McDonald’s AI hiring tool compromised, 5 applicants’ data leaked

Many companies now utilize artificial intelligence (AI) in their hiring processes. Bots are used to screen resumes, filter candidates, and handle initial communications before human intervention. McDonald’s employs an AI-powered hiring platform called McHire, which is supported by Paradox.ai’s chatbot, Olivia, to streamline its recruitment process.

While AI offers convenience, it also poses data privacy risks. This was highlighted when two security researchers responsibly reported a critical vulnerability that exposed a limited number of candidate records, despite initial reports indicating a larger breach.


What did researchers uncover in McDonald’s AI hiring platform?

On June 30, 2025, security researchers Ian Carroll and Sam Curry identified a vulnerability in a Paradox.ai test account associated with a single client instance, which serves McDonald’s. By exploiting weak and outdated credentials, they gained access to a testing portal and discovered an unauthenticated API endpoint linked to chat interaction records.

They were able to retrieve seven chat logs, five of which contained personal information of U.S.-based candidates such as full names, email addresses, phone numbers, and IP addresses. The remaining two records did not include any personal data. It’s important to note that no complete job applications, Social Security numbers, or financial details were exposed, and sensitive fields remained secure.

Paradox.ai confirms the extent of the security vulnerability

Following the disclosure, Paradox.ai promptly disabled the test account and patched the vulnerable endpoint within hours. The company stated that only five candidate records containing personal information were accessed, and solely by the two researchers who reported the issue ethically.

Paradox.ai clarified that the incident impacted only one of its clients, believed to be McDonald’s, and assured that no other clients or systems were affected. They emphasized that there was no evidence of malicious access or data leakage. The company expressed confidence that the test account was not accessed by any third party besides the security researchers.

What are McDonald’s and Paradox.ai doing in response?

Paradox.ai acknowledged that the legacy test account, established before 2019, should have been decommissioned, and that outdated credentials no longer met current security standards. As a result of the incident, the company took the following actions:

  • Revoked the legacy test account credentials
  • Applied a patch to address the vulnerable endpoint
  • Introduced a bug bounty program
  • Established a public contact for security concerns at security@paradox.ai

In a statement, McDonald’s expressed disappointment over the vulnerability in its third-party provider, Paradox.ai. It mandated immediate remediation, which was completed on the same day the issue was reported. McDonald’s emphasized its commitment to cybersecurity and to holding third-party providers accountable for upholding data protection standards.

Was the exposure really 64 million job applications?

Initial reports suggested that the vulnerability could have compromised up to 64 million job applications. However, there was no confirmation from the researchers, and Paradox.ai’s investigation did not reveal any evidence of large-scale data scraping. The only records accessed were the seven chat samples obtained by the researchers to validate the issue.

When contacted for comment, a Paradox.ai representative stated, “Our public post serves as our official statement, providing context and clarifying inaccuracies in other media reports.” They reiterated that only five candidate records containing personal information were accessed by the researchers, and there was no indication of a widespread breach or data exposure.

Although a genuine vulnerability existed, only a minimal amount of data was accessed, because the researchers stopped at what was needed to validate the issue and the vendor responded swiftly.

Could this data have been exploited maliciously?

While personal information from five records was accessed, there is no evidence of malicious exploitation by attackers. However, hypothetically, such data could be used for various scams, including impersonating recruiters, sending phishing emails under the pretext of onboarding, or targeting job seekers with fraudulent offers.

The sensitive nature of the exposed data makes it crucial to address, even with the limited scope of the breach.

6 steps to safeguard your personal data on online hiring platforms

The McHire incident underscores the vulnerability of personal information when AI tools are involved in collecting job application data. Implement these six steps to protect your information throughout the job application process:

1. Limit shared personal data

Only provide necessary information to complete the application. Refrain from disclosing sensitive details like Social Security Numbers, bank account information, or full addresses unless certain of the platform’s legitimacy and security.

2. Use an alias email for job applications

Use a dedicated alias email address for job applications that forwards job-related messages to your primary mailbox. This additional layer helps organize job searches, detect scams promptly, and limit the damage if the alias is ever mishandled, since it can simply be retired.

3. Verify HTTPS and watch for red flags

Prior to submitting any forms, ensure the website URL starts with https:// and appears secure and professional. Avoid platforms or bots that pose vague or repetitive queries or redirect users without clear justification.

4. Consider a data removal service

Instances like the McHire breach emphasize the ease with which personal details can be exposed during seemingly routine job applications. Data removal services aid in reducing online footprints by scanning numerous data broker sites and requesting information removal, minimizing the risk of data leaks, phishing exploitation, or impersonation.

While no service can guarantee complete removal of your data from the internet, such a service provides continuous monitoring and automates repeated removal requests across many sites over time.

5. Utilize strong, unique passwords for job search accounts

Avoid reusing passwords from other services when creating accounts on hiring platforms. Weak or reused passwords can make data compromise easier in case of a breach. Consider using a password manager to generate and store secure passwords.

6. Monitor for identity misuse or scam messages

Remain vigilant for suspicious emails or texts post-application. Scammers may leverage leaked data to impersonate recruiters or employers, particularly following high-profile breaches. Watch for fraudulent onboarding requests or messages seeking sensitive information such as bank details or IDs. When in doubt, verify directly with the company.

Kurt’s key takeaway

The incident highlighted a significant yet contained security issue. Thanks to the responsible actions of researchers and Paradox.ai’s prompt response, the exposure was limited to just five candidate records, with no misuse or leakage of personal data. Nonetheless, the event serves as a reminder of the critical importance of data privacy when AI is integrated into hiring processes. Even minor oversights, like an overlooked test account, can jeopardize individuals’ data.

Do you believe companies should provide more transparency when handling your data during the hiring process? Share your thoughts with us by contacting us at Cyberguy.com/Contact


Copyright 2025 CyberGuy.com. All rights reserved.