A vulnerability in McHire, the AI-powered recruitment platform used by a vast majority of McDonald’s franchisees, exposed the personal information of over 64 million job applicants. The vulnerability allowed unauthorised access to sensitive data, including names, email addresses, phone numbers, and home addresses. The issue was due to an Insecure Direct Object Reference (IDOR) on an internal API and weak default credentials. The incident was swiftly addressed by Paradox.ai and McDonald's, but it highlighted the risks associated with rushing AI deployments without proper security measures.
Source: https://hackread.com/mcdonalds-mchire-vulnerability-job-seekers-data-leak/
TPRM report: https://scoringcyber.rankiteo.com/company/mcdonald's-corporation
"id": "mcd344071125",
"linkid": "mcdonald's-corporation",
"type": "Vulnerability",
"date": "7/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '64 million job applicants',
                        'industry': 'Fast Food',
                        'location': 'Global',
                        'name': 'McDonald’s',
                        'size': 'Large',
                        'type': 'Corporation'}],
 'attack_vector': ['Weak Default Credentials',
                   'Insecure Direct Object Reference (IDOR)'],
 'data_breach': {'number_of_records_exposed': '64 million',
                 'personally_identifiable_information': ['Names',
                                                         'Email Addresses',
                                                         'Phone Numbers',
                                                         'Home Addresses'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personal Information',
                                              'Contact Information',
                                              'Authentication Tokens',
                                              'Chat Messages']},
 'date_detected': '2025-06-30',
 'date_resolved': '2025-07-01',
 'description': 'An IDOR vulnerability and weak default credentials in McHire, the AI-powered recruitment platform used by McDonald’s franchisees, led to a massive leak of personal data.',
 'impact': {'data_compromised': ['Names',
                                 'Email Addresses',
                                 'Phone Numbers',
                                 'Home Addresses',
                                 'Authentication Tokens',
                                 'Raw Chat Messages'],
            'systems_affected': ['McHire Platform', 'Olivia Chatbot']},
 'initial_access_broker': {'entry_point': 'Weak Default Credentials'},
 'lessons_learned': 'The incident highlights the importance of basic security hygiene and governance around AI systems that collect or process personal data.',
 'post_incident_analysis': {'corrective_actions': ['Changed default administrative credentials',
                                                   'Resolved IDOR vulnerability'],
                            'root_causes': ['Weak Default Credentials',
                                            'IDOR Vulnerability']},
 'recommendations': ['Implement proper authentication, auditability, and integration into broader risk workflows',
                     'Treat AI as a regulated asset and implement frameworks that ensure accountability'],
 'references': [{'source': 'Reddit'}, {'source': 'Ian Carroll'}],
 'response': {'containment_measures': ['Changed default administrative credentials',
                                       'Resolved IDOR vulnerability'],
              'remediation_measures': ['Removed default credentials',
                                       'Fixed IDOR vulnerability']},
 'title': 'Major Security Flaw in McDonald’s AI Hiring Tool McHire Exposed 64M Job Applications',
 'type': 'Data Breach',
 'vulnerability_exploited': ['Default Credentials', 'IDOR']}