These days, many companies are turning to AI for parts of their hiring processes. For example, McDonald’s uses an AI employment platform named McHire, which relies on a chatbot from Paradox.ai called Olivia. The setup streamlines recruitment, filters candidates, and manages early communications before any human gets involved.
While AI can make things easier, it also raises data privacy concerns, as two security researchers showed when they found a significant vulnerability. Initially it appeared that a large number of candidate records had been compromised, but only a small number turned out to be affected.
What did researchers find on McDonald’s AI employment platform?
On June 30, 2025, the researchers in question, Ian Carroll and Sam Curry, discovered a vulnerability in a Paradox.ai test account tied to McDonald’s. Using outdated login credentials, they accessed a test portal and identified unauthenticated API endpoints that exposed chat interaction logs.
Out of their findings, they collected seven chat logs. Interestingly, five of these contained information about U.S.-based candidates, including:
- Full names
- Email addresses
- Phone numbers
- IP addresses
The other two contained no personal data. Crucially, no full job applications, Social Security numbers, or financial details were exposed; those more sensitive areas remained protected.
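The core weakness described above is an API endpoint that hands out chat logs to any caller, reached through credentials for a legacy test account that should have been retired. The following Python model is an added illustration, not Paradox.ai’s or McDonald’s code, and its tenants, tokens, the `legacy` session flag and all records are constructed sample data. It places the weak endpoint beside a hardened one that authenticates the caller, rejects expired and legacy test sessions, and scopes results to the caller’s tenant.

```python
"""
Added illustration (not the vendor's code): a framework-free model of an API
endpoint that serves chatbot interaction logs, in a weak and a hardened form.
All identifiers, tokens and records are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hmac


@dataclass(frozen=True)
class ChatLog:
    log_id: int
    tenant: str
    candidate_name: str
    email: str
    phone: str
    ip: str


# Constructed sample store: two tenants, three logs with the PII categories the article lists.
CHAT_LOGS = [
    ChatLog(1, "tenant-a", "Alice Example", "alice@example.com", "555-0100", "192.0.2.10"),
    ChatLog(2, "tenant-a", "Bob Example", "bob@example.com", "555-0101", "192.0.2.11"),
    ChatLog(3, "tenant-b", "Carol Example", "carol@example.com", "555-0102", "198.51.100.5"),
]


@dataclass(frozen=True)
class Session:
    token: str
    tenant: str
    expires_at: datetime
    legacy: bool  # hypothetical flag marking a pre-2019 test account


# Fixed "current time" so the example is deterministic.
NOW = datetime(2025, 6, 30, tzinfo=timezone.utc)

# Constructed sessions: one live, one expired, one legacy test account that is still unexpired.
SESSIONS = {
    "tok-live": Session("tok-live", "tenant-a", NOW + timedelta(hours=1), legacy=False),
    "tok-expired": Session("tok-expired", "tenant-a", NOW - timedelta(days=1), legacy=False),
    "tok-legacy": Session("tok-legacy", "tenant-b", NOW + timedelta(days=365), legacy=True),
}


class Unauthorized(Exception):
    """Raised when a request must not be served."""


def fetch_chat_logs_unauthenticated(token=None):
    """Weak form: the token is accepted but never checked, and nothing is scoped to a tenant."""
    return list(CHAT_LOGS)


def _resolve_session(token, now=NOW):
    """Validate a bearer token and return its session, or raise Unauthorized."""
    if not token:
        raise Unauthorized("missing token")
    # Compare against every stored token with a constant-time comparison, so that
    # neither an early exit nor the comparison itself reveals whether a token exists.
    match = None
    for stored in SESSIONS.values():
        if hmac.compare_digest(stored.token.encode(), token.encode()):
            match = stored
    if match is None:
        raise Unauthorized("unknown token")
    if match.expires_at <= now:
        raise Unauthorized("session expired")
    if match.legacy:
        # Legacy test credentials are refused outright, matching the remediation the article lists.
        raise Unauthorized("legacy test account disabled")
    return match


def fetch_chat_logs_hardened(token, now=NOW):
    """Hardened form: authenticate, reject stale or legacy sessions, scope results to the tenant."""
    session = _resolve_session(token, now)
    return [log for log in CHAT_LOGS if log.tenant == session.tenant]


def access_check(token, now=NOW):
    """Return (granted, reason, record_count), the triple a defender would write to an audit log."""
    try:
        logs = fetch_chat_logs_hardened(token, now)
        return True, "ok", len(logs)
    except Unauthorized as exc:
        return False, str(exc), 0


if __name__ == "__main__":
    print("weak endpoint, no token:", len(fetch_chat_logs_unauthenticated()), "records")
    for tok in ("tok-live", None, "tok-unknown", "tok-expired", "tok-legacy"):
        print("hardened endpoint,", repr(tok), "->", access_check(tok))
```

The `access_check` wrapper is there because the reason for a refusal is what an audit log needs: a sudden run of "legacy test account disabled" or "unknown token" entries against a log-listing endpoint is exactly the signal that would have flagged this kind of probing early.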
Paradox.ai checks the scope of security vulnerabilities
Paradox.ai acted quickly, disabling the test account and patching the exposed vulnerabilities shortly after being notified. In its official communication, the company confirmed that only the five records containing personal data were accessed, and only by the two researchers who responsibly disclosed their findings.
The company stated that the incident affected just one client, believed to be McDonald’s, and that other Paradox.ai clients and systems were unaffected. There is no evidence that any data was leaked or accessed maliciously, and the company expressed confidence that only the researchers had accessed the test account.
McDonald’s and the Paradox
In its response, Paradox.ai acknowledged that some test accounts dating from before 2019 should be phased out, as their security measures were outdated. The company has taken several actions:
- Revoked legacy account credentials
- Deployed patches to fix the vulnerabilities
- Initiated a Bug Bounty Program
- Provided public contact information for security issues at security@paradox.ai
McDonald’s also released a statement expressing disappointment over the vulnerability at its third-party provider, Paradox.ai. It noted that it mandated immediate fixes, which were carried out on the same day the issue was reported.
Was that really a job opening for 64 million people?
Initially, there was speculation that the vulnerability could have exposed job applications for up to 64 million people. That figure was never substantiated by the researchers, who confirmed that they only looked at a handful of chat samples to verify the problem.
In communication with Paradox.ai, a spokesperson said the company’s disclosure was meant as a clarification amid inaccurate reporting by other media. The company maintained that the only records accessed contained personal information on five candidates, with no indication of a widespread data breach.
Could this data be used maliciously?
Although no misuse of the data has been confirmed, the potential for malicious activity exists. For instance, the exposed data could facilitate:
- Impersonating a recruiter for further personal information
- Sending phishing emails masked as onboarding messages
- Targeting job seekers with false job offers
The sensitive nature of this personal information makes even limited exposure a serious concern.
Six Steps to Protect Your Personal Data When Using an Online Employment Platform
The McHire incident underscores how AI tools can inadvertently expose personal information during job applications. Here are six steps to safeguard your data:
1. Limit the personal data you share
Share only what’s necessary for the application. Avoid disclosing sensitive information, like your Social Security number or bank details, unless you fully trust the platform’s security.
2. Get an alias email for your job applications
Use an alias email address to manage job-search communications. It acts as a forwarding address that keeps your primary inbox organized and shielded from exposure.
3. Check the HTTPS and look for red flags
Make sure the site uses a secure URL beginning with “https://” before entering your information. Be cautious of platforms that ask vague questions or redirect you without explanation.
4. Consider a data deletion service
Given incidents like the McHire one, a data removal service can help reduce your online footprint. Such services monitor data broker sites and request deletions on your behalf, minimizing the risk of personal data misuse.
5. Use a strong and unique password for your accounts
Avoid reusing passwords across platforms. Weak passwords make it easier for attackers to gain access. Consider using a password manager.
6. Monitor for signs of identity misuse
After applying for jobs, stay alert for suspicious emails or texts, and be wary of messages asking for sensitive information. Verify any doubts directly with the company.
Important points of concern
While the incident was a notable security issue, it was contained. Thanks to the prompt and responsible actions of the researchers and Paradox.ai, only a limited amount of data was accessed, and there is no evidence of leaks or misuse. Nonetheless, it is a reminder of the importance of data privacy in AI-driven hiring processes: small oversights can endanger real people’s information.
Do you believe companies should be more transparent regarding data used in the hiring process? Share your thoughts.