Security researchers made a startling discovery when they found that the personal information of 64 million people who had applied for a job at McDonald’s was accessible due to a major security flaw. By using the incredibly common username and password “123456,” they were able to log into the company’s AI job hiring chatbot and gain unauthorized access to sensitive data.
The Vulnerabilities Uncovered
Ian Carroll and Sam Curry detailed in a blog post that within just a few hours of conducting a security review, they not only uncovered the password issue but also identified another simple security vulnerability in an internal API. This second flaw allowed access to job applicants’ previous conversations with the chatbot, known as McHire, which was provided to McDonald’s by Paradox.ai. The personal data exposed included names, email addresses, home addresses, and phone numbers of the applicants.
Immediate Response
Paradox.ai acted swiftly after the researchers’ report, resolving the security issues within a few hours. They assured the public that candidate information was not leaked online or made publicly available at any point. The swift response from the company helped prevent any further data breaches and potential misuse of the exposed personal information.
The researchers' discovery was first reported by Wired, and it underscores the critical importance of robust cybersecurity measures for safeguarding sensitive data in today’s digital age.
