Aug 4, 2025

McDonald’s AI Recruiter Breach Raises Alarms Over Basic Security Flaws

McDonald’s is facing strong backlash after a shocking security lapse exposed sensitive data of nearly 64 million job applicants. The leak occurred because of a default admin password: “123456”.

Security researchers Ian Carroll and Sam Curry discovered the breach in late June 2025. They were reviewing McHire, McDonald’s AI-powered hiring platform. McHire uses a chatbot called Olivia to screen candidates and gather details like names, emails, phone numbers, shift choices, and even personality test results.

The researchers noticed that the admin login page had an option labelled “Paradox team members,” which refers to Olivia’s maker, Paradox.ai. When they typed “123456” as both username and password, they gained immediate access. This was not just a test environment, but a live dashboard showing real applicant data.

Once inside, they found a flaw called an insecure direct object reference (IDOR) in the platform’s internal API. The bug let them change ID numbers in requests to access other applicants’ data. They could view full applicant profiles, chat logs, and even tokens used for impersonating candidates. The amount and sensitivity of this data caused serious concerns about possible phishing, impersonation, and social engineering attacks.
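The two weaknesses described above, a default admin credential and an IDOR in an object-lookup endpoint, are both authorization failures that are cheap to close at design time. The following is an added example written for this page, not McHire or Paradox.ai code: a toy applicant store with a vulnerable lookup that trusts the caller-supplied ID, a hardened lookup that enforces object-level authorization and logs denials for detection, and a bootstrap check that refuses a default or trivial admin password. The records, principal roles, and restaurant IDs are constructed sample data.

```python
"""Added example (not McHire/Paradox.ai code): object-level authorization
and a default-credential gate for an applicant API.

Assumptions: an in-memory record store stands in for the database, a
Principal dataclass stands in for an authenticated session, and roles
"vendor_admin", "franchise_manager" and "applicant" are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Optional, FrozenSet, List

# Constructed sample data: each applicant belongs to one restaurant.
APPLICANTS = {
    1001: {"name": "Alice Example", "email": "alice@example.test", "restaurant_id": 7},
    1002: {"name": "Bob Example", "email": "bob@example.test", "restaurant_id": 7},
    1003: {"name": "Carol Example", "email": "carol@example.test", "restaurant_id": 9},
}

# "123456" is the value reported in the incident; the rest are common defaults.
WEAK_PASSWORDS = {"123456", "password", "admin", "changeme"}

# Denied accesses go here; a SIEM rule on bursts of these per user catches ID walking.
AUDIT_LOG: List[str] = []


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str                                   # hypothetical role names
    restaurant_ids: FrozenSet[int] = field(default_factory=frozenset)
    applicant_id: Optional[int] = None


class AuthorizationError(Exception):
    pass


def credentials_are_acceptable(username: str, password: str) -> bool:
    """Bootstrap-time gate: refuse to bring up an admin account whose password
    is a known default, equals the username, or is too short."""
    if password in WEAK_PASSWORDS or password == username:
        return False
    return len(password) >= 12


def get_applicant_vulnerable(applicant_id: int) -> dict:
    """IDOR: the record is returned for whatever ID the caller supplies.
    Any authenticated user can walk the ID space."""
    return APPLICANTS[applicant_id]


def get_applicant(principal: Principal, applicant_id: int) -> dict:
    """Hardened: the same lookup, but the record is released only when the
    principal is entitled to it. Missing and forbidden records raise the
    same error so the endpoint is not an enumeration oracle."""
    record = APPLICANTS.get(applicant_id)
    allowed = record is not None and (
        principal.role == "vendor_admin"
        or (principal.role == "franchise_manager"
            and record["restaurant_id"] in principal.restaurant_ids)
        or (principal.role == "applicant" and principal.applicant_id == applicant_id)
    )
    if not allowed:
        AUDIT_LOG.append(f"deny user={principal.user_id} applicant={applicant_id}")
        raise AuthorizationError("not found")
    return record


def can_access(principal: Principal, applicant_id: int) -> bool:
    """Boolean wrapper around the hardened lookup, handy for tests and policy checks."""
    try:
        get_applicant(principal, applicant_id)
        return True
    except AuthorizationError:
        return False


if __name__ == "__main__":
    manager = Principal("mgr-7", "franchise_manager", frozenset({7}))
    print("vulnerable lookup of 1003 by restaurant-7 manager:",
          get_applicant_vulnerable(1003)["name"])
    print("hardened lookup of 1003 by restaurant-7 manager allowed:",
          can_access(manager, 1003))
    print("default admin credential accepted:",
          credentials_are_acceptable("123456", "123456"))
```

The design point is that the ownership check lives in the data-access function rather than in the UI or a route decorator, so every caller of the lookup, including internal tooling, inherits it; the denial log gives the security operations team a signal that a single account is probing sequential IDs.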

McDonald’s and Paradox.ai acted fast after the problem was revealed on June 30. By July 1, they disabled the default login details and fixed the weak endpoint. Paradox.ai also said they would do more security checks and clarified that only five candidate records were viewed, and only by the researchers. No data was leaked publicly.

Experts say this incident highlights a growing problem. Companies rush to use AI tools without taking enough cybersecurity measures. “Even sophisticated AI systems can be compromised by elementary oversights,” said Aditi Gupta of Black Duck Consulting. The breach also shows the risks of using third-party platforms, especially in franchise models where security standards can vary widely.

With AI now playing a big role in hiring, this case serves as a wake-up call for organisations to treat recruitment platforms with the same level of security as core business systems.

📰 Mini Headlines

SK Telecom Fined After Major 25M-User Data Breach

The massive telecom company SK Telecom in South Korea was fined $22,000 after malware took advantage of flaws during a three-year period and leaked data of 25 million users. The breach led to a nationwide SIM card replacement program and the exposure of IMSI numbers. Authorities said the company failed to detect the issue due to weak internal monitoring and cybersecurity practices.

Data Breach

Read More → https://mobileidworld.com/sk-telecom-hit-with-22k-fine-after-massive-25m-user-data-breach-in-south-korea/

💬 TikTok Under New EU Investigation Over China Data Transfers

TikTok is facing another privacy probe from the EU after admitting that some European user data was stored on servers in China, contrary to its earlier claims. Ireland’s Data Protection Commission is investigating whether TikTok violated GDPR rules, following a previous €530 million fine for similar issues.

Data Transfer

Read More → https://www.securityweek.com/tiktok-faces-fresh-european-privacy-investigation-over-china-data-transfers/

🔐 Bitcoin Depot Data Breach Hits 27,000 Crypto Users

Bitcoin Depot confirmed a data breach that exposed personal details of roughly 27,000 users, including names, emails, and uploaded IDs. The incident happened in June 2024 but was only disclosed recently following a federal investigation. No funds were stolen, but experts warn that the leaked data could be used for identity fraud or phishing attacks targeting crypto holders.

Data Breach

Read More → https://gbhackers.com/bitcoin-depot-breach-exposes-data/

🩺 Medicare Breach Exposes 100,000 Americans’ Private Data

The Centers for Medicare & Medicaid Services (CMS) revealed that hackers used stolen personal data to set up fake Medicare.gov accounts, accessing sensitive details of over 100,000 Americans. The breach affected names, birth dates, addresses, and insurance info. CMS says the compromised accounts have been deactivated, and new Medicare cards will be issued.

Private Data

Read More → https://www.foxnews.com/tech/medicare-data-breach-exposes-100000-americans-info

🏆 Arfi Siddik Mollashaik Wins Noble Award for Data Privacy in Enterprises

Arfi Siddik Mollashaik has received the Noble Awards Gold Winner for 2025. This honour recognises his important work in protecting enterprise data privacy and cybersecurity. As a Solution Architect at Securiti, he created AI-based tools that help companies find, classify, and secure sensitive information. His work includes features like automatic data masking and privacy-by-design models. These efforts have made it easier for organisations to follow privacy laws like GDPR and CCPA.

Noble Award

Read More → https://finance.yahoo.com/news/noble-awards-gold-winner-2025-102500513.html

© 2024-25 GoTrust | Proudly made in India

info@gotrust.tech

India

41, Block A, Industrial Area, Sector 62, Noida, Uttar Pradesh 201301

UAE

DIFC Innovation Hub, Gate Avenue, Zone D, Co-working Space Level 1 Al Mustaqbal St, Dubai

Netherlands

Cuserpark Amsterdam, De Cuserstraat 91, 1081CN, Amsterdam, Netherlands