A simple mistake that exposed millions of candidate data

The Past June 30, 2025, cybersecurity researchers Ian Carroll and Sam Curry discovered a serious vulnerability in “Olivia”, the McDonald's hiring chatbot, developed by Paradox.ai and hosted on Mchire.com.

With so only two login attempts using common credentials (user “admin” and password “123456”), gained administrator access in less than 30 minutes, exposing data from job applications from up to 64 million people.

What information was leaked?

  • The problem was Resolved the same day
  • Full names
  • E-mails
  • Telephone numbers
  • Chat history between candidates and the AI assistant

This flaw allowed attackers to search for candidate IDs and recover entire conversations, compromising their privacy and security.

Who is responsible?

The source of the vulnerability was in Paradox.ai, the chatbot provider. McDonald's issued a statement calling the incident “unacceptable” and said that:

  • The problem was Resolved the same day
  • Paradox.ai implemented a Bug Bounty program to prevent similar failures in the future.

Why is this incident so serious

  1. Exposure to phishing: Leaked data can be used in recruiter impersonation campaigns to deceive candidates and steal more information or money.
  2. Risks in AI systems: Shows the lack of basic security controls in automated contracting tools.
  3. Possible regulatory sanctions: Managing millions of records implies strict compliance with regulations such as GDPR or CCPA, and this leak could open investigations.

Lessons for companies and candidates

🔐For organizations

  1. Implement MFA on all administration and VPN accesses
  2. Perform regular credential audits and delete inactive accounts
  3. Simulate attacks using Threat Led Penetration Testing (TLPT) to discover flaws before cybercriminals
  4. Deploy Bug Bounty programs for AI-based solutions
  5. Require Third-party cybersecurity SLA, including code reviews and intrusion tests

🧑 ‍For candidates

  1. Be wary of messages from recruiters asking for payments or sensitive data
  2. Use different emails for job applications
  3. Enable two-factor authentication in your email and employment accounts
  4. Always check the domain and sender of the emails received
  5. Report any scam or impersonation attempts

How can Apollo Cybersecurity help you?

In Apollo Cybersecurity we help your organization to:

  • Perform TLPT specific to environments with AI and chatbots
  • Designing architectures Zero Trust and Secure Credential Management
  • Implement a 24/7 SOC for proactive detection Of threats
  • Strengthen the third-party risk management and vendor contracts

Request your free audit and resilience plan today

Prev Post
Next Post

Any questions?
We're happy to help!

CONTACT US TODAY!
info@apolocybersecurity.com
Data Controller: Apolo Analytics SL
Purpose: To process your request and respond to your message.
Legal Basis: Consent of the interested party upon submitting the form.
Recipients: Data will not be transferred to third parties, except under legal obligation.
Rights: You may exercise your rights of access, rectification, and deletion, among others, by sending an email to secretaria@apolocybersecurity.Com.
Additionall information: You can view the full information on our Privacy Policy.

Thank you!

Your message has been successfully received.
Oops! Something went wrong when submitting the form.
We are waiting for you!
Schedule a call
Project photo
send us an email
Project photo
+34 937948378
Project photo
Carrer de Sant Joan de la Salle 42, Barcelona, spain
Project photo
FAQScontactTERMS AND CONDITIONSWork with Us
Accelerated by:
Certifications:
Light Eyes is part of Apolo Cybersecurity
LEGAL NOTICEPRIVACY POLICYCookies
Copyright © 2025 Apollo Cybersecurity