view and access this information using Paradox administrative accounts.

Although McDonald's hiring website attempts to push users toward a single sign-on, Carroll noticed a link in small text that led to a separate Paradox employee login page. Shockingly, it accepted the default username and password, immediately revealing the system's inner workings.

After discovering an API in the site's code, Carroll decremented the main parameter of an XHR request for a test chat, which granted access to Olivia's chat history for 64 million applicants. In addition to personal data, the leak also reveals authentication tokens and changes to employment status.

Moreover, when Carroll attempted to alert Paradox to the breach, he was unable to find a security disclosure contact. The company's security page mostly consists of a simple assurance that users shouldn't need to worry about security. Eventually, after the researchers emailed "random people," Paradox and McDonald's confirmed that they resolved the issue in early July.

What a major screw up.

 

[Miles708]

What strikes me most than anything is how no accountability is there regarding this type of data breaches.
Normally you would think about fines in the order of millions of dollars.

 

[chromhound]

Didn't even know McDonalds had a AI lol

 

[Kilau]

 

[Jinzo Prime]

What strikes me most than anything is how no accountability is there regarding this type of data breaches.
Normally you would think about fines in the order of millions of dollars.

Well, technically there was no harm done. The security researcher did not leak the info, and unless it can be proven that someone else has accessed that data, no one can say it was stolen.

It still shouldn't have happened, but unless there is a general data safety law I'm not aware of, securing the data is the best resolution to the problem right now.

 

[AJUMP23]

Your information is only as secure as the dumbest user.

 

[Miles708]

Well, technically there was no harm done. The security researcher did not leak the info, and unless it can be proven that someone else has accessed that data, no one can say it was stolen.

It still shouldn't have happened, but unless there is a general data safety law I'm not aware of, securing the data is the best resolution to the problem right now.

Apologies, I thought this was a full blown data breach.

I wonder if this kind of blunder would be a fineable offence under GDPR

 

[Melon Husk]

Job applications at 90 percent of McDonald's franchises conduct interviews with Paradox's AI chatbot, named Olivia.

Although McDonald's hiring website attempts to push users toward a single sign-on, Carroll noticed a link in small text that led to a separate Paradox employee login page. Shockingly, it accepted the default username and password, immediately revealing the system's inner workings.

Moreover, when Carroll attempted to alert Paradox to the breach, he was unable to find a security disclosure contact. The company's security page mostly consists of a simple assurance that users shouldn't need to worry about security.

Good grief thrice

 

[Dr.Morris79]

 

[Trunx81]

 

[Rentahamster]

Just when I was coming to terms about the food being artificial, you tell me that the intelligence at McDonald's is, too?

 

[poppabk]

Just when I was coming to terms about the food being artificial, you tell me that the intelligence at McDonald's is, too?

Ironically, it was the human intelligence that left the username and password as 12345.

 

[DonkeyPunchJr]

Was Alyssa Mercante one of the applicants?

 

[Haint]

How/why the fuck does McDonald's have 65 million applicants within the small timespan this chatbot has been available?

 

[winjer]

How/why the fuck does McDonald's have 65 million applicants within the small timespan this chatbot had been available?

The chatbot has access to the whole database, with data from previous years.

 

[Haint]

The chatbot has access to the whole database, with data from previous years.

That's still a metric shit ton of applications, they're not keeping them on file more than a few years.

 

[Sub_Level]

I haven't had McDonalds in a week and I am going through McDrawals.

Do you guys get it? lmao

 

[Magic Carpet]

Hello, will you be using your mobile app today?

 

[winjer]

That's still a metric shit ton of applications, they're not keeping them on file more than a few years.

Seems like they keep them for a long time.
And all this data is probably from around the globe, not just the USA.

 

[lughnasadh123]

Would love to hear the excuse on this one.

"Sorry guys, I just thought everyone was lazy like me and would stop trying at 5 digits."

 

[Blade2.0]

How/why the fuck does McDonald's have 65 million applicants within the small timespan this chatbot has been available?

They're one of the biggest companies on planet earth. These are small numbers, honestly.

 

[Mistake]

When I worked at mcdonalds, the computer downstairs didn't even have a password, and contained information for all the people that ever applied. SS numbers are seriously an outdated and fraud prone system