Paradox.ai Data Breach: “123456” Password & Nexus Stealer Expose Fortune 500 Clients
A recent data breach has exposed a critical vulnerability in the systems of Paradox.ai, the developer behind AI-powered chatbots used in recruitment processes at McDonald’s and other Fortune 500 corporations. The cause of this widespread leak? A painfully simple mistake—a password so weak it bordered on the absurd.
The saga began when security researchers Ian Carroll and Sam Curry gained access to the backend of McHire.com, a platform that utilizes Paradox.ai’s “Olivia” chatbot to process job applications. Their entry point was a dormant test account protected by the infamous password “123456.” This flimsy credential opened the door to a trove of 64 million records, including names, phone numbers, and email addresses of job seekers.
Paradox acknowledged the legitimacy of the test account, claiming it had been inactive since 2019 and was slated for deletion. The company asserted that only the researchers had accessed the system and emphasized that the exposed data involved only chatbot interactions, not actual job applications.
But the crisis didn’t end there. An independent analysis of leaked password data revealed that in June 2025, a device belonging to a Vietnamese employee of Paradox was infected with the Nexus Stealer malware. This malicious software specializes in pilfering credentials and authentication data, including cookies and manually entered logins. Once compromised, the employee’s data was made publicly accessible and indexed by breach-tracking services.
The stolen credentials included hundreds of trivial, repetitive passwords—many differing only in their final characters. Alarmingly, some were used to access client systems for major corporations like Aramark, Lockheed Martin, Lowe’s, and Pepsi. One such password, a mere seven-digit number, was reused across multiple enterprise systems—easily crackable in seconds with modern brute-force tools.
Particularly troubling is the fact that the breach included logins to the single sign-on platform paradoxai.okta.com, in use since 2020 and equipped with two-factor authentication. While Paradox maintains that most compromised passwords are now obsolete, some still provided access to critical systems such as Okta and Atlassian—whose authentication tokens were valid until December 2025.
Beyond credentials, the breach exposed session cookies. Because a stolen cookie represents a session that has already passed the login and second-factor checks, replaying it lets an attacker bypass multifactor authentication altogether without ever being challenged. In several instances, the malware also installed backdoors, allowing persistent remote access. One such compromised device, belonging to a Paradox developer in Vietnam, was later found listed for sale online.
Paradox insists the incident did not impact other customer accounts and claims that security protocols for contractors have been significantly tightened since a 2019 audit. Yet this raises uncomfortable questions: how did an account secured with “123456” survive an audit in a company certified to ISO 27001 and SOC 2 Type II standards? The company explained that in 2019, external contractors were not held to the same security standards as internal staff.
Further investigation revealed that another Vietnamese employee was infected with similar malware in late 2024. Among the stolen data were GitHub credentials and browser histories suggesting the infection likely occurred through pirated movie downloads, a common infection vector in which the malware is disguised as a codec installer.
This episode serves as a stark reminder of the fragility of corporate cybersecurity—even within firms that claim rigorous adherence to industry standards. One forgotten test account and one compromised laptop were all it took to potentially jeopardize the data of numerous global enterprises.