Security researchers found that they could access the personal information of 64 million people who had applied for a job at McDonald’s, in large part by logging into the company’s AI job hiring chatbot with the username and password “123456.”
Ian Carroll and Sam Curry wrote in a blog post that “during a cursory security review of a few hours,” they found the password issue and another simple security vulnerability in an internal API, which allowed access to job applicants’ past conversations with the chatbot, called McHire, supplied to McDonald’s by Paradox.ai.
The personal data seen by the researchers included applicants’ names, email addresses, home addresses, and phone numbers.
Paradox.ai wrote in a blog post that it resolved the issues “within a few hours” after the researchers’ report, and that “at no point was candidate information leaked online or made publicly available.”
The researchers’ findings were first reported by Wired.
