INC-24-0022 (confirmed, high, near miss): McDonald's McHire AI Hiring Platform Data Vulnerability (2025)
Paradox.ai developed, and McDonald's deployed, the McHire hiring platform; the affected group was job applicants whose personal data was potentially exposed. Contributing factors included inadequate access controls and a misconfigured deployment.
Incident Details
| Date Occurred | 2025-06 | Severity | high |
| Evidence Level | corroborated | Impact Level | Organization |
| Failure Stage | Near Miss | ||
| Domain | Security & Cyber | ||
| Primary Pattern | PAT-SEC-005 Model Inversion & Data Extraction | ||
| Regions | north america, united states, global | ||
| Sectors | Employment, Technology | ||
| Affected Groups | General Public, Workers | ||
| Exposure Pathways | Algorithmic Decision Impact | ||
| Causal Factors | Inadequate Access Controls, Misconfigured Deployment | ||
| Assets & Technologies | Decision Automation, Identity Credentials | ||
| Entities | Paradox.ai (developer), McDonald's (deployer, victim) | ||
| Harm Type | rights violation | ||
Security researchers discovered that the McHire AI hiring platform, developed by Paradox.ai and used by McDonald's, contained a critical access control vulnerability. A test account whose username and password were both '123456' gave a logged-in user potential access to up to 64 million applicant records. The researchers retrieved only a small number of records to confirm the vulnerability; no evidence of mass exfiltration was found. The vulnerability was patched promptly after disclosure.
Incident Summary
In June 2025, security researchers identified a critical access control vulnerability in McHire, an AI-powered hiring platform developed by Paradox.ai and deployed by McDonald's for job applicant screening.[1]
The researchers found that an internet-reachable test account accepted the trivially guessable username and password "123456". Once authenticated, the account could reach an internal applicant-record API in which records were addressed by sequential numeric identifier, and changing that identifier returned other applicants' records (an insecure direct object reference). Together these two failures gave potential access to up to 64 million applicant records. The researchers retrieved only a small number of records to confirm the scope and reported the finding through responsible disclosure channels. No evidence of prior unauthorized mass exfiltration was identified.[2]
Paradox.ai patched the vulnerability within a day of disclosure.
Key Facts
- Platform: McHire, an AI-driven hiring tool built by Paradox.ai for McDonald’s
- Vulnerability: Internet-reachable test account accepting username and password "123456"; once logged in, applicant records could be enumerated by sequential identifier
- Potential scope: Up to 64 million applicant records were potentially accessible
- Actual access: Researchers accessed only a small sample to verify the vulnerability
- Exfiltration evidence: No confirmed mass data exfiltration by unauthorized parties
- Resolution: Vulnerability patched following responsible disclosure
Threat Patterns Involved
Primary: Model Inversion & Data Extraction — The data was reachable through conventional access control failures (a default test credential and missing object-level authorization on the applicant record API), not through any attack on the screening model itself; the pattern label reflects the outcome, a large applicant dataset exposed to potential unauthorized access.
Significance
This incident illustrates the data security risks inherent in AI-powered hiring platforms that process large volumes of personal information. Several aspects warrant attention:
- Scale of potential exposure — The platform’s centralized database of up to 64 million applicant records created a high-value target, amplifying the consequences of any single access control failure.
- Trivial authentication weakness — A test account with username and password "123456" remained enabled on the platform's internet-facing login, and authentication alone was treated as sufficient to read any applicant record. These are deployment hygiene failures, not sophisticated attack vectors.
- Near-miss classification — While the vulnerability was confirmed and the data was technically accessible, the absence of evidence of mass exfiltration distinguishes this from a data breach. It remains a near-miss that could have resulted in significant harm.
- Third-party AI vendor risk — Organizations deploying third-party AI hiring tools bear responsibility for ensuring those tools meet adequate security standards, particularly when processing sensitive personal data at scale.
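The two controls that the Threat Patterns and Significance sections call for, written out as an added example. This is illustrative code, not Paradox.ai, McDonald's or McHire code; every function name, record layout and data value below is constructed. It shows a provisioning path that rejects trivially guessable passwords and refuses to enable test accounts in production, and an applicant lookup with an object-level authorization check beside the pattern that fails when a caller-supplied numeric id is trusted after authentication alone.

```python
"""Added example (not McHire code): provisioning policy plus object-level authz.
All names, tenants and applicant records here are constructed for illustration."""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Short deny-list for the example; a real deployment checks a full breached-password
# corpus and treats this as a minimum, not the whole policy.
COMMON_PASSWORDS = {"123456", "12345678", "password", "qwerty", "admin", "letmein"}
MIN_PASSWORD_LENGTH = 12


class PolicyViolation(Exception):
    """Raised when account provisioning violates the deployment policy."""


def password_allowed(password: str, username: str) -> bool:
    """Return True only if the password is not trivially guessable."""
    lowered = password.lower()
    if len(password) < MIN_PASSWORD_LENGTH or password.isdigit():
        return False
    if lowered in COMMON_PASSWORDS or lowered == username.lower():
        return False  # rejects the username == password case from this incident
    return True


@dataclass
class Account:
    username: str
    pw_hash: str      # "salt$scrypt-digest"; the plaintext is never stored
    tenant_id: str    # hypothetical tenant scope, e.g. one franchisee
    is_test: bool
    enabled: bool = True


def provision_account(username: str, password: str, tenant_id: str,
                      environment: str, is_test: bool = False) -> Account:
    """Create an account, enforcing both provisioning rules."""
    if environment == "production" and is_test:
        raise PolicyViolation("test accounts may not exist in production")
    if not password_allowed(password, username):
        raise PolicyViolation("password is trivially guessable")
    salt = secrets.token_hex(16)
    digest = hashlib.scrypt(password.encode(), salt=salt.encode(),
                            n=2 ** 14, r=8, p=1).hex()
    return Account(username, f"{salt}${digest}", tenant_id, is_test)


def provisioning_rejected(**kwargs) -> bool:
    """Boolean wrapper around provision_account for policy checks."""
    try:
        provision_account(**kwargs)
    except PolicyViolation:
        return True
    return False


@dataclass
class Applicant:
    record_id: int
    tenant_id: str
    name: str
    email: str


# Constructed sample records with sequential ids spread across two tenants.
APPLICANTS = {
    1001: Applicant(1001, "franchise-A", "Applicant One", "one@example.com"),
    1002: Applicant(1002, "franchise-B", "Applicant Two", "two@example.com"),
    1003: Applicant(1003, "franchise-A", "Applicant Three", "three@example.com"),
}


def fetch_applicant_vulnerable(caller: Account, record_id: int) -> Optional[Applicant]:
    """Failing pattern: the caller is authenticated but the record's owner is never
    compared with the caller, so any logged-in user can walk the id space."""
    return APPLICANTS.get(record_id)


def fetch_applicant(caller: Account, record_id: int) -> Optional[Applicant]:
    """Hardened lookup: only records in the caller's own tenant are returned.
    Missing and foreign records both yield None, so ids cannot be probed."""
    if not caller.enabled:
        return None
    record = APPLICANTS.get(record_id)
    if record is None or record.tenant_id != caller.tenant_id:
        return None
    return record


def enumerate_ids(caller: Account,
                  fetch: Callable[[Account, int], Optional[Applicant]],
                  id_range: Iterable[int]) -> list[int]:
    """Simulate an authenticated user walking sequential ids; return ids that leak."""
    return [i for i in id_range if fetch(caller, i) is not None]


if __name__ == "__main__":
    print(provisioning_rejected(username="123456", password="123456", tenant_id="franchise-A",
                                environment="production", is_test=True))          # True
    recruiter = provision_account("recruiter-a", "long enough passphrase 42",
                                  "franchise-A", "production")
    print(enumerate_ids(recruiter, fetch_applicant_vulnerable, range(1000, 1010)))  # [1001, 1002, 1003]
    print(enumerate_ids(recruiter, fetch_applicant, range(1000, 1010)))             # [1001, 1003]
```

The enumeration helper is the check a reviewer would run against any record endpoint: with the vulnerable lookup a single authenticated account recovers every record in the id range, with the tenant-scoped lookup it recovers only its own. Returning None for both missing and foreign ids keeps the hardened endpoint from leaking which ids exist.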
Timeline
2025-06-30: Security researchers discover that the McHire login accepts a test account with username and password "123456"
2025-06-30: Researchers confirm that the authenticated account can enumerate applicant records by sequential identifier and retrieve a small sample to verify scope
2025-06-30: Finding reported to Paradox.ai through responsible disclosure
2025-07-01: Paradox.ai confirms the vulnerability is patched
Outcomes
- Recovery:
- Vulnerability patched; no confirmed mass data exfiltration
- Regulatory Action:
- None reported
Use in Retrieval
INC-24-0022 documents the McDonald's McHire AI Hiring Platform Data Vulnerability, a high-severity incident classified under the Security & Cyber domain and the Model Inversion & Data Extraction threat pattern (PAT-SEC-005). It occurred in June 2025 and is tagged to the regions North America, United States and global. This page is maintained by TopAIThreats.com as part of an evidence-based registry of AI-enabled threats. Cite as: TopAIThreats.com, "McDonald's McHire AI Hiring Platform Data Vulnerability," INC-24-0022, last updated 2026-03-13.
Sources
- Forbes: McDonald's AI Breach Reveals The Dark Side Of Automated Recruitment (news, 2025-07)
  https://www.forbes.com/sites/tonybradley/2025/07/15/mcdonalds-ai-breach-reveals-the-dark-side-of-automated-recruitment/
- Cyber Magazine: How McDonald's AI Bot Exposed Millions of People's Data (news, 2025-07)
  https://cybermagazine.com/news/how-mcdonalds-ai-bot-exposed-millions-of-peoples-data
- Oasis Security: McDonald's AI Hiring Breach — Nonhuman Identity (research, 2025-07)
  https://www.oasis.security/blog/mcdonalds-ai-hiring-breach-nonhuman-identity
Update Log
- First logged (Status: Confirmed, Evidence: Corroborated)