McDonald’s AI hiring tool’s password? ‘123456’: Exposes data of 64M applicants

Rapid patching saved the day: Following disclosure on June 30, 2025, Paradox.ai and McDonald’s acknowledged the vulnerability within the hour. By July 1, default credentials were disabled and the endpoint was secured. Paradox.ai also pledged to conduct further security audits, Carroll noted in the blog.

“Even though there’s no indication the data has been used maliciously yet, the scale and sensitivity of the exposure (~64 million applicants) could fuel targeted phishing, smishing/vishing, and even social engineering campaigns,” said Randolf Barr, chief information security officer at Cequence Security. “Combined with AI tooling, attackers could craft incredibly personalized and convincing threats.”

McDonald’s and Paradox.ai did not immediately respond to queries sent by CSO.

Cybersecurity lapses are becoming increasingly common in recruitment environments, likely due to a focus on speed, automation, and scale at the expense of security. Earlier this week, online applicant tracking platform TalentHook was found leaking almost 26 million PII files through a misconfigured Azure Blob storage container.

Emphasizing the need to bring hiring workflows into mainstream cybersecurity, Kobi Nissan, Co-founder and CEO at MineOS, said, “Any AI system that collects or processes personal data must be subject to the same privacy, security, and access controls as core business systems. That means authentication, auditability, and integration into broader risk workflows, not siloed deployments that fly under the radar.”

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4020919/mcdonalds-ai-hiring-tools-password-123456-exposes-data-of-64m-applicants.html
