McDonald’s “123456” Password Exposes 64 Million Job Applicants’ Data
McDonald’s hiring system was found to be secured by a password so trivial that even a child might guess it—“123456.” Two elementary vulnerabilities granted access to the personal data of over 64 million job applicants for the world’s largest fast-food chain.
McHire, the recruitment platform used by nearly 90% of McDonald’s franchisees, is powered by a chatbot named Olivia, developed by Paradox.ai. Olivia collects personal information, shift preferences, and administers personality assessments. Researchers became intrigued by the system after Reddit users complained that the bot was providing nonsensical replies.
In a brief investigation lasting only a few hours, researchers uncovered two critical issues. First, the restaurant-facing login interface at https://www.mchire.com/signin accepted the default credentials “123456.” Second, the internal API suffered from an Insecure Direct Object Reference (IDOR) vulnerability, which allowed attackers to retrieve other users’ applications simply by substituting different identifiers in the request.
The analysis began with submitting a job application through https://jobs.mchire.com/. Olivia prompted the user for an email and phone number, then immediately offered a personality test from Traitify. The questions were reduced to binary choices like “Me” or “Not me” in response to statements such as “I enjoy working overtime.” While it was easy to infer what answers might appeal to employers, the experience felt puzzling.
Progress through the hiring stages soon stalled, likely due to manual review. Attempts to inject commands into Olivia yielded nothing—the bot responded only to pre-scripted phrases. No open candidate-facing APIs were discovered.
The researchers then shifted focus to the platform’s administrative section. While https://www.mchire.com/signin defaults to corporate McDonald’s login, a discreet link at the bottom labeled “Paradox team members” led to a different login form. Entering “123456” as both username and password unexpectedly granted access to the admin panel.
This turned out to be a test environment—its “employees” were the developers at Paradox.ai. The researchers responded to a test job posting configured in the account to explore the process from the restaurant’s perspective. The employer interface revealed all ongoing conversations with Olivia and allowed intervention at various stages, such as after the personality test.
While reviewing their test application, they noticed an intriguing API call: PUT /api/lead/cem-xhr. The request appeared to proxy interactions with a Candidate Experience Manager (CEM) system via XHR. The key parameter was lead_id—the chat identifier—which in their case was approximately 64,185,742. Decreasing the ID by one granted them immediate access to another applicant’s personal data, including contact details in plain text.
By iterating through these identifiers, researchers could access any application within the McHire system—more than 64 million records from McDonald’s hiring platform. The data exposed included names, email addresses, phone numbers, physical addresses, application statuses, shift preferences, and even authorization tokens enabling login as the respective candidates.
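The IDOR described above comes down to a missing object-level authorization check. The following added example (not Paradox.ai’s code) models a handler for the PUT /api/lead/cem-xhr call in its flawed and hardened forms, and adds a simple log check for the consecutive-id access pattern that such a flaw invites; the org-scoped ownership model, the lead data and the log format are all assumptions constructed for illustration.

```python
# Added example (not Paradox.ai's code): a minimal model of the IDOR on
# PUT /api/lead/cem-xhr described above, the object-level authorization
# check that closes it, and a log check for the id-walking it enables.
# Every id, org, email and log line here is constructed for illustration.
import re
from collections import defaultdict
LEADS = {  # constructed store keyed by lead_id (the chat identifier)
    64185741: {"org_id": "org-A", "email": "alice@example.invalid"},
    64185742: {"org_id": "org-B", "email": "bob@example.invalid"},
}

def cem_xhr_vulnerable(session_org: str, lead_id: int) -> dict:
    """Flawed handler: any authenticated session can read any lead."""
    return LEADS[lead_id]  # checks only that the id exists

def cem_xhr_hardened(session_org: str, lead_id: int) -> dict:
    """Object-level authorization: the lead must belong to the caller's org.
    Missing and not-owned ids fail alike, so the API does not reveal which exist."""
    lead = LEADS.get(lead_id)
    if lead is None or lead["org_id"] != session_org:
        raise PermissionError("lead not accessible from this session")
    return lead

# Constructed access-log lines: session id, method, path, lead_id.
SAMPLE_LOG = """\
sess-1 PUT /api/lead/cem-xhr lead_id=64185742
sess-1 PUT /api/lead/cem-xhr lead_id=64185741
sess-1 PUT /api/lead/cem-xhr lead_id=64185740
sess-2 PUT /api/lead/cem-xhr lead_id=64185742
sess-2 PUT /api/lead/cem-xhr lead_id=64185742
"""
LOG_RE = re.compile(r"^(\S+) PUT /api/lead/cem-xhr lead_id=(\d+)$")

def flag_id_walking(log_text: str, min_run: int = 3) -> list:
    """Return sessions whose lead_id requests form a consecutive run
    (up or down) at least min_run long: a detection signal for IDOR abuse."""
    by_session = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            by_session[m.group(1)].append(int(m.group(2)))
    flagged = []
    for sess, ids in by_session.items():
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if abs(cur - prev) == 1 else 1
            if run >= min_run:
                flagged.append(sess)
                break
    return flagged
```

Run against SAMPLE_LOG, flag_id_walking reports only sess-1, the session that walked three adjacent ids; the repeated single id from sess-2 is normal traffic.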
Once the magnitude of the breach became clear, the researchers attempted to alert Paradox.ai. However, the company’s security page simply asserted that there was “no need to worry about security” and offered no contact information. They were left to send warnings to random email addresses.
Paradox.ai and McDonald’s responded swiftly: the default credentials were deactivated, the vulnerabilities patched, and the company confirmed the issues had been addressed and that an additional system audit was underway.