Australians who applied for jobs at McDonald’s have had their personal information exposed after the company’s AI chatbot was hacked using a simple password. McDonald’s uses an AI chatbot, Olivia, to screen job applicants worldwide, including in Australia.
The Sydney Morning Herald reported that thousands of prospective McDonald's employees in Australia had their personal information compromised by the security breach.
The bot, created by US-based software firm Paradox.ai, screens candidates, asks for information including their resumes and contact information, and directs them to a personality test. Last week, security researchers found the platform suffered from basic security flaws.
Security researchers Ian Carroll and Sam Curry revealed they were able to hack into the backend of the AI chatbot platform and access some 64 million records by guessing that the administrator’s username and password were ‘123456’.
The research was first reported by Wired, with Carroll telling the US tech publication he only discovered the lack of security because he was intrigued by McDonald’s decision to use an AI chatbot to screen potential workers.
“I just thought it was pretty uniquely dystopian compared to a normal hiring process, right? And that's what made me want to look into it more,” Carroll said.
“So I started applying for a job, and then after 30 minutes, we had full access to virtually every application that's ever been made to McDonald's going back years.”
McDonald’s Australia hires more than 11,000 workers each year and is one of the biggest employers in Australia. McDonald’s said it has hired around 1.3 million Australians nationwide, which is more than 5 per cent of the population.
Paradox.ai confirmed the breach in a blog post on its website and said the security researchers had reached out about the vulnerability on its system.
“We promptly investigated the issue and resolved it within a few hours of being notified,” it said.
The platform said the information “was not accessed by any third party” other than the researchers, and “at no point was any data leaked online or made public”.
It said the personal information of five US-based applicants had been accessed and viewed by the researchers. Names, email addresses, phone numbers and IP addresses from applicants were accessed.