McDonald’s Exposed Data Of 64M Job Seekers With ‘123456’ Password

A security oversight in McDonald’s AI-powered hiring platform “McHire” was found exposing sensitive applicant data belonging to as many as 64 million job seekers.

Discovered in late June 2025 by security researchers Ian Carroll and Sam Curry, the issues were a default admin login and an insecure direct object reference (IDOR) in an internal API that allowed access to applicants’ chat histories with ‘Olivia’, McHire’s automated recruiter bot.

“The McDonald’s breach confirms that even sophisticated AI systems can be compromised by elementary security oversights,” said Aditi Gupta, senior manager for professional services consulting at Black Duck. “The rush to deploy new technology must not compromise basic security principles. Organizations must prioritize fundamental security measures to ensure uncompromised trust in their software, especially for the increasingly regulated, AI-powered world.”

The flaws, discovered during a security review following Reddit users’ complaints about the bot’s “nonsensical answers,” were promptly resolved by McDonald’s and Paradox.ai (Olivia’s creator) upon disclosure.
