McDonald's AI hiring chatbot leaked data of 64 million applicants using "123456" as the password
McDonald's AI chatbot leak exposed applicant data due to '123456' password flaw.

In July 2025, a major security incident involving McDonald's AI hiring chatbot exposed the personal details of approximately 64 million job applicants. The breach occurred because the chatbot, developed by Paradox.ai, used the weak default password '123456'. Security researcher Ian Carroll was able to access an administrative account using this password, uncovering the raw data from interactions the AI chatbot had with the applicants.
Carroll identified the flaw by examining the code on the Paradox.ai site and successfully accessing the administrative systems designed for overseeing applicant information. This data included not just basics like names, phone numbers, and email addresses, but also sensitive employment-related information such as applicant shift preferences and authentication tokens. This breach highlights the ongoing issues with password security in AI systems.
The AI chatbot, named Olivia, handles job interviews for nearly 90 percent of McDonald's franchises, collecting and processing applicant data before performing basic personality evaluations. Carroll's examination further revealed that altering the API's main parameter in an XHR request gave him access to other applicants' chat histories.
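The parameter flaw described above is a missing object-level authorization check. The following is an added example, not code from Paradox.ai or from Carroll's write-up, that puts a lookup trusting the client-supplied ID beside one that ties the record to the authenticated session. The record layout, IDs, account names and function names are all assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ChatRecord:
    record_id: int
    owner: str          # account the conversation belongs to (hypothetical field)
    transcript: str


@dataclass(frozen=True)
class Session:
    subject: str        # identity established at login, never taken from the request


# Constructed sample data with sequential IDs, which makes neighbours easy to guess.
RECORDS = {
    1001: ChatRecord(1001, "account-a", "I'd prefer evening shifts."),
    1002: ChatRecord(1002, "account-b", "I can start next week."),
}

DENIED = Counter()      # out-of-scope lookups per subject, for alerting


class NotFound(Exception):
    pass


def get_chat_unchecked(session: Session, record_id: int) -> str:
    """Weak form: any logged-in caller can read any record by changing the ID."""
    record = RECORDS.get(record_id)
    if record is None:
        raise NotFound(record_id)
    return record.transcript


def get_chat_checked(session: Session, record_id: int) -> str:
    """Hardened form: the record must belong to the authenticated subject."""
    record = RECORDS.get(record_id)
    if record is None or record.owner != session.subject:
        if record is not None:
            DENIED[session.subject] += 1   # existing record, wrong owner: log it
        # Same error for "missing" and "not yours", so responses do not
        # reveal which IDs exist.
        raise NotFound(record_id)
    return record.transcript
```

A rising `DENIED` count for one subject is the signal to alert on, since it indicates someone walking through IDs they do not own.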
When he tried to report the flaw, Carroll found that Paradox.ai lacked an obvious security disclosure contact and had only a minimalist security assurance page on its website. Only after Carroll contacted random people in the company did McDonald's and Paradox confirm that the issue had been resolved by early July.
This incident stirred discussions about the limitations and risks of integrating AI technologies, such as McDonald's planned use of AI for administration and order accuracy, highlighting a broader trend in the fast-food industry towards using machine learning and automation.
Sources: TechSpot, Ian Carroll's Blog, Paradox.ai