Experts urge firms to focus on security basics as AI adoption accelerates
McDonald’s has come under scrutiny after a critical security lapse exposed personal data belonging to around 64 million job applicants, stemming from a glaring vulnerability in its AI-powered hiring platform, McHire.
Earlier this month, security researchers Ian Carroll and Sam Curry revealed how default credentials—“123456” used for both username and password—granted access to McHire’s administration interface. The platform, developed by Paradox.ai, uses an AI chatbot named Olivia to automate the job application process.
According to Carroll and Curry, the use of these default credentials, combined with an insecure direct object reference (IDOR) vulnerability on an internal API, enabled anyone with a McHire account and inbox access to retrieve sensitive applicant information. Leaked data included names, email addresses, home addresses, phone numbers, application status, work availability, and authentication tokens that allowed login as the applicant—granting access to chat histories and potentially more.
The researchers disclosed the issue to McDonald’s and Paradox.ai on 30 June. Within two hours, McDonald’s removed the default credentials, and Paradox.ai confirmed all vulnerabilities were resolved by 1 July.
While there is no evidence yet to suggest the data was accessed with malicious intent, the scale and simplicity of the breach have raised alarm bells.
Failure Of Basic Cyber Hygiene
Experts say the breach reflects longstanding issues around poor security practices rather than AI-specific concerns. “This wasn’t a sophisticated hack — it was a failure of basic security hygiene,” said Darren Guccione, CEO of Keeper Security. “Neglecting to change default credentials, enforce multifactor authentication, and apply proper access controls invites trouble.”
Stephen Frethem, field CTO at Varonis, agreed: “These days attackers aren’t breaking in, they’re logging in. Secure identities with strong passwords, apply MFA, and regularly assess data exposure, especially around AI tools.”
Securing AI from the Ground Up
The incident also underscores the need for stricter security measures as AI and automation increasingly permeate the retail and food services sector.
“A new wave of automation is transforming everything from CV screening to supply chain logistics,” said Willy Leichter, chief marketing officer at PointGuard AI. “But when these systems handle sensitive personal data, security must be baked in from the outset.”
Aditi Gupta, senior manager at Black Duck, echoed the sentiment: “AI is touching every part of business operations. That makes it crucial to implement vendor management, compliance checks, AI-specific testing, and response protocols.”
Guccione called for foundational measures: credential management, least-privilege access, and continuous monitoring. “Neglecting these basics can erode public trust in both the organisation and its AI tools,” he said.
Getting Fundamentals Right
Randolph Barr, chief information security officer at Cequence Security, was blunt in his assessment. “This wasn’t about a complex AI vulnerability. It was about default passwords and broken access control—issues OWASP flagged over a decade ago,” he said.
Barr praised organisations for beginning to explore model protections and anomaly detection but warned such measures are futile without firm foundational security. “Security must be part of the development lifecycle from day one—not a bolt-on after launch,” he said.
As the McDonald’s case shows, AI systems bring new opportunities—but also new risks. And for now, experts suggest, getting the basics right remains the most important defence.