Key Information of 64 Million Applicants Exposed
Careless Security Settings...Accessible to Anyone
More Shocking: Test Account Neglected Since 2019

Poor security in McDonald's AI hiring chatbot "Olivia" was found to have exposed the personal information of tens of millions of job applicants. An AI system promoted as a symbol of recruiting innovation was undone by remarkably basic weaknesses: "123456" default passwords, neglected test accounts, and the absence of multi-factor authentication. The incident shows how dangerous the expansion of AI-based talent selection can become from a data security perspective.

In July 2025, the AI hiring chatbot platform "Olivia", used in McDonald's restaurants in the US and worldwide, was found to have left the personal information of approximately 64 million applicants accessible to anyone because of poor security settings. The chatbot was developed by US software company Paradox.ai and operates through "McHire.com", where it interacts with applicants and collects resumes, contact information, and other key data.

Security vulnerabilities found:

(1) Default passwords -- administrative accounts were protected only by "123456" and similarly trivial passwords.
(2) Test accounts active since 2019 -- Paradox.ai development test accounts created during initial deployment remained active with high-privilege access for 6 years.
(3) No multi-factor authentication -- accounts without 2FA could be accessed with just a password.
(4) No rate limiting -- brute force attacks to guess passwords were not blocked.

The exposed data: applicant names, email addresses, phone numbers, partial employment history, and availability information.

The broader AI hiring security lesson: AI hiring platforms aggregate job seeker data across thousands of employers and millions of applicants, creating data concentrations that are high-value targets. The security standards applied to these platforms have historically not matched the sensitivity of the data they hold.
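The four findings above map directly onto checks a platform owner can run against its own account inventory. The following is an added example, not code from Paradox.ai or McHire: the account fields, the weak-password list, the thresholds (90 idle days, 5 failures per 300 seconds) and the sample records are all assumptions constructed for illustration.

```python
import hashlib, hmac
from datetime import date

# Constructed list of trivial passwords; "123456" is the one the article names.
WEAK = ["123456", "password", "admin", "qwerty"]

def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def audit(accounts, today, max_idle_days=90):
    """Return {username: [findings]} for findings (1)-(3) in the article."""
    report = {}
    for a in accounts:
        findings = []
        # (1) stored hash matches a known-trivial password
        if any(hmac.compare_digest(pw_hash(w, a["salt"]), a["hash"]) for w in WEAK):
            findings.append("weak-password")
        # (2) test or long-idle account that still holds admin rights
        idle = (today - a["last_login"]).days
        if a["role"] == "admin" and (a["is_test"] or idle > max_idle_days):
            findings.append("stale-privileged")
        # (3) password is the only factor
        if not a["mfa"]:
            findings.append("no-mfa")
        report[a["user"]] = findings
    return report

class LoginThrottle:
    """(4) Refuse logins for a user after max_failures within window seconds."""
    def __init__(self, max_failures=5, window=300):
        self.max_failures, self.window, self.failures = max_failures, window, {}

    def allowed(self, user, now):
        # Keep only failures inside the sliding window, then compare to the cap.
        recent = self.failures[user] = [
            t for t in self.failures.get(user, []) if now - t < self.window]
        return len(recent) < self.max_failures

    def record_failure(self, user, now):
        self.failures.setdefault(user, []).append(now)

# Constructed sample inventory (not data from the incident).
SALT = b"constructed-salt"
ACCOUNTS = [
    {"user": "vendor-test", "salt": SALT, "hash": pw_hash("123456", SALT),
     "role": "admin", "is_test": True, "mfa": False, "last_login": date(2019, 6, 1)},
    {"user": "hr-lead", "salt": SALT, "hash": pw_hash("T7#long-random-phrase", SALT),
     "role": "admin", "is_test": False, "mfa": True, "last_login": date(2025, 7, 1)},
]
print(audit(ACCOUNTS, date(2025, 7, 10)))
```

An account that trips all three audit findings at once, like the constructed "vendor-test" record, is the combination the article describes; any one control (a rotated password, a disabled test account, MFA, or a throttle) would have changed the outcome of the check.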