McHire’s 64M AI Job Hunters Breached by ‘123456’ Password, Chatbots Leak Secrets

McHire’s AI hiring system, trusted by 64 million hopefuls, was undone by the admin password ‘123456,’ exposing applicant chat transcripts and personal data. Questions like “Can AI recruitment platforms be hacked?” and “What happens if my job application is leaked?” got a concrete answer when researchers Ian Carroll and Sam Curry gained live dashboard access. “Without much thought, we entered ‘123456’ as the password and were surprised to see we were immediately logged in!” Carroll revealed, highlighting the absurd ease of the breach.
After Carroll’s surreal ‘123456’ login, investigators uncovered an internal API flaw that let them browse applicant PII by simply decrementing an ID number, a process easier than ordering fries. For readers asking “What data did the McDonald’s breach expose?” or “Are AI hiring bots safe?”, the answer is chat transcripts, shift preferences, and even impersonation tokens, all accessible thanks to an admin oversight. “This incident is a prime example of what happens when organizations deploy technology without an understanding of how it works,” observed security CEO Evan Dornbush.
By July 1, McDonald’s and Paradox.ai had patched the flaws, but not before researchers accessed five real applicant records, proving that, in 2025, a $200 billion firm’s digital gatekeeper was a password straight from a sixth-grade math quiz.
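
The ID-decrement flaw described above is a missing object-level authorization check: the API returned whatever record matched the numeric ID without asking whether the caller was entitled to it. The following is an added example, not code from McHire, Paradox.ai or the researchers; the record fields, organization names and function names are hypothetical, and it shows the unchecked lookup beside one that scopes records to the caller's organization.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Applicant:
    applicant_id: int
    owner_org: str   # organization whose recruiters may view this record
    name: str

@dataclass(frozen=True)
class Session:
    user: str
    org: str

# Constructed sample data; IDs are sequential, as in the flaw described above.
RECORDS = {
    1001: Applicant(1001, "org-a", "Constructed Applicant A"),
    1002: Applicant(1002, "org-b", "Constructed Applicant B"),
    1003: Applicant(1003, "org-a", "Constructed Applicant C"),
}

class NotFound(Exception):
    """Raised for missing AND unauthorized records, so replies don't reveal which IDs exist."""

def get_applicant_vulnerable(session: Session, applicant_id: int) -> Applicant:
    # Flaw class from the article: any logged-in caller gets any record
    # by supplying its numeric ID; ownership is never checked.
    rec = RECORDS.get(applicant_id)
    if rec is None:
        raise NotFound(applicant_id)
    return rec

def get_applicant_hardened(session: Session, applicant_id: int) -> Applicant:
    # Object-level authorization: the record must belong to the caller's org.
    rec = RECORDS.get(applicant_id)
    if rec is None or rec.owner_org != session.org:
        raise NotFound(applicant_id)
    return rec

def visible_ids(lookup, session: Session, ids) -> list:
    """Audit helper: return the IDs this session can read through `lookup`."""
    out = []
    for i in ids:
        try:
            lookup(session, i)
            out.append(i)
        except NotFound:
            pass
    return out
```

A regression test built on `visible_ids` catches the flaw before release: with the hardened lookup, counting down from a caller's own record ID must never surface another organization's record.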