It sounds like a joke — but it’s not.
Two cybersecurity researchers typed in “admin” as the username and “123456” as the password. On their second attempt, they gained full access to McDonald’s AI recruitment system, exposing the personal data of 64 million unsuspecting job applicants.
Meet Olivia, the AI Behind the Breach
At the heart of this massive data mishap is Olivia, an AI chatbot developed by Paradox.ai. Olivia is used by McDonald’s as part of its hiring platform, McHire, where applicants submit resumes, take personality tests, and chat with the bot during the recruitment process.
Security experts Ian Carroll and Sam Curry stumbled upon the flaw during a casual visit to the site. They noticed a login link intended for Paradox.ai staff — and, out of curiosity, tried the most basic credentials imaginable.
To their shock, it worked.
One ID to Rule Them All
Once inside, the researchers discovered that each job application was tied to a sequential ID number. By simply changing the number in the URL, they could access any candidate’s profile — complete with names, emails, phone numbers, and chat history with Olivia.
No special tools. No hacking skills. Just a web browser and the digital equivalent of a sticky note password.
“This is pure gold for scammers,” said Carroll, noting that the treasure trove of exposed data could easily be used for phishing schemes or fake job offers.
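The sequential-ID flaw described above is a missing object-level authorization check. The sketch below is an added example, not code from McHire or Paradox.ai; it puts the vulnerable lookup beside a hardened one. The `owner_org` ownership model, the class names and the sample records are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested record."""


@dataclass
class Application:
    seq_id: int       # sequential database key (the guessable number in the URL)
    owner_org: str    # assumption: each record belongs to one hiring organisation
    name: str
    # Unguessable external identifier, generated per record
    public_id: str = field(default_factory=lambda: secrets.token_urlsafe(16))


@dataclass
class Session:
    user: str
    org: str


class ApplicationStore:
    def __init__(self, apps):
        self._by_seq = {a.seq_id: a for a in apps}
        self._by_public = {a.public_id: a for a in apps}

    def get_vulnerable(self, session, seq_id):
        # Any authenticated session plus a guessable number returns the record
        return self._by_seq.get(seq_id)

    def get_hardened(self, session, public_id):
        app = self._by_public.get(public_id)
        # Authorization is checked on every read; "missing" and "not yours"
        # produce the same error so responses do not confirm valid IDs
        if app is None or app.owner_org != session.org:
            raise Forbidden("not found or not permitted")
        return app


# Constructed sample data, not real applicant records
APPS = [
    Application(1001, "store-a", "Applicant A"),
    Application(1002, "store-b", "Applicant B"),
]
STORE = ApplicationStore(APPS)
ALICE = Session(user="alice", org="store-a")
```

The random `public_id` only makes enumeration harder; the ownership check in `get_hardened` is what actually stops one account from reading another organisation's applicants.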
64 Million Files and Zero Common Sense
Let’s be clear: 64 million resumes were potentially accessible because of a login system weaker than a default Wi-Fi password. While no financial data or ID documents were exposed, the personal information was more than enough to pose a serious privacy risk to anyone who ever applied to McDonald’s through McHire.
“It’s more common than people think,” Carroll commented. “But seeing a password like that — with no extra protection — on a system holding millions of personal records is just grotesque.”

