McDonald's AI hiring chatbot exposed data of 64 million applicants with "123456" password

winjer

Member

Security researcher Ian Carroll successfully logged into an administrative account for Paradox.ai, the company that built McDonald's AI job interviewer, using "123456" as both a username and password. Examining the internal site's code quickly granted access to raw text from every chat it ever conducted.

Job applications at 90 percent of McDonald's franchises conduct interviews with Paradox's AI chatbot, named Olivia. The AI collects names, locations, email addresses, phone numbers, shift availability, and other personal information before conducting rudimentary personality tests. Human overseers view and access this information using Paradox administrative accounts.
Although McDonald's hiring website attempts to push users toward a single sign-on, Carroll noticed a link in small text that led to a separate Paradox employee login page. Shockingly, it accepted the default username and password, immediately revealing the system's inner workings.

After discovering an API in the site's code, Carroll decremented the main parameter of an XHR request for a test chat, which granted access to Olivia's chat history for 64 million applicants. In addition to personal data, the leak also reveals authentication tokens and changes to employment status.

Moreover, when Carroll attempted to alert Paradox to the breach, he was unable to find a security disclosure contact. The company's security page mostly consists of a simple assurance that users shouldn't need to worry about security. Eventually, after the researchers emailed "random people," Paradox and McDonald's confirmed that they resolved the issue in early July.

What a major screw up.
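The article describes two separate failures: an admin login that accepted a default credential pair, and a chat-history API that returned any record whose numeric id the caller supplied. The following is an added illustration (not code from the article, Paradox.ai or McDonald's) of what the hardened versions of those two checks look like: a lookup scoped to the caller's organisation beside the unscoped one, and a login path that rejects well-known default pairs and verifies a salted password hash. All records, organisation names and credentials are constructed for the example.

```python
# Added example, not from the article or any vendor: object-level authorization
# on a record lookup, and a login check that refuses default credentials.
# Every record and account below is constructed for illustration.
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Transcript:
    chat_id: int
    org_id: str
    applicant_email: str
    text: str


# Constructed sample store: sequential ids spanning two hypothetical franchises.
TRANSCRIPTS = {
    1001: Transcript(1001, "franchise-A", "a@example.com", "I can work weekends."),
    1002: Transcript(1002, "franchise-B", "b@example.com", "Mornings only."),
    1003: Transcript(1003, "franchise-A", "c@example.com", "Part-time please."),
}


@dataclass(frozen=True)
class Session:
    user: str
    org_id: str  # the organisation the authenticated reviewer belongs to


class Forbidden(Exception):
    pass


def get_transcript_unscoped(session, chat_id):
    """Weak pattern: the id from the request is trusted as-is, so any
    authenticated caller can walk the id space and read every record."""
    return TRANSCRIPTS.get(chat_id)


def get_transcript_scoped(session, chat_id):
    """Hardened pattern: the record must belong to the caller's organisation.
    Missing and not-yours get the same answer so existence is not leaked."""
    record = TRANSCRIPTS.get(chat_id)
    if record is None or record.org_id != session.org_id:
        raise Forbidden(f"chat {chat_id} not accessible to {session.user}")
    return record


def count_accessible(lookup, session, id_range):
    """Review helper: how many records does one session get back when the
    ids in a range are requested one by one? Used to compare the two lookups."""
    found = 0
    for cid in id_range:
        try:
            if lookup(session, cid) is not None:
                found += 1
        except Forbidden:
            pass
    return found


# A small deny-list of credential pairs that should never authenticate.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("123456", "123456"), ("test", "test")}
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def login_allowed(username, password, known_users):
    """Rejects default pairs outright, then verifies the stored hash with a
    constant-time comparison. known_users maps username -> (salt, digest)."""
    if (username, password) in DEFAULT_CREDENTIALS:
        return False
    entry = known_users.get(username)
    if entry is None:
        return False
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    reviewer = Session("reviewer-a", "franchise-A")
    ids = range(1000, 1005)
    print("unscoped lookup returns", count_accessible(get_transcript_unscoped, reviewer, ids))
    print("scoped lookup returns", count_accessible(get_transcript_scoped, reviewer, ids))
    users = {"reviewer-a": hash_password("correct horse battery staple")}
    print("default pair accepted:", login_allowed("123456", "123456", users))
```

The scoped lookup is the fix for the decrement-the-id problem: the check is on ownership of the object, not on whether the caller is logged in at all. The deny-list in `login_allowed` is a last line of defence; the primary control is never provisioning an account with a default password in the first place.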

 
What strikes me more than anything is how there is no accountability regarding this type of data breach.
Normally you would think about fines in the order of millions of dollars.
 
What strikes me more than anything is how there is no accountability regarding this type of data breach.
Normally you would think about fines in the order of millions of dollars.
Well, technically there was no harm done. The security researcher did not leak the info, and unless it can be proven that someone else has accessed that data, no one can say it was stolen.

It still shouldn't have happened, but unless there is a general data safety law I'm not aware of, securing the data is the best resolution to the problem right now.
 
Well, technically there was no harm done. The security researcher did not leak the info, and unless it can be proven that someone else has accessed that data, no one can say it was stolen.

It still shouldn't have happened, but unless there is a general data safety law I'm not aware of, securing the data is the best resolution to the problem right now.
Apologies, I thought this was a full-blown data breach.

I wonder if this kind of blunder would be a fineable offence under GDPR.
 
Job applications at 90 percent of McDonald's franchises conduct interviews with Paradox's AI chatbot, named Olivia.
Although McDonald's hiring website attempts to push users toward a single sign-on, Carroll noticed a link in small text that led to a separate Paradox employee login page. Shockingly, it accepted the default username and password, immediately revealing the system's inner workings.
Moreover, when Carroll attempted to alert Paradox to the breach, he was unable to find a security disclosure contact. The company's security page mostly consists of a simple assurance that users shouldn't need to worry about security.
Good grief thrice
 
How/why the fuck does McDonald's have 65 million applicants within the small timespan this chatbot has been available?
 
When I worked at McDonald's, the computer downstairs didn't even have a password, and contained information for all the people that ever applied. SS numbers are seriously an outdated and fraud-prone system.
 