What Happened in the Third-Party Breach of Paradox and McDonald’s?

Global fast food giant McDonald’s uses a third-party chatbot called Olivia to screen job applicants on its hiring website. The chatbot, provided by an outside company called Paradox, conducts interviews for 90 percent of McDonald’s franchises. The bot collects the applicant’s name, location, email address, phone number, shift availability and other details, then requires the applicant to complete an online personality test. In June 2025 a vulnerability was discovered in the platform that potentially exposed much of that collected information, along with the raw text of every chat conducted with all 64 million applicants worldwide.

Identify Indicators of Compromise (IoCs)

The chatbot’s vulnerabilities were found by a team of security researchers probing the company’s hiring website. The team followed the same steps a typical job applicant would take through the site. Along the way they noticed a separate login page intended for restaurant owners to review applicant information, and on it a link labelled “Paradox team members.” There they logged in to an administrative account using “123456” as both the username and the password. That account exposed internal code as well as an API through which the team could retrieve applicant data and chat transcripts. Beyond these authentication failures, the team identified a business logic flaw in the application process that was likely frustrating some applicants. When they tried to report their findings, the researchers discovered that Paradox had no clear, established channel for responsible vulnerability disclosure.

Actions Taken

Paradox responded only after repeated attempts to reach them, and confirmed that the flaw was patched in early July. It did not, however, say how long the system had been exposed or what, if anything, was communicated to affected applicants. Paradox also launched a bug bounty program and updated its password policies and API security controls. McDonald’s expressed disappointment in its third-party provider and committed to stricter oversight of vendors going forward.

Prevention

Rather than relying on the goodwill of independent security researchers, organizations should treat periodic third-party penetration tests, risk assessments, and code reviews as the proactive way to uncover misconfigurations, exposed endpoints, weak authentication, and business logic flaws before attackers do. Recurring penetration testing means regularly evaluating networks, applications, and services for weak points rather than testing once at launch. Point-in-time testing is useful for identifying and remediating specific issues, but many companies now also run continuous, automated penetration and attack testing programs from security specialists such as HALOCK so that vulnerabilities are caught as the environment changes. As more companies integrate third-party AI services into their environments, the need for recurring testing will only grow.

The reported findings concerning the McDonald’s hiring site also point to the usual culprits:

  • Never deploy systems with default or trivial credentials such as “123456”. Remove or disable vendor-supplied accounts, create new administrative accounts, and give each a strong, unique password.
  • Enable multifactor authentication (MFA) for all administrative accounts so that a leaked or guessed password alone is not enough to gain access.
  • Isolate sensitive admin interfaces from the public internet and restrict access to them to a VPN or an IP address allow-list. An admin link on a public-facing login page, as in this case, should never be reachable without such a control.
  • Employ real-time monitoring and anomaly detection on admin logins and data-access APIs so that unusual activity, such as a single account pulling large numbers of applicant records, is identified and investigated quickly.
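The following is an added example, not code from Paradox, McDonald’s or the researchers, showing two of the controls above in working form: a provisioning check that refuses an admin account with a default password, a password equal to the username, or no MFA factor, and a detection pass over constructed access-log lines that flags the kind of activity the researchers’ walk-through would have produced (a successful admin login with a default username, an admin login from outside the allow-list, and one session reading an unusual number of applicant records). The log format, policy values, allow-list range and thresholds are all assumptions for the example.

```python
"""Added example (not Paradox's or McDonald's code): provisioning policy and
log-based anomaly detection for an admin portal that fronts applicant data."""
import ipaddress
import re
from collections import defaultdict

# Hypothetical policy values; a real deployment would load these from config.
DENY_LIST_PASSWORDS = {"123456", "password", "admin", "welcome1"}
DEFAULT_USERNAMES = {"admin", "administrator", "test", "123456"}
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/16")]  # assumed corporate VPN range
MIN_PASSWORD_LEN = 14
BULK_READ_THRESHOLD = 50  # distinct applicant IDs per session before we alert


def provision_admin(username: str, password: str, mfa_enrolled: bool) -> list[str]:
    """Return the policy violations; an empty list means the account may be created."""
    problems = []
    if password.lower() in DENY_LIST_PASSWORDS:
        problems.append("password is on the default/breached password deny-list")
    if password.lower() == username.lower():
        problems.append("password equals username")
    if len(password) < MIN_PASSWORD_LEN:
        problems.append(f"password shorter than {MIN_PASSWORD_LEN} characters")
    if not mfa_enrolled:
        problems.append("admin account has no MFA factor enrolled")
    return problems


# Constructed log format for this example (not Paradox's real logs):
#   <ip> <session> <method> <path> <status> user=<name>
# A 200 on /admin/login is taken to mean a successful login (assumption).
LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<session>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) user=(?P<user>\S+)$"
)
APPLICANT_RE = re.compile(r"^/api/applicants/(?P<id>\d+)")


def detect_admin_anomalies(log_lines):
    """Scan log lines and return a list of alert strings."""
    alerts = []
    reads_per_session = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        ip, session, path, status, user = (
            m["ip"], m["session"], m["path"], m["status"], m["user"])
        if path.startswith("/admin/login") and status == "200":
            if user.lower() in DEFAULT_USERNAMES:
                alerts.append(f"default-username admin login: user={user} ip={ip}")
            if not any(ipaddress.ip_address(ip) in net for net in ADMIN_ALLOWLIST):
                alerts.append(f"admin login from outside allow-list: user={user} ip={ip}")
        a = APPLICANT_RE.match(path)
        if a and status == "200":
            reads_per_session[session].add(a["id"])
    for session, ids in reads_per_session.items():
        if len(ids) >= BULK_READ_THRESHOLD:
            alerts.append(f"bulk applicant read: session={session} records={len(ids)}")
    return alerts


# Constructed sample: one legitimate owner login from the VPN range, then a
# default-credential login from the public internet whose session walks
# applicant IDs sequentially through the API.
SAMPLE_LOG = [
    "10.20.4.7 s-ok POST /admin/login 200 user=j.owner",
    "10.20.4.7 s-ok GET /api/applicants/1001 200 user=j.owner",
    "203.0.113.9 s-bad POST /admin/login 200 user=123456",
] + [f"203.0.113.9 s-bad GET /api/applicants/{n} 200 user=123456" for n in range(1, 61)]

if __name__ == "__main__":
    print(provision_admin("123456", "123456", mfa_enrolled=False))
    for alert in detect_admin_anomalies(SAMPLE_LOG):
        print(alert)
```

Run stand-alone, the provisioning call returns four violations for the “123456”/“123456” account and the log scan produces three alerts: the default-username login, the login from outside the allow-list, and a bulk read of 60 applicant records by the same session. The bulk-read rule is the one that would have fired even if the credentials had been strong, which is why monitoring of the data-access API matters independently of the login controls.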

Companies should also maintain a clear, documented mechanism for responsible disclosure, such as a published security contact and policy, so that external researchers can report vulnerabilities without having to hunt for someone who will listen.
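One concrete form of such a mechanism, added here as an example and not taken from the page or from Paradox, is a security.txt file in the format defined by RFC 9116, served at https://<host>/.well-known/security.txt. The host, addresses and URLs below are placeholders.

```text
# Placeholder: served at https://careers.example.com/.well-known/security.txt
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-06-30T23:59:59Z
Encryption: https://example.com/security/pgp-key.txt
Preferred-Languages: en
Policy: https://example.com/security/disclosure-policy
Canonical: https://careers.example.com/.well-known/security.txt
```

Contact and Expires are the two fields RFC 9116 requires; Policy should point at a page that says what a researcher may test and what response time to expect, which is exactly what the researchers in this case could not find.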

HALOCK Breach Bulletin