McDonald's McHire AI Recruitment Platform Reportedly Exposed Data of 64 Million Applicants via Default Login and API Vulnerability

June 30, 2025

Researchers Ian Carroll and Sam Curry reported a potential security vulnerability in McDonald's AI-powered hiring tool, McHire (which uses Paradox.ai's 'Olivia' chatbot). Allegedly, the tool's administrative interface could be accessed with default admin credentials, and an insecure direct object reference (IDOR) in an internal API then allowed applicant records to be enumerated, potentially exposing applicants' personally identifiable information and chat histories. McDonald's and Paradox reportedly fixed these issues swiftly after disclosure; Paradox, however, stated that only five records were actually accessed.

This incident underscores the importance of trustworthy AI and robust governance, such as HISPI Project Cerebellum's TAIM (Govern) framework. Join us in promoting harm prevention and guardrails for AI by learning more at JOIN US.

Matched TAIM controls

Suggested mapping from embedding similarity (not a formal assessment).

Alleged deployer: McDonald's, Paradox.ai
Alleged developer: McDonald's, Paradox.ai
Alleged harmed parties: McDonald's applicants

Source

Data from the AI Incident Database (AIID). Cite this incident: https://incidentdatabase.ai/cite/1179

Data source

Incident data is from the AI Incident Database (AIID).

When citing the database as a whole, please use:

McGregor, S. (2021) Preventing Repeated Real World AI Failures by Cataloging Incidents: The AI Incident Database. In Proceedings of the Thirty-Third Annual Conference on Innovative Applications of Artificial Intelligence (IAAI-21). Virtual Conference.


We use weekly snapshots of the AIID for stable reference. For the official suggested citation of a specific incident, use the “Cite this incident” link on each incident page.