McDonald’s Job Chatbot Breach: A.I. Hiring Tool Left Applicant Data Dangerously Exposed
A recent WIRED investigation revealed a stunning lapse in cybersecurity involving “Olivia,” an artificial intelligence chatbot used to screen job applicants for McDonald’s. Created by the firm Paradox.ai, Olivia was found to have critical vulnerabilities that could have exposed the personal information of potentially millions of job seekers—all thanks to a test account secured by the username and password “123456.”
Fast Food, Faster Hack
Security researchers Ian Carroll and Sam Curry gained access to the backend of the McHire.com platform—used by some McDonald's franchises—within about 30 minutes. Their goal was to test Olivia for common A.I. weaknesses such as prompt injection. That attempt went nowhere, but they stumbled upon a far more basic, and still devastating, flaw: a trivially guessable password and no multi-factor authentication on an internal Paradox.ai account.
Once logged in, the duo discovered that admin-level access granted them visibility into job applications, including names, emails, phone numbers, and even entire chat logs from as far back as 2019. According to WIRED, the database could contain as many as 64 million records.
“I started applying for a job,” said Carroll, “and then after 30 minutes, we had full access to virtually every application that’s ever been made to McDonald’s going back years.”
Easy as 1-2-3… 456
Aside from the credentials issue, Carroll and Curry found that applicant records were numbered sequentially—a textbook insecure direct object reference (IDOR), and the same pattern behind other infamous leaks such as Panera Bread's 2017 breach. Because the backend did not check whether the logged-in account was entitled to the record it asked for, simply changing the ID in a request returned another applicant's data. That is what turns one leaked login into a bulk dump, and it amplifies the risk of phishing or impersonation scams.
“The phishing risk would have actually been massive,” said Curry. “If you wanted to do some sort of payroll scam, this is a good approach.”
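The pattern described above, as an added example that is not code from McHire, Paradox.ai or WIRED: a lookup keyed only on a sequential integer, the enumeration an attacker runs against it, and a hardened store that issues opaque IDs and checks tenant ownership on every read. The data, the franchise names and the `Session`/`Application` shapes are constructed for illustration.

```python
"""
Added example (not McHire's code): an insecure direct object reference (IDOR)
on sequentially numbered applicant records, and the fix.
All records, tenant names and IDs below are constructed.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass
class Application:
    applicant: str
    email: str
    franchise: str  # the restaurant (tenant) that owns this record


@dataclass
class Session:
    user: str
    franchise: str  # tenant the logged-in hiring manager belongs to


# Constructed sample data: three applications across two franchises,
# stored the vulnerable way, under sequential integer IDs.
SEQUENTIAL_STORE = {
    1001: Application("Alice Example", "alice@example.com", "store-042"),
    1002: Application("Bob Example", "bob@example.com", "store-042"),
    1003: Application("Carol Example", "carol@example.com", "store-777"),
}


class Forbidden(Exception):
    pass


# --- Vulnerable: the ID in the request is the only thing that selects the record.
def get_application_vulnerable(session: Session, app_id: int) -> Application:
    # `session` is accepted but never consulted: no ownership check at all.
    return SEQUENTIAL_STORE[app_id]


def enumerate_vulnerable(session: Session, start: int, count: int) -> list[str]:
    """What an attacker does: walk the ID space and collect every address."""
    found = []
    for app_id in range(start, start + count):
        try:
            found.append(get_application_vulnerable(session, app_id).email)
        except KeyError:
            continue  # gap in the sequence; keep walking
    return found


# --- Hardened: opaque IDs plus an authorization check on every read.
class ApplicationStore:
    def __init__(self) -> None:
        self._by_id: dict[str, Application] = {}

    def add(self, app: Application) -> str:
        # 128-bit random token: cannot be guessed or incremented.
        app_id = secrets.token_urlsafe(16)
        self._by_id[app_id] = app
        return app_id

    def get(self, session: Session, app_id: str) -> Application:
        app = self._by_id.get(app_id)
        # Same failure for "missing" and "not yours", so a probe cannot
        # learn which IDs exist.
        if app is None or app.franchise != session.franchise:
            raise Forbidden("not found")
        return app


def demo() -> dict:
    """Constructed walkthrough: a store-042 manager enumerates the vulnerable
    store, then tries the same cross-tenant read against the hardened one."""
    manager = Session("manager@store-042", "store-042")
    leaked = enumerate_vulnerable(manager, 1000, 10)

    store = ApplicationStore()
    ids = {app.email: store.add(app) for app in SEQUENTIAL_STORE.values()}
    own = store.get(manager, ids["alice@example.com"]).applicant
    try:
        store.get(manager, ids["carol@example.com"])  # other franchise's record
        cross_tenant_blocked = False
    except Forbidden:
        cross_tenant_blocked = True
    return {
        "leaked_via_idor": leaked,
        "own_record": own,
        "cross_tenant_blocked": cross_tenant_blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The random ID is not the fix on its own; the ownership check in `get` is. Opaque IDs only stop an attacker from discovering other records by counting, which matters when an ID leaks through a URL, a log or a referrer, but any record whose ID becomes known must still be refused unless the caller's tenant owns it.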
Corporate Response
Paradox.ai admitted the fault and said the vulnerable account “had not been logged into since 2019 and frankly, should have been decommissioned.” The firm pledged to implement a bug bounty program and called the matter “swiftly and effectively” resolved.
“We do not take this matter lightly… We own this,” said the company’s chief legal officer to WIRED.
McDonald’s issued its own statement expressing disappointment:
“We’re disappointed by this unacceptable vulnerability from a third-party provider, Paradox.ai… We take our commitment to cyber security seriously and will continue to hold our third-party providers accountable.”
Lessons Beyond the Drive-Thru
While no evidence suggests malicious exploitation occurred, the incident highlights persistent issues in data handling and security hygiene. A default, trivially guessable password, no multi-factor authentication, a dormant account nobody decommissioned, and predictable record IDs with no authorization check each contributed to a vulnerability that—though quickly addressed—could have had massive consequences.
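An account-hygiene audit that flags the first three of those conditions, added here as an example and not Paradox.ai's or McDonald's own tooling. It runs over a constructed identity export in which passwords are stored as salted PBKDF2 hashes, so the deny-list check works the way it has to in practice: by hashing each candidate with the record's own salt rather than by reading plaintext. The field names, the 365-day dormancy threshold and the short deny-list are assumptions.

```python
"""
Added example (not Paradox.ai's code): flag dormant accounts, accounts without
MFA, and accounts whose stored password hash matches a deny-listed password.
Records, salts, threshold and deny-list are all constructed for illustration.
"""
import hashlib
import hmac
from datetime import date

ROUNDS = 50_000  # PBKDF2 iteration count assumed for the stored hashes


def pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)


def make_record(user: str, password: str, last_login: date, mfa: bool) -> dict:
    # Constructed per-user salt; a real store would use random salts.
    salt = hashlib.sha256(user.encode()).digest()[:16]
    return {"user": user, "salt": salt, "hash": pbkdf2(password, salt),
            "last_login": last_login, "mfa": mfa}


# Constructed sample export: one forgotten test account, one healthy admin,
# one vendor account with a weak password but recent activity.
ACCOUNTS = [
    make_record("franchise-test", "123456", date(2019, 3, 1), False),
    make_record("hr-admin", "correct horse battery staple", date(2025, 7, 1), True),
    make_record("vendor-support", "Password1", date(2024, 12, 15), False),
]

# Deliberately tiny deny-list; use a breached-password corpus in practice.
DENY_LIST = ["123456", "password", "Password1", "qwerty", "admin"]

TODAY = date(2025, 7, 10)  # assumed audit date, so results are reproducible


def audit(accounts: list, today: date, dormant_days: int = 365,
          deny_list: list = DENY_LIST) -> dict:
    """Return {user: [issue, ...]} for every account with at least one issue."""
    findings = {}
    for acct in accounts:
        issues = []
        if (today - acct["last_login"]).days > dormant_days:
            issues.append("dormant")
        if not acct["mfa"]:
            issues.append("no_mfa")
        # Re-derive the hash for each deny-listed password under this
        # record's salt; a match means the stored password is on the list.
        for candidate in deny_list:
            if hmac.compare_digest(pbkdf2(candidate, acct["salt"]), acct["hash"]):
                issues.append("denylisted_password")
                break
        if issues:
            findings[acct["user"]] = issues
    return findings


def audit_sample() -> dict:
    return audit(ACCOUNTS, TODAY)


if __name__ == "__main__":
    for user, issues in audit_sample().items():
        print(f"{user}: {', '.join(issues)}")
```

The "dormant" finding is the one that would have caught the account Paradox.ai said had not been logged into since 2019; an account that trips all three checks at once is exactly the profile described above and should be disabled rather than merely flagged.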
Belkin Pulls Plug on Most Wemo Smart Devices, Raising Red Flags for Smart Home Buyers
The age-old tech question gets new relevance this week: Is it smart to buy smart devices? A report from 9to5Mac confirms that longtime electronics brand Belkin is ending support for most of its Wemo smart home products by January 31, 2026—a move that leaves consumers questioning the reliability of even the most established tech brands.
Wemo Wave Goodbye
Wemo, Belkin’s smart home line launched in 2011, includes smart plugs, motion sensors, light switches, cameras, and more. After January 2026, the Wemo app will be discontinued, and cloud-based features like remote access and voice control will no longer function. Additionally, Belkin will stop offering technical support, firmware updates, and troubleshooting for these products.
Only four Wemo devices will retain core functionality:
- Wemo Smart Light Switch 3-Way
- Wemo Stage Smart Scene Controller
- Wemo Smart Plug with Thread
- Wemo Smart Video Doorbell Camera
These will continue working only via Apple’s HomeKit, as they don’t rely on Wemo’s soon-to-be-defunct cloud services.
“We must focus our resources on different parts of the Belkin business,” said the company in a statement that acknowledged the disruption but offered no long-term solution for existing users.
We have long advised consumers to tread carefully in the Internet of Things (IoT) market. Key tips include:
- Think hard about whether a device truly needs to be smart or internet-connected.
- Use strong, unique passwords for all smart devices.
- Ensure automatic firmware updates are enabled or check for them manually.
- Avoid discontinued products, as they’ll lack ongoing security patches.
- Steer clear of companies with no track record—and now, perhaps even rethink your trust in ones with long histories.
“A new company has no support history… but even established brands like Belkin can leave users hanging,”…
Proprietary = Perishable
The show criticized devices built on proprietary platforms, which often become obsolete when manufacturers pull support. Instead, they recommend buying devices built on Matter, the open smart-home standard maintained by the Connectivity Standards Alliance and backed by industry heavyweights like Apple, Google, Amazon, IKEA, and others. Because a Matter device is controlled locally by whichever Matter controller you choose rather than through its maker's cloud, it is more likely to keep working even if the original manufacturer bails. One caveat: the standard keeps the device controllable, but security firmware updates still have to come from the manufacturer, so an abandoned Matter device is still an unpatched one.
“Your Wemo plug might work perfectly on January 30… and then be useless on February 1. Not because it’s broken, but because Belkin decided to walk away,”