- McDonald’s recently introduced a new hiring platform called McHire
- It uses an AI-powered chatbot that collects resumes, CVs, and contact data
- Researchers managed to easily log into the backend and obtain all of the data stored by the AI
A third-party supply chain vulnerability exposed sensitive data on 64 million people who applied to work with McDonald’s, experts have claimed.
The company recently introduced a new AI-powered hiring platform, courtesy of partners Paradox.ai. Called McHire, it featured Olivia, an AI-powered chatbot that screens applicants, gathers their contact information, CVs and resumes, and makes them do a personality test.
The dedicated website, McHire.com, had a login link, which two security researchers – Ian Carroll and Sam Curry – used to log into the backend. They tried guessing the password, and after a first failed attempt (going with “admin” for both username and password fields), they succeeded on the second one – using “123456” in both fields.
Plugging the hole
Although it might come as a shock to some, Carroll told Wired easy-to-guess passwords such as this one are “more common than you’d think.”
Indeed, over the years, there were countless reports from security experts, warning about the use of passwords such as “password”, “iloveyou”, “123456”, “qwerty”, and similar.
Reaching the backend, they accessed all the data harvested by the platform, including personally identifiable information shared in CVs and resumes: names, email addresses, and phone numbers. In total, 64 million records were exposed.
While stealing names, emails, and phone numbers might not sound like much, cybercriminals can use it to create highly convincing phishing attacks, especially knowing that the victims applied for a job at McDonald’s at some point.
This can lead to more destructive malware and ransomware attacks, identity theftand even wire fraud.
As soon as the discovery was made, Paradox was notified and quickly plugged the hole. The company told Wired that “only a fraction of the records” the researchers accessed contained personal information, and that the hole was not previously spotted by anyone else.