A security lapse in McDonald’s job application system could have exposed the personal details of around 64 million people — all because someone used the password “123456″, according to Tom’s Hardware.
“That’s amazing. We’ve got the same combination on our luggage!”
Researchers Ian Carroll and Sam Curry discovered serious flaws in McHire, the chatbot developed by Paradox.ai and used by most McDonald’s franchises for recruitment. While poking around, they found that internal accounts used by Paradox staff were protected by one of the most commonly guessed passwords in the world: “123456.”
The report says Carroll compared it to his own teenage mistake of using “1234” on a forum account. “That’s slightly better than the password I used, I guess,” he wrote, “but not enough to justify its use decades after most people realized that using weak passwords is a bad idea.”
Using that flimsy credential, the researchers gained administrative access — though initially only to a test restaurant account tied to Paradox employees. That let them explore the system, but didn’t prove any real-world risk. The real issue came when they found a second vulnerability: an insecure direct object reference (IDOR) flaw in the McHire API.
That bug let them pull sensitive data from any chat-based application submitted to McDonald’s — names, email addresses, phone numbers, home addresses, application details, and even login tokens that allowed full access to user chats and potentially more.
Paradox once boasted that 90% of McDonald’s franchises relied on McHire for hiring, though that claim has since quietly vanished from its blog.
To put things in context: Paradox raised $200 million in 2020. McDonald’s is worth over $200 billion. And yet a system handling tens of millions of people’s private information was essentially protected by the digital equivalent of a sticky note on a monitor.
The only silver lining? Carroll and Curry say the vulnerabilities were patched within 24 hours of being reported. With any luck, McDonald’s and Paradox will aim for better cybersecurity hygiene going forward — maybe even something a little more secure than “123456.”
Loading recommendations…
