An AI hiring bot used by McDonald's to sort applicants at their thousands of restaurants was hacked rather easily, exposing the data of millions of people who applied to work at the restaurant.
I think I know who would be most interested in exploiting this weakness!
All they had to do was try the password "123456" and they were in.
These are the robots who are telling us our clever passwords are weak?
On Wednesday, security researchers Ian Carroll and Sam Curry revealed that they found simple methods to hack into the backend of the AI chatbot platform on McHire.com, McDonald's website that many of its franchisees use to handle job applications. Carroll and Curry, hackers with a long track record of independent security testing, discovered that simple web-based vulnerabilities — including guessing one laughably weak password — allowed them to access a Paradox.ai account and query the company's databases that held every McHire user's chats with Olivia. The data appears to include as many as 64 million records, including applicants' names, email addresses, and phone numbers.
At least it was good-guy hackers who apparently have no motive other than to expose security issues. It would appear that the info submitted by McDonald's applicants is safe.
But the fact that it was so easy to hack ought to make anyone applying for jobs online very skeptical.
When WIRED reached out to McDonald's and Paradox.ai for comment, a spokesperson for Paradox.ai shared a blog post the company planned to publish that confirmed Carroll and Curry's findings. The company noted that only a fraction of the records Carroll and Curry accessed contained personal information, and said it had verified that the administrator account with the "123456" password that exposed the information "was not accessed by any third party" other than the researchers. The company also added that it's instituting a bug bounty program to better catch security vulnerabilities in the future. "We do not take this matter lightly, even though it was resolved swiftly and effectively," Paradox.ai's chief legal officer, Stephanie King, told WIRED in an interview. "We own this."
McDonald's also blamed Paradox.ai and demanded they fix the issue.

I had no idea it was so easy to hack it in the hacking business.