Many companies now rely on AI to handle parts of the hiring process. Bots screen resumes, filter candidates, and manage preliminary communication before a human steps in. McDonald’s utilizes an AI-powered hiring platform called McHire, which is powered by Paradox.ai’s chatbot, Olivia, to streamline its recruitment process.
While AI brings convenience, it also comes with data privacy risks. This became clear when two security researchers responsibly disclosed a critical vulnerability that exposed a small number of candidate records, despite some early reports suggesting a much larger breach.
Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM/NEWSLETTER
A McDonald’s sign (Kurt “CyberGuy” Knutsson)
What did researchers find in McDonald’s AI hiring platform?
On June 30, 2025, security researchers Ian Carroll and Sam Curry discovered a vulnerability in a Paradox.ai test account related to a single client instance, which serves McDonald’s. Using weak, outdated credentials, they accessed a testing portal and discovered an unauthenticated API endpoint tied to chat interaction records.
They retrieved seven chat logs, five of which included U.S.-based candidate information such as:
- Full names
- Email addresses
- Phone numbers
- IP addresses
The remaining two records did not include any personal data. Notably, no full job applications, Social Security numbers, or financial information were exposed, and sensitive fields remained protected.
Paradox.ai confirms the scope of the security vulnerability
Paradox.ai responded swiftly, disabling the test account immediately and patching the exposed endpoint within hours of notification. In a public statement, the company confirmed that only five candidate records containing personal information were accessed, and only by the two researchers who ethically disclosed the issue.
The company claims the incident impacted only one Paradox client, believed to be McDonald’s, and no other Paradox.ai clients or systems were affected. There is no evidence of malicious access or that any data was ever leaked or made publicly available. The company went on to say that, “We are confident that, based on our records, this test account was not accessed by any third party other than the security researchers.”
What McDonald’s and Paradox.ai are doing now
Paradox.ai admitted the test account, set up before 2019, should have been decommissioned, and that legacy credentials no longer met current password standards. In response to the incident, the company has:
- Revoked the legacy test account credentials
- Deployed a patch to close the vulnerable endpoint
- Launched a bug bounty program
- Added a public-facing contact for security concerns at security@paradox.ai
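The two root causes described above, a legacy test account that was never decommissioned and an API endpoint that returned chat records without authentication, are both things a vendor can check for in code. The following Python is an added illustration written for this article, not Paradox.ai's or McDonald's own code; the account names, client IDs, dates and chat records are constructed, and the policy thresholds (365-day test-account lifetime, 90-day idle limit) are assumed values.

```python
"""Defender-side checks for the two failure modes in the McHire incident:
stale test accounts with legacy credentials, and a record-lookup endpoint
that does not verify who is asking. All data here is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    username: str
    client_id: str                  # tenant (client instance) the account serves
    is_test: bool
    created: date
    last_login: Optional[date]      # None means the account has never been used
    password_meets_policy: bool     # result of checking against current rules
    disabled: bool = False


@dataclass(frozen=True)
class ChatRecord:
    record_id: int
    client_id: str
    candidate_email: Optional[str]  # None when the log holds no personal data


# Constructed sample inventory; none of this is real McHire or Paradox.ai data.
ACCOUNTS = [
    Account("legacy-test", "client-a", True, date(2018, 6, 1), None, False),
    Account("qa-current", "client-a", True, date(2025, 1, 15), date(2025, 6, 20), True),
    Account("recruiter-b", "client-b", False, date(2023, 1, 5), date(2025, 6, 29), True),
]
RECORDS = {
    1: ChatRecord(1, "client-a", "candidate@example.com"),
    2: ChatRecord(2, "client-a", None),
    3: ChatRecord(3, "client-b", "other@example.com"),
}
TODAY = date(2025, 6, 30)   # fixed audit date so the example is reproducible


def audit_accounts(accounts: List[Account], today: date,
                   test_max_age_days: int = 365,
                   max_idle_days: int = 90) -> Dict[str, List[str]]:
    """Return {username: [reasons]} for accounts that should be disabled or rotated.

    A test account older than the allowed lifetime, an account that has never
    logged in or has been idle too long, or a password that fails current
    policy each produce a finding."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        if acct.disabled:
            continue
        reasons = []
        if acct.is_test and (today - acct.created).days > test_max_age_days:
            reasons.append("test account older than %d days" % test_max_age_days)
        if acct.last_login is None:
            reasons.append("never logged in")
        elif (today - acct.last_login).days > max_idle_days:
            reasons.append("idle for more than %d days" % max_idle_days)
        if not acct.password_meets_policy:
            reasons.append("password fails current policy")
        if reasons:
            findings[acct.username] = reasons
    return findings


class AuthError(Exception):
    """Raised when a request has no valid principal or crosses a tenant boundary."""


def fetch_chat_record(record_id: int, principal: Optional[Account],
                      records: Dict[int, ChatRecord] = RECORDS) -> ChatRecord:
    """Return a chat record only to an enabled account of the same client."""
    if principal is None or principal.disabled:
        raise AuthError("authentication required")
    record = records.get(record_id)
    if record is None or record.client_id != principal.client_id:
        # Same answer for "no such record" and "another tenant's record", so the
        # endpoint does not reveal which record IDs exist.
        raise AuthError("record not available to this account")
    return record


def access_outcome(record_id: int, principal: Optional[Account]) -> str:
    """Convenience wrapper: 'allowed' or the denial reason as a string."""
    try:
        fetch_chat_record(record_id, principal)
        return "allowed"
    except AuthError as exc:
        return str(exc)


if __name__ == "__main__":
    for user, reasons in audit_accounts(ACCOUNTS, TODAY).items():
        print(user, "->", "; ".join(reasons))
    print("anonymous reading record 1:", access_outcome(1, None))
    print("qa-current reading record 1:", access_outcome(1, ACCOUNTS[1]))
    print("recruiter-b reading record 1:", access_outcome(1, ACCOUNTS[2]))
```

Run as a script, the audit flags only the 2018 test account (too old, never used, legacy password), while the endpoint refuses an anonymous caller and a caller from a different client and serves the record to an enabled account in the same client. The point of `audit_accounts` is that it is cheap to run on a schedule: an account like the one in this incident would have been on the list every day for years.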
In response, McDonald’s issued a statement:
“We’re disappointed by this unacceptable vulnerability from a third-party provider, Paradox.ai. As soon as we learned of the issue, we mandated Paradox.ai to remediate the issue immediately, and it was resolved on the same day it was reported to us. We take our commitment to cyber security seriously and will continue to hold our third-party providers accountable to meeting our standards of data protection.”
Was it really 64 million job applications?
Early reports suggested that the vulnerability could have exposed up to 64 million job applications. However, the researchers never confirmed this number, and Paradox.ai’s investigation found no indication that large-scale data scraping occurred. The only records accessed were the seven chat samples pulled by the researchers to verify the issue.
We reached out to Paradox.ai, and a rep told us: “Our public post should serve as Paradox’s official statement. It provides context, as well as some clarification of inaccuracies published in other media.” Consistent with their statement, Paradox.ai emphasized that only five candidate records containing personal information were accessed by the security researchers, and there is no evidence of a mass breach or any data being made public.
While the underlying vulnerability was real, only a very limited scope of data was actually accessed, thanks to the actions of the researchers and the vendor’s rapid response.
Could this data have been used maliciously?
While the researchers accessed personal information in five records, there is no evidence that attackers ever exploited this data. However, hypothetically, such data could be used for various scams, such as:
- Impersonating recruiters to collect more personal information
- Delivering phishing emails under the guise of onboarding
- Targeting job seekers with fake job offers
The nature of the exposed data makes it sensitive, even if the scope was limited.
6 steps to protect your personal data when using online hiring platforms
The McHire breach shows how easily personal information can be exposed when AI tools collect job application data. These six steps can help you protect your information before, during, and after applying.
1. Limit the personal data you share
Only share the information needed to complete the application. Do not provide sensitive details like your Social Security Number, bank account information, or full home address unless you are certain the platform is legitimate and secure.
2. Get an alias email for job applications
An alias email address is an additional address that delivers mail to the same mailbox as your primary address; it acts as a forwarding address. Using one for job applications keeps your job search organized, helps you spot scams quickly, and limits the damage if a company mishandles your data.
See my review of best secure and private email services at Cyberguy.com/Mail
3. Check for HTTPS and red flags
Before you fill out any forms, check that the website URL begins with https:// and that the site looks secure and professional. Avoid platforms or bots that ask vague or repetitive questions or redirect you without a clear reason.
4. Consider a data removal service
Incidents like the McHire breach show how easily personal details can be exposed, even when you think you’re just applying for a job. A data-removal service helps reduce your online footprint by scanning hundreds of data broker sites and requesting the removal of your information. This lowers the risk of your personal data being leaked, exploited in phishing scams, or used for impersonation.
No service can promise to remove all your data from the internet, but a removal service is worthwhile if you want the removal of your information from hundreds of sites monitored and automated continuously over a longer period of time.
Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com/Delete
Get a free scan to find out if your personal information is already out on the web: Cyberguy.com/FreeScan
5. Use strong, unique passwords for job search accounts
If you create accounts on hiring platforms, avoid reusing passwords from other services. A weak or reused password can make it easier for attackers to compromise your data if a site is breached. Consider using a password manager to generate and store secure passwords.
Check out the best expert-reviewed password managers of 2025 at Cyberguy.com/Passwords
6. Monitor for signs of identity misuse or scam messages
After applying for jobs, stay alert for emails or texts that seem “off.” Scammers often use leaked data to impersonate recruiters or employers, especially after high-profile breaches. Watch for fake onboarding requests or messages asking for sensitive information like bank details or IDs. When in doubt, verify directly with the company.
Kurt’s key takeaway
This incident was a serious but limited security issue. Thanks to responsible disclosure by researchers and Paradox.ai’s rapid response, the exposure was contained to just five candidate records, and no personal data was leaked or misused. That said, the event is a reminder: when AI is involved in hiring, data privacy must remain a top concern. Even small oversights, like a forgotten test account, can put real people’s data at risk.
Do you think more transparency is needed from companies when your data is involved in the hiring process? Let us know by writing us at Cyberguy.com/Contact
Copyright 2025 CyberGuy.com. All rights reserved.