
McDonald's AI hiring chatbot exposed data of job candidates

20 Jul 2025 By foxnews

Many companies now rely on AI to handle parts of the hiring process. Bots screen resumes, filter candidates, and manage preliminary communication before a human steps in. McDonald's utilizes an AI-powered hiring platform called McHire, which is powered by Paradox.ai's chatbot, Olivia, to streamline its recruitment process.

While AI brings convenience, it also comes with data privacy risks. This became clear when two security researchers responsibly disclosed a critical vulnerability that exposed a small number of candidate records, despite some early reports suggesting a much larger breach.

On June 30, 2025, security researchers Ian Carroll and Sam Curry discovered a vulnerability in a Paradox.ai test account related to a single client instance, which serves McDonald's. Using weak, outdated credentials, they accessed a testing portal and discovered an unauthenticated API endpoint tied to chat interaction records.

They retrieved seven chat logs, five of which included U.S.-based candidate information such as:

The remaining two records did not include any personal data. Notably, no full job applications, Social Security numbers, or financial information were exposed, and sensitive fields remained protected.

Paradox.ai responded swiftly, disabling the test account immediately and patching the exposed endpoint within hours of notification. In a public statement, the company confirmed that only five candidate records containing personal information were accessed, and only by the two researchers who ethically disclosed the issue.

The company claims the incident impacted only one Paradox client, believed to be McDonald's, and no other Paradox.ai clients or systems were affected. There is no evidence of malicious access or that any data was ever leaked or made publicly available. The company went on to say that, "We are confident that, based on our records, this test account was not accessed by any third party other than the security researchers."

Paradox.ai admitted the test account, set up before 2019, should have been decommissioned, and that legacy credentials no longer met current password standards. In response to the incident, the company has:

In response, McDonald's issued a statement:

"We're disappointed by this unacceptable vulnerability from a third-party provider, Paradox.ai. As soon as we learned of the issue, we mandated Paradox.ai to remediate the issue immediately, and it was resolved on the same day it was reported to us. We take our commitment to cyber security seriously and will continue to hold our third-party providers accountable to meeting our standards of data protection."

Early reports suggested that the vulnerability could have exposed up to 64 million job applications. However, researchers never confirmed this number and Paradox.ai's investigation did not find any indication that large-scale data scraping occurred. The only records accessed were the seven chat samples pulled by the researchers to verify the issue.

We reached out to Paradox.ai, and a rep told us: "Our public post should serve as Paradox's official statement. It provides context, as well as some clarification of inaccuracies published in other media." Consistent with their statement, Paradox.ai emphasized that only five candidate records containing personal information were accessed by the security researchers, and there is no evidence of a mass breach or any data being made public.

While the underlying vulnerability was real, only a very limited scope of data was actually accessed, thanks to the actions of the researchers and the vendor's rapid response.

While the researchers accessed personal information in five records, there is no evidence that attackers ever exploited this data. However, hypothetically, such data could be used for various scams, such as:

The nature of the exposed data makes it sensitive, even if the scope was limited.

The McHire breach shows how easily personal information can be exposed when AI tools collect job application data. These six steps can help you protect your information before, during, and after applying.

Only share the information needed to complete the application. Do not provide sensitive details like your Social Security Number, bank account information, or full home address unless you are certain the platform is legitimate and secure.

An alias email address is an additional email address that can be used to receive emails in the same mailbox as the primary email address. It acts as a forwarding address, directing emails to the primary email address. It also keeps your job search organized, helps you spot scams quickly, and reduces the damage if a company mishandles your data.

See my review of best secure and private email services at Cyberguy.com/Mail

Before you fill out any forms, check that the website URL begins with https:// and that the site looks secure and professional. Avoid platforms or bots that ask vague or repetitive questions or redirect you without a clear reason.

Incidents like the McHire breach show how easily personal details can be exposed, even when you think you're just applying for a job. A data-removal service helps reduce your online footprint by scanning hundreds of data broker sites and requesting the removal of your information. This lowers the risk of your personal data being leaked, exploited in phishing scams, or used for impersonation.

While no service promises to remove all your data from the internet, having a removal service is great if you want to constantly monitor and automate the process of removing your information from hundreds of sites continuously over a longer period of time.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com/Delete

If you create accounts on hiring platforms, avoid reusing passwords from other services. A weak or reused password can make it easier for attackers to compromise your data if a site is breached. Consider using a password manager to generate and store secure passwords.

Check out the best expert-reviewed password managers of 2025 at Cyberguy.com/Passwords

After applying for jobs, stay alert for emails or texts that seem "off." Scammers often use leaked data to impersonate recruiters or employers, especially after high-profile breaches. Watch for fake onboarding requests or messages asking for sensitive information like bank details or IDs. When in doubt, verify directly with the company.

This incident was a serious but limited security issue. Thanks to responsible disclosure by researchers and Paradox.ai's rapid response, the exposure was contained to just five candidate records, and no personal data was leaked or misused. That said, the event is a reminder: when AI is involved in hiring, data privacy must remain a top concern. Even small oversights, like a forgotten test account, can put real people's data at risk.

Do you think more transparency is needed from companies when your data is involved in the hiring process? Let us know by writing us at Cyberguy.com/Contact

Copyright 2025 CyberGuy.com.  All rights reserved. 
