Today, many companies rely on AI to handle parts of the hiring process. McDonald's uses an AI-powered hiring platform called McHire, powered by the Paradox.ai chatbot Olivia, to streamline recruitment, filter candidates and manage preliminary communications with candidates before human intervention.
AI brings convenience, but it also carries data privacy risks. This became apparent when two security researchers responsibly disclosed an important vulnerability that exposed the records of a small number of candidates, despite several early reports suggesting a much larger breach.
McDonald’s Sign (Kurt “Cyberguy” Knutsson)
What did researchers find on McDonald’s AI employment platform?
On June 30, 2025, security researchers Ian Carroll and Sam Curry discovered a vulnerability in the Paradox.AI test account related to a single client instance serving McDonald’s. Using weak and outdated credentials, they accessed the test portal and discovered unauthenticated API endpoints tied to chat interaction records.
They got seven chat logs. Five of these included US-based candidate information, including:
Full name, email address, numbers and IP address
The remaining two records did not contain any personal data. Notably, no full job applications, Social Security numbers or financial information were exposed, and sensitive areas remained protected.

Paradox.ai checks the scope of security vulnerabilities
Paradox.ai responded quickly, disabling the test account and patching the exposed endpoints within hours of notification. In an official statement, the company confirmed that only five candidate records containing personal information were accessed, and only by the two researchers, who ethically disclosed the matter.
The company says the incident affected only one Paradox client, believed to be McDonald's, while other Paradox.ai clients and systems were not affected. There is no evidence of malicious access or that data has been leaked or published. The company continues, “Based on our records, we are confident that this test account was not accessed by third parties other than security researchers.”
McDonald’s and Paradox.ai
Paradox.ai confirmed that the test account was set up before 2019 and should have been deprecated, and that its legacy credentials no longer meet current password standards. In response to the incident, the company has done the following:
Revoked the legacy test account, deployed a patch that closed the vulnerable endpoints and launched a bug bounty program.
In response, McDonald’s issued a statement:
“We are disappointed with this unacceptable vulnerability from our third-party provider Paradox.ai. As soon as we learned about the issue, we mandated that we fix the issue immediately. It was resolved on the same day it was reported to us.”

Were 64 million job applicants really affected?
Early reports suggested that the vulnerability could have exposed the job applications of up to 64 million people. However, the researchers did not confirm this number, and Paradox.ai's investigation did not show that a large-scale data exposure occurred. The only records accessed were the seven chat samples pulled by the researchers to verify the problem.
We reached out to Paradox.ai, and a representative said: “Our public posts should serve as an official statement of Paradox. It provides context and provides some clarification of the inaccuracies published in other media.” In line with that statement, Paradox.ai highlighted that the security researchers accessed only five candidate records containing personal information, and that there is no evidence that data was leaked or published.
The underlying vulnerability was real, but thanks to the researchers' actions and the vendor's rapid response, only a very limited range of data was actually accessed.
Could this data be used maliciously?
The researchers accessed personal information in five records, but there is no evidence that any attacker misused this data. Hypothetically, however, such data could be used for a variety of scams, such as:
Pretending to be recruiters to collect more personal information, sending fake phishing emails and luring job seekers with fake job offers
The nature of exposed data makes it sensitive even when the scope is limited.
Six Steps to Protect Your Personal Data When Using an Online Employment Platform
The McHire breach shows how easily AI tools can expose personal information when they collect job application data. These six steps will help you protect your information before, during and after the application.
1. Limit the personal data you share
Only share the information needed to complete the application. Unless you are confident that the platform is legitimate and secure, do not provide sensitive details such as your Social Security number, bank account information or full home address.
2. Use an alias email for your job search
An alias email address is an additional email address that delivers mail to the same mailbox as your primary email address. It acts as a forwarding address and sends emails on to your primary address. It also helps you organize your job hunt, spot scams quickly and reduce the damage if a company mishandles your data.
Check out my review of the best safe and private email service at cyberguy.com/mail
3. Check for HTTPS and red flags
Before filling out a form, make sure the website URL starts with https:// and that the site looks safe and professional. Avoid platforms and bots that ask vague or repetitive questions or redirect you for no clear reason.
4. Consider a data removal service
Cases like the McHire breach show that even when you think you are just applying for a job, your personal details can easily be exposed. Data removal services help reduce your online footprint by scanning hundreds of data broker sites and requesting that your information be deleted. This reduces the risk that your personal data will be leaked and misused in phishing scams or for impersonation.
Although no service can promise to delete all of your data from the internet, a removal service is a great option if you want to monitor and automate the process of continuously deleting your information from hundreds of sites over a long period of time.
Check out our top picks for data removal services at cyberguy.com/delete, and get a free scan to see if your personal information is already visible on the web at cyberguy.com/freescan
5. Use a strong and unique password for your job search account
If you create an account on a recruitment platform, avoid reusing a password from other services. A weak or reused password makes it more likely that attackers can get at your data if the site is compromised. Consider using a password manager to generate and store secure passwords.
Check out the best expert reviewed password managers of 2025 at cyberguy.com/passwords
6. Monitor for signs of identity misuse or fraudulent messages
After applying for a job, pay attention to emails and texts that seem “off.” Scammers use leaked data to impersonate recruiters and employers, particularly after high-profile breaches. Beware of fake onboarding requests or messages asking for sensitive information such as bank details and ID. If you are in doubt, check directly with the company.
Kurt's key takeaways
The incident was a serious but limited security issue. Thanks to the responsible disclosure by the researchers and the rapid response of Paradox.ai, the exposure was limited to five candidate records, and personal data was not leaked or misused. That said, this event is a reminder: data privacy should be a top concern when AI is involved in hiring. Even small oversights like a forgotten test account can put real people’s data at risk.
Do you think companies should be more transparent when data is involved in the hiring process? Let us know at cyberguy.com/contact
Copyright 2025 cyberguy.com. Unauthorized reproduction is prohibited.