Particle.news


McDonald’s Secures AI Hiring Chatbot After 64 Million Records Exposed

Paradox.ai has launched a bug bounty program; McDonald’s is enforcing tighter vendor controls to prevent similar breaches.

Image: The front of a McDonald's restaurant.

Overview

  • An insecure direct object reference flaw and a default “123456” credential in Paradox.ai’s McHire chatbot exposed up to 64 million applicants’ chat logs and contact details.
  • Researchers Ian Carroll and Sam Curry reported the vulnerabilities on June 30, gained administrator access within minutes and alerted McDonald’s and Paradox.ai the same day.
  • Paradox.ai patched the weak credentials and IDOR vulnerability, disabled the legacy test account and confirmed no unauthorized parties beyond the researchers accessed the data.
  • Paradox.ai instituted a bug bounty program to uncover future security gaps and McDonald’s mandated stricter third-party oversight of its AI recruiting platform.
  • Cybersecurity experts warn the incident heightens phishing risks for job seekers and underscores the need for routine security audits of AI-driven hiring tools.
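The two weaknesses named above, an insecure direct object reference and a default credential on a leftover account, are both cheap to prevent and to detect. The following is an added, self-contained illustration written for this summary; it is not code from Paradox.ai, McHire or McDonald's, and every name in it (the applicant store, the organisations, the endpoint path, the log lines) is constructed. It shows the vulnerable lookup beside an authorised one, a default-password check for account creation, and a simple enumeration detector run over constructed access-log lines, which is how a reviewer would look for this class of access after the fact.

```python
"""Constructed example: object-level authorisation, default-credential rejection,
and id-enumeration detection for an applicant-record API (hypothetical names)."""
import re
from collections import defaultdict

# Constructed sample records; the 'owner' field is the organisation allowed to read them.
APPLICANTS = {
    1001: {"owner": "franchise-a", "name": "Applicant One", "chat": ["hi", "I'd like to apply"]},
    1002: {"owner": "franchise-b", "name": "Applicant Two", "chat": ["hello"]},
}

# Small constructed deny-list; a real deployment would use a large breached-password set.
DEFAULT_PASSWORDS = {"123456", "12345678", "password", "admin"}


class AccessDenied(Exception):
    """Raised for both 'not found' and 'not yours', so the API does not confirm which ids exist."""


def get_applicant_insecure(applicant_id: int) -> dict:
    """Vulnerable pattern (IDOR): the id from the request is trusted as-is.
    Anyone who can guess or increment ids can read every applicant's chat log."""
    if applicant_id not in APPLICANTS:
        raise AccessDenied(applicant_id)
    return APPLICANTS[applicant_id]


def can_read(applicant_id: int, caller_org: str) -> bool:
    """Object-level authorisation: the record must exist AND belong to the caller's org."""
    record = APPLICANTS.get(applicant_id)
    return record is not None and record["owner"] == caller_org


def get_applicant(applicant_id: int, caller_org: str) -> dict:
    """Hardened lookup: identity of the caller is part of the check, not just the id."""
    if not can_read(applicant_id, caller_org):
        raise AccessDenied(applicant_id)
    return APPLICANTS[applicant_id]


def password_is_acceptable(password: str) -> bool:
    """Reject default and trivially guessable credentials at account creation or reset."""
    return len(password) >= 12 and password.lower() not in DEFAULT_PASSWORDS


# Constructed access-log lines in a made-up format: timestamp, user, method, path, status.
SAMPLE_ACCESS_LOG = """\
2025-06-30T10:00:01Z user=recruiter-a GET /api/applicants/1001 200
2025-06-30T10:00:02Z user=test-account GET /api/applicants/1001 200
2025-06-30T10:00:02Z user=test-account GET /api/applicants/1002 200
2025-06-30T10:00:03Z user=test-account GET /api/applicants/1003 403
2025-06-30T10:00:03Z user=test-account GET /api/applicants/1004 200
2025-06-30T10:00:05Z user=recruiter-b GET /api/applicants/1002 200
"""

LOG_RE = re.compile(r"user=(?P<user>\S+) GET /api/applicants/(?P<id>\d+) (?P<status>\d{3})")


def detect_enumeration(log_text: str, threshold: int) -> list:
    """Return users that touched at least `threshold` distinct applicant ids.
    Denied requests are counted too: a burst of 403s is itself a probing signal."""
    ids_by_user = defaultdict(set)
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if match:
            ids_by_user[match["user"]].add(int(match["id"]))
    return sorted(user for user, ids in ids_by_user.items() if len(ids) >= threshold)


if __name__ == "__main__":
    # The insecure lookup hands franchise-b's record to anyone who supplies the id.
    print("insecure:", get_applicant_insecure(1002)["name"])
    # The hardened lookup refuses the same request from the wrong organisation.
    print("franchise-a may read 1002:", can_read(1002, "franchise-a"))
    print("default password accepted:", password_is_acceptable("123456"))
    print("enumerating users:", detect_enumeration(SAMPLE_ACCESS_LOG, threshold=3))
```

The authorisation check compares the record's owner with the authenticated caller rather than relying on the id being hard to guess; returning one error for both missing and foreign records keeps the endpoint from doubling as an id oracle. The detector is deliberately simple (distinct ids per account over the whole log); in practice the window would be time-bounded and the threshold tuned to normal recruiter behaviour.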