
Latest news with #IanCarroll

McDonald's AI Breach Reveals The Dark Side Of Automated Recruitment

Forbes

11 hours ago

  • Business
  • Forbes


Millions of McDonald's job applicants had their personal data exposed after basic security failures left the company's AI hiring system wide open.

If you've ever wondered what could go wrong with an AI-powered hiring system, McDonald's just served up a cautionary tale. This week, security researchers revealed that the company's McHire website, a recruitment platform used by over 90% of McDonald's franchisees, left the personal information of millions of job applicants exposed to anyone with a browser and a little curiosity. The culprit: Olivia, an AI chatbot built by Paradox and designed to handle job applications, collect personal information, and even conduct personality tests. On paper, it's a vision of modern efficiency. In reality, the system was wide open due to security flaws so basic they'd be comical if the consequences weren't so serious.

What Went Wrong?

It didn't take a sophisticated hacker to find the holes. Researchers Ian Carroll and Sam Curry started investigating after Reddit users complained that Olivia gave nonsensical responses during the application process. After failing to find more complex vulnerabilities, the pair simply tried logging into the site's backend using '123456' for both the username and password. In less than half an hour, they had access to nearly every applicant's personal data, including names, email addresses, phone numbers, and complete chat histories, with no multifactor authentication required. Worse still, once logged in they found that applicant records could be pulled from an internal API just by changing the ID number in the request, an insecure direct object reference that exposed over 64 million unique applicant profiles. The account they used had not been touched since 2019, yet remained active and linked to live data. As Carroll told Wired, 'I just thought it was pretty uniquely dystopian compared to a normal hiring process, right? And that's what made me want to look into it more.'
Why Security Fundamentals Still Matter

Experts agree that the real shock isn't the technology itself but the lack of security basics that made the breach possible. As Aditi Gupta of Black Duck noted, the McDonald's incident was less a case of advanced hacking and more a 'series of critical failures,' ranging from unchanged default credentials and inactive accounts left open for years to missing access controls and weak monitoring. The result: an old admin account that hadn't been touched since 2019 was all it took to unlock a massive trove of personal data.

For many in the industry, this raises bigger questions. Randolph Barr, CISO at Cequence Security, points out that the use of weak, guessable credentials like '123456' in a live production system is not just a technical slip; it signals deeper problems with security culture and governance. When basic measures like credential management, access controls, and even multi-factor authentication are missing, the entire security posture comes into question. If a security professional can spot these flaws in minutes, Barr says, 'bad actors absolutely will—and they'll be encouraged to dig deeper for other easy wins.'

And this isn't just about AI or McDonald's. Security missteps of this kind tend to follow each new 'game-changing' technology. As PointGuard AI's William Leichter observes, organizations often rush to deploy the latest tools, driven by hype and immediate gains, while seasoned security professionals get sidelined. It happened with cloud, and now, he says, 'it's AI's turn: tools are being rolled out hastily, with immature controls and sloppy practices.'

Automation and the Illusion of Security

McDonald's isn't alone in betting big on AI to speed up hiring and make life easier for franchisees and HR teams. Automated chatbots like Olivia are supposed to streamline applications, assess candidates, and remove human bottlenecks.
But as this incident shows, convenience can't come at the expense of basic digital hygiene. The simple safeguards, unique credentials, robust authentication and proper access controls, were missing entirely. The rush to digitize and automate HR brings with it a false sense of security. When sensitive data is managed by machines, it's easy to assume the system is secure. But technology is only as strong as the practices behind it.

Lessons for the Future

If there's a lesson here, it's that technology should never substitute for common sense. Automated hiring systems, especially those powered by AI, are only as secure as their most basic controls. The ease with which researchers accessed the McHire backend shows that old problems, default passwords and missing MFA, are still some of the biggest threats, even in the age of chatbots. Companies embracing automation need to build security into the foundations, not bolt it on as an afterthought. And applicants should remember that behind every 'friendly' AI bot is a company making choices about how to protect, or neglect, their privacy.

The Price of Convenience

The McDonald's McHire data leak is a warning to every company automating hiring, and to every job seeker trusting a bot with their future. Technology can streamline the process, but it should never circumvent or subvert security. The real world isn't as neat as a chatbot's conversation tree. If we aren't careful, the push for convenience will keep putting real people at risk.

McDonald's ‘123456' Password Scare Reframes Responsible AI Debate

Forbes

2 days ago

  • Business
  • Forbes


A security flaw on the McHire platform jeopardized 64 million applicants' data.

Set aside aspirational AI rhetoric, alarmist consultant pitches and techno-babble. AI success requires candor about incentives, incompetence and indifference. McDonald's learned that harsh lesson (in a relatively costless way) when two security researchers used '123456' as the username and password to gain full access to the Golden Arches hiring platform, and with it over 64 million applicants' personal data. The noble cyber sleuths, Ian Carroll and Sam Curry, reported the flaw to McDonald's and its AI vendor, Paradox, for swift technical resolution. Had nefarious actors found the vulnerability first, McDonald's leadership would be mired in a costly, public crisis. So, will the fast-food goliath learn from this 'near-miss' to improve tech governance? Will others tap this averted disaster for overdue responsible AI introspection and action? It depends. Widespread and hushed AI deployment problems need thornier fixes than many boards and senior executives will acknowledge, admit or address.

Super-sized opportunities

Workplace crises can be proactively prevented (or eventually explained) by tackling incentives, incompetence and indifference with stewardship, capability and care. The Golden Arches 'near miss' exemplifies that, and the timing couldn't be better. While 88% of executives surveyed by PwC expect agentic AI spending increases this year, many struggle to articulate how AI will drive competitive advantage. Nearly 70% indicated that half or fewer of their workforce interacts with agents daily. Indiscriminately 'throwing money' at issues can create more problems than it solves. Here's a better start.

Dissect incentives. Talent, culture and bureaucratic entrenchment stymie big firms desperate to innovate. Nimble, bootstrapped startups tantalizingly fill those voids, but crave revenue and reputation. Stalled AI implementations only fuel that magnetism.
Typically, the larger organization makes the headlines when deals falter. How many leadership teams meaningfully assess third-party risk from an incentives perspective? Or do expedited results appeal more strongly to their own compensation and prestige hunger? Is anyone seriously assessing which party has more (or less) to lose?

Nearly 95% of McDonald's 43,000 restaurants are franchised. With over 2 million workers and aggressive growth aims, automating job applications is a logical AI efficiency move. Its selected vendor, whose tagline boasts 'meet the AI assistant for all things hiring,' seemed like a natural partner. At what hidden costs? Successful strategic alliances require an 'outside-in' look at a counterparty's interests. Three of the seven-member Paradox board are private equity partners, including chair Mike Gregoire. In Startups Declassified, acclaimed business school professor and tech thought leader Steve Andriole emphasizes how critical flagship revenue is to valuation: 'There's no more important start-up activity than sales — especially important are the 'lighthouse' customers willing to testify to the power and greatness of products and services. Logo power is [vital] to start-ups.' 'Remember that no one wants to buy start-ups unless the company has killer intellectual property or lists of recurring customers. Profitable recurring revenue is nirvana. Exits occur when a start-up becomes empirically successful,' he continued.

Assess skill and will. Despite its global presence, digital strategy imperatives and daily transaction volume, the 2025 McDonald's proxy reveals three common AI-era oversight shortfalls: inadequate boardroom cyber expertise, no technology committee and cybersecurity relegated to audit oversight. Those are serious signaling problems. In fact, the word 'cybersecurity' appears only nine times across the 100-page filing.
In the director qualifications section, information technology is grouped with cybersecurity and vaguely defined as 'contributes to an understanding of information technology capabilities, cloud computing, scalable data analytics and risks associated with cybersecurity matters.' Just four of the eleven directors are tagged as such. While three of those four worked in the tech sector, none has any credible IT or cybersecurity expertise. Intriguingly, the director with the best experience to push for stronger governance is not one of the four but board member and former Deloitte CEO Cathy Engelbert. Is she, now the prominent WNBA league commissioner, willing to take such contentious risk? To start, she can tap longtime McDonald's CFO Ian Borden and auditors EY for guidance and ideas on bolstering board composition.

When tech issues arise, fingers, by default, point at the IT team. However, responsible AI design and deployment truly require cross-functional leadership commitment. McDonald's CEO Chris Kempczinski routinely touts a 4D strategy (digital, delivery, drive-thru and development) and characterizes the fast-food frontrunner's tech edge as 'unmatched.' That bravado brings massive expectations and he can't be happy with the '123456' password distraction. With annual compensation approaching $20 million, he also has a responsible AI obligation to current and future McDonald's workers making, on average, 1,014 times less, as well as to the 40,000 franchisees. Valerie Ashbaugh, McDonald's commercial products and platform SVP, rotates into the US CIO seat next month. The timing is ideal to institute policies, procedures and accountability for stronger third-party IT access controls.

Alan Robertson, UK ambassador to the Global Council for Responsible AI, astutely notes, 'The damage is done — not by hackers, but by sheer negligence. McDonald's has pinned the issue on Paradox. Paradox says they fixed it and have since launched a bug bounty program. It raises bigger questions for all of us. Who audits the third-party vendors we automate hiring with? Where does the liability sit when trust is breached at this scale? And what does 'responsible AI' even mean when basic cybersecurity hygiene isn't in place? We talk about ethics — but sometimes it's just about setting a password.' That's prototypical indifference, especially when the access key is '123456.'

Likewise, HR leaders have a chance to meaningfully shape AI rollouts. 'HR needs to resist the urge to 'just go along.' There will be many HR leaders who simply wait for the various software lines they currently license to add AI functionality. To do so would be a mistake. AI will become a critical part of the employee experience and HR should have a hand in that,' advises AthenaOnline SVP of customer solutions Mark Jesty. At McDonald's, EVP and global chief people officer Tiffanie Boyd holds that golden opportunity to elevate responsible AI on the board and c-suite agendas. Will she?

Responsibility knocks

The McHire 'near-miss' highlights how boards and c-suites can remain dangerously unprepared for AI design, deployment and oversight. Strategy speed and tech wizardry must never come at stewardship's cost. 'If you're deploying AI without basic security hygiene, you're not innovating. You're endangering people. Security is not optional,' implores CEO Ivan Rahman. Who's opting for drive-thru AI governance?

McDonald's in hot water after AI tool with laughably weak password ‘123456' gets hacked, data of 64M job seekers exposed

Economic Times

4 days ago

  • Business
  • Economic Times


McDonald's is facing major scrutiny after a shocking security lapse exposed sensitive data from as many as 64 million job seekers, all because of a default admin password that was as weak as it gets: '123456,' as per a report.

McDonald's Faces Scrutiny After AI Hiring Tool Breach Exposes Data of 64 Million Applicants

The breach was discovered in late June by security researchers Ian Carroll and Sam Curry during a review of McHire, McDonald's AI-driven hiring platform, as per the CSO Online report. The tool, which uses an automated chatbot named Olivia to screen and engage applicants, had a hidden flaw that made it easy for anyone to access applicants' chat histories with the bot, according to the report. According to Carroll, the team noticed a login option labeled 'Paradox team members' on McHire's admin interface, which led them to try the default username and password combination '123456,' and they were immediately logged in, not only to a test environment but also to real administrative dashboards containing live data, as reported by CSO Online.

Carroll said, 'Although the app tries to force single sign-on (SSO) for McDonald's, there is a smaller link for 'Paradox team members' that caught our eye,' as quoted in the report. Carroll revealed that, 'Without much thought, we entered '123456' as the password and were surprised to see we were immediately logged in!,' as quoted in the report.

Once they got inside, they found something even more troubling: an internal API endpoint allowed them to fetch applicant data by using a predictable parameter, according to the report. This insecure direct object reference, or IDOR, meant they could view the personal data of any applicant: chat transcripts with Olivia, names, email addresses, phone numbers, job application details, and even tokens that could let someone impersonate a candidate, as reported by CSO Online. The issue was discovered after Reddit users began complaining that Olivia was giving strange or nonsensical responses, which led the researchers to take a closer look, according to the report. However, the issue was resolved by McDonald's and Paradox (Olivia's creator) immediately upon disclosure, reported CSO Online.

What Are Experts Saying About the Incident?

A senior manager for professional services consulting at Black Duck, Aditi Gupta, pointed out that, 'The McDonald's breach confirms that even sophisticated AI systems can be compromised by elementary security oversights,' and added, 'The rush to deploy new technology must not compromise basic security principles. Organizations must prioritize fundamental security measures to ensure uncompromised trust in their software, especially for the increasingly regulated, AI-powered world,' as quoted in the report. Desired Effect's CEO Evan Dornbush highlighted that, 'This incident is a prime example of what happens when organizations deploy technology without an understanding of how it works or how it can be operated by untrusted users,' adding that, 'With AI systems handling millions of sensitive data points, organizations must invest in understanding and mitigating pre-emergent threats, or they'll find themselves playing catch-up, with their customers' trust on the line,' as quoted by the CSO Online report.

Rapid Response by McDonald's and Paradox

After the disclosure on June 30, Paradox and McDonald's acknowledged the vulnerability quickly, and by July 1, default credentials were disabled and the endpoint was secured, according to the report. Paradox also said that it will conduct further security audits, reported CSO Online. Later, a Paradox staff member wrote on its website, 'We are confident that, based on our records, this test account was not accessed by any third party other than the security researchers,' and emphasised that 'at no point was candidate information leaked online or made publicly available. Five candidates in total had information viewed because of this incident, and it was only viewed by the security researchers. This incident impacted one organization — no other Paradox clients were impacted,' as quoted by the CSO Online report.

Could the Exposed Data Be Used for Attacks?

The chief information security officer at Cequence Security, Randolph Barr, warned that, 'Even though there's no indication the data has been used maliciously yet, the scale and sensitivity of the exposure could fuel targeted phishing, smishing/vishing, and even social engineering campaigns,' and added that, 'Combined with AI tooling, attackers could craft incredibly personalized and convincing threats,' as quoted by CSO Online.

FAQs

What kind of data was exposed? Applicant chat logs, contact details, job application responses, shift preferences, personality test results, and impersonation tokens were accessible.

How did the researchers access the system? They used a publicly visible login labeled 'Paradox team members' and guessed the default password '123456,' which gave them immediate access.
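The two weaknesses described in the reports above, a default credential accepted by an internal staff login and an IDOR on an applicant lookup endpoint, are easy to reproduce side by side with their fixes. The block below is an added example written for this page; it is not Paradox's or McDonald's code, and the account table, applicant records, organisation IDs and the 2025 cutoff year are constructed stand-ins.

```python
"""Vulnerable and hardened versions of a staff login and an applicant lookup,
modelled on the McHire findings. All data is constructed and in-memory; the
account names, organisation IDs and cutoff year are hypothetical."""
from dataclasses import dataclass
import hmac

REVIEW_YEAR = 2025      # assumed 'current' year for the dormancy check
MAX_IDLE_YEARS = 1      # policy: accounts unused longer than this are dormant

# Constructed applicant records for two tenants, keyed by sequential IDs.
APPLICANTS = {
    1001: {"org": "org-a", "name": "Alice Example", "email": "alice@example.invalid"},
    1002: {"org": "org-a", "name": "Bob Example", "email": "bob@example.invalid"},
    1003: {"org": "org-b", "name": "Carol Example", "email": "carol@example.invalid"},
}

# Constructed staff accounts: a default-credential test account, a stale admin
# account last used in 2019, and a current tenant admin.
ACCOUNTS = {
    "123456": {"password": "123456", "org": "org-a", "last_used_year": 2025},
    "legacy-admin": {"password": "SomeOldPass!2019", "org": "org-a", "last_used_year": 2019},
    "hr-lead": {"password": "correct-horse-battery-staple", "org": "org-b", "last_used_year": 2025},
}

# Credentials that must never authenticate anywhere in production.
DEFAULT_CREDENTIALS = {("123456", "123456"), ("admin", "admin"), ("admin", "password")}


@dataclass
class Session:
    user: str
    org: str


def login_vulnerable(user: str, password: str):
    """Accepts any row in the table, defaults and dormant accounts included."""
    acct = ACCOUNTS.get(user)
    if acct and hmac.compare_digest(acct["password"], password):
        return Session(user, acct["org"])
    return None


def login_hardened(user: str, password: str):
    """Rejects known default credentials and dormant accounts, then checks the password."""
    if (user, password) in DEFAULT_CREDENTIALS:
        return None
    acct = ACCOUNTS.get(user)
    if acct is None or REVIEW_YEAR - acct["last_used_year"] > MAX_IDLE_YEARS:
        return None  # unknown or dormant account: same outcome as a bad password
    if not hmac.compare_digest(acct["password"], password):
        return None
    return Session(user, acct["org"])


def fetch_applicant_vulnerable(session, applicant_id: int):
    """IDOR: authentication is checked, authorization is not, so any ID can be read."""
    if session is None:
        raise PermissionError("not authenticated")
    return APPLICANTS.get(applicant_id)


def fetch_applicant_hardened(session, applicant_id: int):
    """Object-level authorization: the record must belong to the caller's tenant."""
    if session is None:
        raise PermissionError("not authenticated")
    record = APPLICANTS.get(applicant_id)
    if record is None or record["org"] != session.org:
        # Identical response for 'missing' and 'not yours' so IDs cannot be probed.
        raise PermissionError("not found or not permitted")
    return record


def enumerate_applicants(session, fetch, start: int, count: int):
    """Walks sequential IDs the way an attacker would; returns the IDs that were readable."""
    readable = []
    for applicant_id in range(start, start + count):
        try:
            if fetch(session, applicant_id) is not None:
                readable.append(applicant_id)
        except PermissionError:
            pass
    return readable


if __name__ == "__main__":
    test_acct = login_vulnerable("123456", "123456")
    print("vulnerable login as 123456:", test_acct)
    print("vulnerable enumeration:", enumerate_applicants(test_acct, fetch_applicant_vulnerable, 1000, 10))
    print("hardened login as 123456:", login_hardened("123456", "123456"))
    hr = login_hardened("hr-lead", "correct-horse-battery-staple")
    print("hardened enumeration as hr-lead:", enumerate_applicants(hr, fetch_applicant_hardened, 1000, 10))
```

Run stand-alone, the vulnerable pair lets the '123456' session walk every record across both tenants, while the hardened pair refuses the default credential and the 2019 account outright and lets a legitimate tenant admin see only the records of their own organisation. Scoping the lookup to the session's tenant is what closes the IDOR; replacing sequential IDs with unguessable ones only makes enumeration noisier and is not a substitute for the authorization check.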

McDonald's in hot water after AI tool with laughably weak password ‘123456' gets hacked, data of 64M job seekers exposed

Time of India

4 days ago

  • Business
  • Time of India



AI chatbot's simple ‘123456' password risked exposing personal data of millions of McDonald's job applicants

Yahoo

5 days ago

  • Business
  • Yahoo


Security researchers found that they could access the personal information of 64 million people who had applied for a job at McDonald's, in large part by logging into the company's AI job hiring chatbot with the username and password '123456.' Ian Carroll and Sam Curry wrote in a blog post that 'during a cursory security review of a few hours,' they found the password issue and another simple security vulnerability in an internal API, which allowed access to job applicants' past conversations with the chatbot on McHire, the hiring platform supplied to McDonald's by Paradox. The personal data seen by the researchers included applicants' names, email addresses, home addresses, and phone numbers. Paradox wrote in a blog post that it resolved the issues 'within a few hours' after the researchers' report, and that 'at no point was candidate information leaked online or made publicly available.' The researchers' findings were first reported by Wired.
