Jul 10, 2025 12:40:00

McDonald's job site password '123456' exposes 64 million applicants' information

Security experts Ian Carroll and Sam Curry reported that McDonald's job site '

McHire ' had an administrator login page, which could be accessed by entering the password '123456.' They also found that applicant information could be easily viewed from the administrator page.

Would you like an IDOR with that? Leaking 64 million McDonald's job applications
https://ian.sh/mcdonalds

McDonald's has integrated an AI bot called 'Olivia' created by Paradox.ai into its job search website. Carroll and his colleagues were inspired to investigate after reports that the bot was giving them cryptic responses.

Carol and her team first applied for a job at a local McDonald's. Olivia immediately responded, helping them enter their email address, phone number, and available shifts, and then took the next step, a personality test. After the personality test, a human reviewer was required, which meant waiting for a while, and when they tried to test Olivia's capabilities, it only returned similar text, leaving them bored.

So Carroll and his team noticed a login screen for McHire, which was meant for McDonald's employees, that had a link for administrators called 'Paradox team members,' which was likely meant for Paradox.ai.

When Carroll and his colleagues accessed the link and casually entered '123456' as the username and password, they were able to log in immediately. This authentication information '123456' is set by default, and it is believed that this was because the administrator had not changed the settings.

From the administrator page, it was possible to view the conversations between the applicant and Olivia.

Here, Carroll and his team found an API to get applicant information: 'PUT /api/lead/cem-xhr'. This calls some information related to a customer via an

XHR request. One of the main parameters is 'lead_id', and they found that '64,185,742' was assigned to their own conversation. When Carroll and his team tried decreasing this number, they were immediately able to view the personal identifying information of other applicants.

Carroll and his team point out that this resulted in the exposure of more than 64 million applicants' names, email addresses, phone numbers, addresses, and preferred shifts, as well as authentication tokens used to log in to job sites as applicants.

When Carroll and others reported the issue to McDonald's on June 30, 2025, they received a response from the Paradox.ai team about 40 minutes later, and about two hours after the report, they were unable to sign in to the administrator page. The next day, they received additional contact and confirmed that the problem had been resolved.