McDonald’s AI hiring tool’s password ‘123456’ exposed data of 64M applicants

Rapid patching saved the day: following disclosure on June 30, 2025, Paradox.ai and McDonald’s acknowledged the vulnerability within the hour. By July 1, default credentials were disabled and the endpoint was secured. Paradox.ai also pledged to conduct further security audits, Carroll noted in the blog.

“Even though there’s no indication the data has been used maliciously yet, the scale and sensitivity of the exposure could fuel targeted phishing, smishing/vishing, and even social engineering campaigns,” said Randolph Barr, chief information security officer at Cequence Security. “Combined with AI tooling, attackers could craft incredibly personalized and convincing threats.”

McDonald’s did not immediately respond to queries sent by CSO.

Paradox later posted its version of events to its website, saying that the security researchers were able to log into a Paradox test account related to a single Paradox client instance using a legacy password. “We are confident that, based on our records, this test account was not accessed by any third party other than the security researchers,” Paradox staff wrote, emphasizing, “at no point was candidate information leaked online or made publicly available. Five candidates in total had information viewed because of this incident, and it was only viewed by the security researchers. This incident impacted one organization, no other Paradox clients were impacted.”

Cybersecurity lapses are becoming increasingly common in recruitment environments, likely due to a focus on speed, automation, and scale at the expense of security. Earlier this week, online applicant tracking platform TalentHook was found leaking almost 26 million PII files through a misconfigured Azure Blob storage container.

Emphasizing the need to bring hiring workflows into mainstream cybersecurity, Kobi Nissan, Co-founder and CEO at MineOS, said, “Any AI system that collects or processes personal data must be subject to the same privacy, security, and access controls as core business systems. That means authentication, auditability, and integration into broader risk workflows, not siloed deployments that fly under the radar.”

More on passwords:
- Why ‘123456’ is a great password
- The password hall of shame (and 10 tips for better password security)
- 12 famous passwords used through the ages
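The failure described above is a legacy test account that still accepted a trivial password. The control that prevents it is a password acceptance check of the kind NIST SP 800-63B recommends: compare the candidate against a deny list of known weak and breached passwords, enforce a minimum length, and reject secrets built from context such as the product or customer name. The following is an added illustration written for this page, not code from Paradox.ai, McDonald’s or CSO; the deny list is a constructed handful of well-known weak passwords standing in for a real breached-password corpus, and the function and constant names are this example’s own.

```python
"""Reject passwords like '123456' before they are ever attached to an account.

Added illustration (not code from Paradox.ai, McDonald's or CSO): an
acceptance check in the style of NIST SP 800-63B. The deny list is a
constructed sample; a real deployment loads a large breached-password corpus.
"""
import unicodedata

# Constructed sample deny list. Real lists contain hundreds of millions of entries.
COMMON_PASSWORDS = {
    "123456", "123456789", "password", "qwerty", "12345678",
    "111111", "admin", "welcome", "letmein", "password1",
}

MIN_LENGTH = 8  # NIST 800-63B minimum length for a memorized secret


def normalize(secret: str) -> str:
    """NFKC-normalize and lowercase so lookalike Unicode forms compare equal."""
    return unicodedata.normalize("NFKC", secret).strip().lower()


def _is_sequential(s: str) -> bool:
    """True for runs such as '12345678' or 'abcdefgh' (every step is +1 or -1)."""
    if len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def check_password(candidate: str, context_words=()) -> list[str]:
    """Return the reasons a candidate password must be rejected (empty = accepted).

    context_words: account-specific strings (username, company name, product
    name) that must not appear inside the secret.
    """
    reasons = []
    norm = normalize(candidate)
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if norm in COMMON_PASSWORDS:
        reasons.append("in common-password deny list")
    if norm and len(set(norm)) == 1:
        reasons.append("single repeated character")
    if _is_sequential(norm):
        reasons.append("sequential characters")
    for word in context_words:
        w = normalize(word)
        if len(w) >= 3 and w in norm:
            reasons.append(f"contains context word {word!r}")
    return reasons


if __name__ == "__main__":
    # Constructed inputs: the incident's password, and a service-themed one.
    for pw in ("123456", "Paradox2025!", "Tr0ub4dor&3xQ"):
        problems = check_password(pw, context_words=("paradox",))
        verdict = "rejected: " + "; ".join(problems) if problems else "accepted"
        print(f"{pw!r}: {verdict}")
```

The check runs at every point a secret enters the system, including seeded test and legacy accounts, not only on the interactive change-password form; the account that failed here was one nobody's policy had ever evaluated.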

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4020919/mcdonalds-ai-hiring-tools-password-123456-exposes-data-of-64m-applicants.html
