Pune

McDonald's McHire AI Tool Exposed 64 Million Job Applicants' Data Due to Weak Password

McDonald's AI recruitment tool McHire was protected by the password '123456', putting the data of 64 million job applicants at risk.

Data Leak: A serious security flaw in McHire, the AI-based recruitment platform used by the global fast-food chain McDonald's, has raised questions about the company's security practices. The flaw could have exposed the data of approximately 64 million job applicants. Most striking of all, the system was guarded by the extremely common password '123456', a lapse that falls below any reasonable cyber security standard.

Security Researchers Uncover the Issue

This issue was uncovered by cyber security researchers Ian Carroll and Sam Curry. They found a login option labelled 'Paradox team members' in McHire's admin interface. Out of curiosity they tried the default username and password '123456', and immediately gained access not only to the system's test environment but also to the live admin dashboard.

Candidate Data a Click Away

McHire uses an AI chatbot named 'Olivia' that assists candidates with interviews and screening. Because of this flaw, the researchers were able to reach the sensitive information of millions of applicants, including:

  • Full Name
  • Email ID
  • Phone Number
  • Job Application Status
  • Chat History

API Flaw Increased the Threat

The researchers also found an API endpoint in McHire's internal system from which any candidate's information could be retrieved simply by supplying a predictable parameter. In addition, access tokens present in the system would have allowed anyone to impersonate an applicant. This made the issue far more serious: beyond data theft, it opened the door to data tampering and fraud.

McDonald's and Paradox.ai's Swift Response

Once the report reached them on June 30, McDonald's and its technology partner Paradox.ai acted immediately and had all default login credentials disabled by July 1. The affected API was also shut down and further security measures were put in place. Paradox stated that the only access had been by the researchers and that no applicant data was leaked into the public domain. Still, had a cybercriminal discovered this lapse before the researchers did, it could have been abused on a large scale.

Such a Big Lapse from Such a Big Company?

Such negligence is not expected from a multinational company like McDonald's. On a platform where millions of people share their personal information, a password this common and a disregard for basic security rules are a matter of serious concern. The incident not only damages McDonald's image; it is also a warning to the cyber security industry that no matter how advanced a system is, ignoring basic security measures can be fatal.

AI and Security: The Need for Dual Responsibility

The use of AI-based tools like McHire is increasing rapidly. These systems are created for automation, faster screening, and a better candidate experience. But when they are not properly secured, they can put the information of millions of users at risk. AI needs to be made not only smart, but also secure. Companies need to adopt security strategies like defense in depth in their platforms, implement multi-factor authentication, and disable default passwords.
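As an added illustration of the two weaknesses described above and the mitigations called for here, the following Python sketch (not code from McHire, Paradox.ai or this article) rejects default passwords at account creation and enforces object-level authorization on a candidate lookup, so that guessing a sequential ID no longer returns another applicant's record. The class names, session model and sample records are constructed for the example.

```python
# Added example, not McHire/Paradox.ai code: a minimal in-memory model of
# (1) a default-credential check and (2) an object-level authorization check.
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed blocklist of common/default passwords. A real deployment would
# screen against a large breached-password list rather than this short set.
DEFAULT_PASSWORDS = {"123456", "password", "admin", "123456789", "qwerty"}
MIN_PASSWORD_LENGTH = 12


def password_is_acceptable(password: str) -> bool:
    """Refuse default or common credentials before an account can exist."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    return password.lower() not in DEFAULT_PASSWORDS


@dataclass
class Candidate:
    candidate_id: int
    name: str
    email: str
    chat_history: List[str] = field(default_factory=list)


@dataclass
class Session:
    subject_id: int   # the authenticated applicant's own candidate_id
    role: str         # "applicant" or "recruiter" (constructed roles)


# Constructed sample records with sequential, easily guessed IDs.
CANDIDATES = {
    1001: Candidate(1001, "Alice Example", "alice@example.test"),
    1002: Candidate(1002, "Bob Example", "bob@example.test"),
}


def get_candidate_insecure(candidate_id: int) -> Optional[Candidate]:
    """The weak pattern: whoever supplies a valid ID gets the record."""
    return CANDIDATES.get(candidate_id)


def get_candidate(session: Session, candidate_id: int) -> Optional[Candidate]:
    """Hardened lookup: only the record's owner or a recruiter may read it.
    Unauthorized callers get the same answer as for a missing ID."""
    record = CANDIDATES.get(candidate_id)
    if record is None:
        return None
    if session.role == "recruiter":
        return record
    if session.role == "applicant" and session.subject_id == candidate_id:
        return record
    return None  # deny without revealing whether the ID exists
```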
