Particle.news

McDonald’s and Paradox.ai Patch AI Hiring Bot Flaws After Massive Data Exposure

A default “123456” login on a dormant test account exposed 64 million applicants’ names and contact information.


Overview

  • Security researchers Ian Carroll and Sam Curry accessed a Paradox.ai administrative portal by guessing the default “123456” password.
  • An ID enumeration vulnerability then allowed the researchers to retrieve chat logs and contact details from up to 64 million McHire applicants.
  • Paradox.ai and McDonald’s deactivated the outdated test account and implemented platform patches under a mandated remediation order.
  • Paradox.ai has launched a bug bounty program aimed at uncovering future security weaknesses before they can be exploited.
  • Security experts warn that the exposed names, emails and phone numbers could fuel targeted phishing attempts and payroll fraud schemes.