In the 2025 McDonald’s AI hiring platform case, what key mistake exposed millions of applicants’ data?
The key mistake was leaving a default administrator account on the McHire AI hiring platform secured with the extremely weak password “123456”, which allowed access into the system and exposed millions of job applicants’ records.
What Actually Went Wrong
Security researchers discovered that an admin/test account on McDonald’s AI-driven McHire system (run by Paradox.ai and fronted by the “Olivia” chatbot) was still active with default, guessable credentials using “123456” as the password. Once logged in through this weak account, they could see live hiring data tied to tens of millions of applications, including names, email addresses, phone numbers, and chat transcripts.
Why It Exposed Millions
- The default admin-style credentials (“123456” username/password combination) granted broad backend access instead of being disabled or hardened before going live.
- Inside the system, an additional flaw (an insecure direct object reference, or IDOR) let the researchers change applicant ID numbers in requests and pull up other people’s applications, making as many as about 64 million records theoretically accessible.
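The two bullets above describe two separate failures, a default/test account left live with a deny-list password and an endpoint that checks authentication but not object-level authorization (IDOR). The following is an added example, not code from Paradox.ai, McDonald’s or the McHire platform: it models both on an in-memory store with constructed sample data (the `APPLICANTS` dict, the `Account` class, the `is_default` flag and the `WEAK_PASSWORDS` deny list are all assumptions), shows the vulnerable record lookup beside a hardened one that binds the record to the caller, and adds a pre-launch audit that refuses any enabled account that is flagged as default or whose password hashes to an entry on the deny list.

```python
"""Added example (not the McHire platform's code): models a default/test
admin account with a weak password and an IDOR on applicant lookup, then
shows the hardened lookup and a pre-launch account audit."""
from dataclasses import dataclass
import hashlib
import hmac
import os

# Constructed sample data standing in for the applicant database.
# "owner" is the login that submitted the application.
APPLICANTS = {
    1001: {"owner": "alice@example.com", "name": "Alice Example", "phone": "555-0100"},
    1002: {"owner": "bob@example.com", "name": "Bob Example", "phone": "555-0101"},
}

# Constructed deny list of well-known default passwords (assumption: a real
# deployment would use a much larger breached-password list).
WEAK_PASSWORDS = {"123456", "123456789", "12345678", "password", "admin"}

PBKDF2_ROUNDS = 20_000  # kept low so the example runs quickly


@dataclass
class Account:
    username: str
    password_hash: bytes
    salt: bytes
    role: str            # "admin" or "applicant"
    enabled: bool = True
    is_default: bool = False  # assumed flag marking a shipped/test account


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_account(username: str, password: str, role: str, is_default: bool = False) -> Account:
    salt = os.urandom(16)
    return Account(username, hash_password(password, salt), salt, role, True, is_default)


def audit_accounts(accounts) -> list:
    """Pre-launch check: return usernames of enabled accounts that are either
    flagged as default/test or whose password matches the deny list.
    A deployment gate would refuse to go live while this list is non-empty."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        weak = any(
            hmac.compare_digest(hash_password(p, acct.salt), acct.password_hash)
            for p in WEAK_PASSWORDS
        )
        if acct.is_default or weak:
            findings.append(acct.username)
    return findings


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def get_application_vulnerable(applicant_id: int, session: dict) -> dict:
    """IDOR: the caller is authenticated, but ownership of the record is never
    checked, so any logged-in user can walk the ID space (as the bullet above
    describes). Kept here only to contrast with the hardened version."""
    return APPLICANTS[applicant_id]


def get_application_hardened(applicant_id: int, session: dict) -> dict:
    """Object-level authorization: the record must belong to the caller unless
    the caller holds the admin role. Missing and foreign IDs get the same
    error so the endpoint does not confirm which IDs exist."""
    record = APPLICANTS.get(applicant_id)
    if record is None:
        raise Forbidden("no such record or not yours")
    if session.get("role") != "admin" and record["owner"] != session.get("user"):
        raise Forbidden("no such record or not yours")
    return record


if __name__ == "__main__":
    bob = {"user": "bob@example.com", "role": "applicant"}
    print("vulnerable lookup leaks:", get_application_vulnerable(1001, bob)["name"])
    try:
        get_application_hardened(1001, bob)
    except Forbidden as exc:
        print("hardened lookup refused:", exc)
    accounts = [
        make_account("admin", "123456", "admin", is_default=True),
        make_account("ops", "Tq7#vL9!mR2zXw4pE", "admin"),
    ]
    print("accounts failing pre-launch audit:", audit_accounts(accounts))
```

Two design points worth noting: the audit hashes each deny-list entry with the account's own salt and compares in constant time, so it works against stored hashes without ever needing the plaintext password, and the hardened lookup returns one uniform error for both missing and foreign IDs, which removes the ID-enumeration signal that makes an IDOR cheap to exploit at scale.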
The Core “Key Mistake” In One Line
The central error in the 2025 McDonald’s AI hiring platform case was failing to change or disable a default admin account protected by the trivial password “123456,” which opened the door to mass exposure of applicant data.