McDonald's McHire bot exposed personal information of 64M people by using '123456' as a password in 2025

[Image: a child dressed as Ronald McDonald looking sad. Image credit: Shutterstock]

A pair of security researchers has revealed vulnerabilities in McHire, the job-application chatbot that Paradox developed for McDonald's, that could have been exploited to reveal personal information about roughly 64 million people who have used the service to apply for jobs at their local franchises. (Hat-tip Wired.)

I was "hacked" the first time when I was 14. I put that in scare quotes because the password for the account was "1234." (Without the quotes or period, of course, which makes it even worse.) After I regained access to the account, I started using a password manager.

According to the researchers, the exposed records for each applicant included:

  • Name, email address, phone number, address
  • Candidacy state and every state change/form input the candidate had submitted (shifts they could work, etc.)
  • Auth token to log into the consumer UI as that user, leaking their raw chat messages and presumably other information

Carroll and Curry noted that Paradox had previously bragged that 90% of McDonald's franchises were using McHire as part of their hiring practices. (That link still leads to the appropriate post on Paradox's blog, but the section related to McDonald's has been removed, and neither the Wayback Machine nor Google's cache has saved old versions of the post. Weird!)

So let's compare and contrast. I secured a forum account with the password "1234" when I was a teenager; that account's compromise was ultimately meaningless. Paradox raised $200 million in 2020, McDonald's has a $213 billion market cap, and McHire's flaws exposed information about tens of millions of people. But at least their password was two characters longer!

Perhaps the only bright side is that Carroll and Curry said the McHire vulnerabilities were addressed a day after their disclosure. Hopefully the companies involved will hold themselves to a McHigher standard now.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • psyconz
    Appreciate the humour shown in this piece. A silver lining to the amazingly awful self-pwns (with consequences for others, and even sometimes the companies themselves, too) that incredibly wealthy corporations seem to achieve on a regular basis.
    Reply
  • vern72
    Clown! :p
    Reply
  • punkncat
    vern72 said:
    Clown! :p

    Well done.
    Reply
  • Thunder64
    You shouldn't have to create an account to apply to a job.
    Reply
  • USAFRet
    Thunder64 said:
    You shouldn't have to create an account to apply to a job.
    An "account"? Maybe not.
    But they WILL need some details about how to contact you.
    Which results in the same thing.
    Reply
  • derekullo
    That's amazing. I've got the same combination on my luggage!
    Reply