
A security oversight in McDonald’s AI-powered hiring platform “McHire” was found exposing sensitive applicant data belonging to as many as 64 million job seekers.
Discovered in late June 2025 by security researchers Ian Carroll and Sam Curry, the issue was a default admin login and an insecure direct object reference (IDOR) in an internal API that allowed access to applicants’ chat histories with ‘Olivia’, McHire’s automated recruiter bot.
“The McDonald’s breach confirms that even sophisticated AI systems can be compromised by elementary security oversights,” said Aditi Gupta, senior manager for professional services consulting at Black Duck. “The rush to deploy new technology must not compromise basic security principles. Organizations must prioritize fundamental security measures to ensure uncompromised trust in their software, especially for the increasingly regulated, AI-powered world.”
The flaws, discovered during a security review following Reddit users’ complaints about the bot’s “nonsensical answers,” were promptly resolved by McDonald’s and Paradox.ai (Olivia’s creator) upon disclosure.
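The IDOR named above, as an added illustration that is not McHire's or Paradox.ai's code: a chat-transcript lookup that trusts the applicant id from the request, beside one that enforces object-level authorization, plus a regression check a defender can run against either handler. The applicant ids, e-mail addresses and transcripts are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample data: transcripts keyed by a sequential applicant id,
# the kind of key an IDOR-prone internal API exposes directly in the URL.
CHAT_HISTORY = {
    1001: ["Olivia: What shifts can you work?", "Applicant: Weekends."],
    1002: ["Olivia: Any food-handling experience?", "Applicant: Two years."],
}
OWNER_OF = {1001: "alice@example.test", 1002: "bob@example.test"}


@dataclass
class Session:
    user: str
    roles: set = field(default_factory=set)


class Forbidden(Exception):
    pass


def get_chat_history_vulnerable(session, applicant_id):
    """IDOR: the id from the request is trusted as-is, so any authenticated
    user can read any applicant's transcript by changing the number."""
    return CHAT_HISTORY[applicant_id]


def get_chat_history_hardened(session, applicant_id):
    """Object-level authorization: only the record's owner or a recruiter
    gets it back. Unknown ids and foreign records fail the same way, so
    the response does not reveal which ids exist."""
    owner = OWNER_OF.get(applicant_id)
    allowed = owner is not None and (
        owner == session.user or "recruiter" in session.roles
    )
    if not allowed:
        raise Forbidden("no access to applicant %d" % applicant_id)
    return CHAT_HISTORY[applicant_id]


def count_readable(handler, session, ids):
    """Authorization regression check: how many transcripts in the id
    range does this session actually get back from the handler?"""
    readable = 0
    for applicant_id in ids:
        try:
            handler(session, applicant_id)
            readable += 1
        except (Forbidden, KeyError):
            pass
    return readable
```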
Author: Marty Kaufmann