Food giant hacked due to password simplicity! List of 64 million people leaked

The world-famous fast food chain McDonald's is in the news for one of its biggest digital security scandals to date. It was revealed that the management panels of McHire, McDonald's recruiting system, could be accessed with nothing more than a simple password like "123456." The vulnerability exposed the personal data of more than 64 million applicants worldwide.
SERIOUS VULNERABILITY IN THE MCHIRE SYSTEM
McHire, used by 90% of McDonald's franchisees, is a system developed by Paradox.ai that collects applications through an AI-powered assistant named Olivia. The platform records users' contact information, shift preferences, and personality test responses.
Researchers reported that they were able to access the system's admin panel after just a few attempts. They discovered that, via the "Paradox team members" link, entering a common combination like "123456" in the username and password fields gave direct access to the panel.
THE PASSWORD WAS NOT THE ONLY PROBLEM: THERE WAS NO IDENTITY VERIFICATION
The real security vulnerability, however, was hidden in an API on the system's backend that worked with "lead_id". This API, used by developers in their internal testing, exposed user data without any authentication mechanism. Through this vulnerability, the following data of users who had applied to McDonald's in the past were accessible:
Name, surname, telephone number, e-mail, address
Application process information and personality test answers
User-specific verification tokens
Chat history and all in-system messaging
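The missing check described above, as an added example that is not code from McHire or Paradox.ai: a record lookup keyed by lead_id, first with no authentication, then with a session check and a per-record authorization check. All function names, stores and sample records are constructed, and the rule that an applicant may read only their own record is an assumption; the article only says the API had no authentication.

```python
import hmac

# Constructed sample data: applicant records keyed by lead_id.
LEADS = {
    "lead-a": {"owner": "alice", "name": "Alice Example", "email": "alice@example.test"},
    "lead-b": {"owner": "bob", "name": "Bob Example", "email": "bob@example.test"},
}
# Constructed session store: opaque token -> authenticated user.
SESSIONS = {"tok-alice-1f9c": "alice", "tok-bob-77d2": "bob"}


def get_lead_unauthenticated(lead_id):
    """The flaw as described: any caller who names a lead_id gets the record."""
    return LEADS.get(lead_id)


def authenticate(token):
    """Resolve a session token to a user, comparing in constant time."""
    if not isinstance(token, str):
        return None
    for known, user in SESSIONS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return user
    return None


def get_lead(lead_id, token):
    """Hardened lookup returning (status, body): authenticate, then authorize."""
    user = authenticate(token)
    if user is None:
        return 401, None  # no valid session: refuse before touching the data
    record = LEADS.get(lead_id)
    # Unknown and foreign lead_ids get the same answer, so the response
    # does not confirm which identifiers exist.
    if record is None or record["owner"] != user:
        return 404, None
    return 200, {k: v for k, v in record.items() if k != "owner"}
```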
A GIANT LEAK OF 64 MILLION PEOPLE
According to researchers, this vulnerability affected more than 64 million McDonald's applications worldwide. The leaked data was reportedly extensive enough to allow someone to access the system on users' behalf.
PARADOX.AI: VULNERABILITY CLOSED, INVESTIGATION STARTED
Researchers who noticed the situation attempted to contact Paradox.ai. However, the company's official security page didn't have any open reporting channels. The team wrote to random email addresses to report the incident. When they finally reached the right people, Paradox.ai officials took action, announcing that the vulnerability had been patched and that they were launching a comprehensive review of the system.
SÖZCÜ