Super-Size Security Fail: McDonald's AI Hiring Bot Exposes 64M Records
hothardware.com
The rise of AI has resulted in the technology permeating our daily life, with many companies using it in their hiring process. That includes McDonald’s, which deploys a chatbot named Olivia made by Paradox.ai on its McHire.com site. Unfortunately, security researchers discovered security vulnerabilities on the site that could expose applicants' personal information.
Security researchers Carroll and Sam Curry started by trying to probe the chatbot with prompt injection attacks, which can sometimes hijack LLMs. Paradox.ai has seemingly done a good job in securing its platform on this front, as the researchers came up empty.
Undeterred, the researchers took another approach. They noticed a login link on the McHire site meant for Paradox.ai staff, which they quickly penetrated. Shockingly, the most basic username and password possible, “123456,” got them access. Even worse, the developers didn’t bother to protect this administrator account with two-factor authentication ...
Copyright of this story solely belongs to hothardware.com.