6.40 crore job applicants' data could have been leaked due to McDonald's mistake

Such a shocking negligence has been brought to the fore in an AI tool being utilised by McDonald's, triggering concerns over the privacy of crores of individuals. A grave security bug was discovered in the hiring portal McHire, revealing the sensitive information of around 64 million applicants.

The most surprising aspect of this revelation was that the exceedingly ordinary and foreseeable password '123456' was employed on this system.

Security expert Ian Carroll and Sam Curry uncovered this security flaw. They discovered that there was an option to log in as "Paradox team members" on the admin panel of McHire. In it he attempted the default password and username '123456' and got access not only to the test server, but also the actual admin dashboard.

The McHire platform uses an AI chatbot named Olivia, which handles candidate screening and interaction. But due to this bug, it became possible to access the chat history, name, email, phone number, and application details of the applicants.

The researchers found an internal API endpoint from which information about any candidate could be obtained by entering only one predictable parameter. Not only this, some tokens were also found with the help of which any person could present himself in the identity of a candidate.

As soon as this report came out on June 30, McDonald's and its AI tech partner Paradox.ai took immediate action. By July 1, the default login credentials were disabled, and the related API was secured.

Paradox also clarified that this test account was only accessed by security researchers, and no information was leaked into the public domain.