Facepalm: Almost anyone who applied to work at McDonald's earlier this year may have exposed their name, phone number, email address, physical address, and other personal information. Security researchers effortlessly broke into the administrative system overseeing applicants' interactions with the generative AI chatbot that conducts most job interviews.

Security researcher Ian Carroll successfully logged into an administrative account for Paradox.ai, the company that built McDonald's AI job interviewer, using "123456" as both a username and password. Examining the internal site's code quickly granted access to raw text from every chat it ever conducted.

Job applicants at 90 percent of McDonald's franchises are interviewed by Paradox's AI chatbot, named Olivia. The AI collects names, locations, email addresses, phone numbers, shift availability, and other personal information before conducting rudimentary personality tests. Human overseers view and access this information using Paradox administrative accounts.

Although McDonald's hiring website attempts to push users toward a single sign-on, Carroll noticed a link in small text that led to a separate Paradox employee login page. Shockingly, it accepted the default username and password, immediately revealing the system's inner workings.

After discovering an API in the site's code, Carroll decremented the main parameter of an XHR request for a test chat, which granted access to Olivia's chat history for 64 million applicants. In addition to personal data, the leak also revealed authentication tokens and changes to employment status.
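
The flaw described above is a missing object-level authorization check: the API returned whichever chat record matched the numeric ID in the request. The Python sketch below is an added example, not Paradox's code; the record layout, organisation IDs and function names are assumptions, and the data is constructed. It contrasts a lookup by ID alone with one that also requires the record to belong to the caller's organisation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Chat:
    chat_id: int      # sequential integer ID, as in the reported flaw
    org_id: str       # organisation that owns the applicant record (assumed field)
    transcript: str

@dataclass(frozen=True)
class Session:
    user: str
    org_id: str       # organisation the logged-in admin belongs to (assumed field)

# Constructed sample records, not real data.
CHATS = {c.chat_id: c for c in [
    Chat(1001, "org-a", "applicant A transcript"),
    Chat(1002, "org-b", "applicant B transcript"),
    Chat(1003, "org-test", "test chat"),
]}

class NotFound(Exception):
    pass

def get_chat_vulnerable(session: Session, chat_id: int) -> Chat:
    """Looks the record up by ID alone: any authenticated session reads any chat."""
    if chat_id not in CHATS:
        raise NotFound(chat_id)
    return CHATS[chat_id]

def get_chat_scoped(session: Session, chat_id: int) -> Chat:
    """Object-level authorization: the record must belong to the caller's org."""
    chat = CHATS.get(chat_id)
    # Same error for "missing" and "not yours", so responses do not show which IDs exist.
    if chat is None or chat.org_id != session.org_id:
        raise NotFound(chat_id)
    return chat

def readable_ids(getter, session: Session) -> list[int]:
    """Audit helper: which stored chat IDs can this session read via `getter`?"""
    allowed = []
    for chat_id in sorted(CHATS):
        try:
            getter(session, chat_id)
            allowed.append(chat_id)
        except NotFound:
            pass
    return allowed
```

A helper like `readable_ids` works as a regression test: run it with a session from one organisation and fail the build if any ID from another organisation comes back.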

Moreover, when Carroll attempted to alert Paradox to the breach, he was unable to find a security disclosure contact. The company's security page mostly consists of a simple assurance that users shouldn't need to worry about security. Eventually, after the researchers emailed "random people," Paradox and McDonald's confirmed that they resolved the issue in early July.

Carroll also noticed Olivia's relatively limited range of responses, which have drawn ridicule online. One Redditor shared screenshots from a conversation where Olivia directed them toward the chain's hiring website, which sent them back to the chatbot. When the applicant complained, the AI responded nonsensically.

Hiring is far from the only area where McDonald's has integrated AI into its operations. In March, the company announced plans to utilize the technology for administration, sensing equipment, checking orders, and other tasks. Last year, McDonald's ended tests for an AI drive-thru system developed by IBM.

Despite the obvious dangers of using "123456" as a password, it still regularly appears in lists of the most common credentials.