- McDonald’s recently introduced a new employment platform called McHire
- It uses an AI-driven chatbot that collects resumes, CVs and contact data
- Researchers managed to easily log in to the backend and get all the data stored by the AI
A third-party supply chain vulnerability exposed sensitive data of 64 million people who applied to work with McDonald’s, researchers have claimed.
The company recently introduced a new AI-driven employment platform, courtesy of its partner Paradox.ai. Called McHire, it included Olivia, an AI-driven chatbot that screens applicants, collects their contact information, CVs and resumes, and has them take a personality test.
The dedicated site, McHire.com, had a login link that two security researchers, Ian Carroll and Sam Curry, used to log in to the backend. They tried to guess the password, and after a first unsuccessful attempt (entering “admin” in both the username and password fields), they succeeded on the second, using “123456” in both fields.
Plugging the hole
While it might come as a shock to some, Carroll told Wired that easy-to-guess passwords like this are “more common than you would think.”
Over the years, there have been countless reports from security experts warning about the use of passwords such as “password”, “Iloveyou”, “123456”, “Qwerty” and the like.
Once they reached the backend, they gained access to all the data harvested by the platform, including personally identifiable information shared in CVs and resumes: names, email addresses and phone numbers. A total of 64 million records were exposed.
While stolen names, email addresses and phone numbers may not sound like much, cyber criminals can use them to create very convincing phishing attacks, especially knowing that the victims applied for a job at McDonald’s at some point.
This can lead to more destructive malware and ransomware attacks, identity theft and even wire fraud.
As soon as the discovery was made, Paradox was notified and quickly plugged the hole. The company told Wired that “only a fraction of the items” that were accessed contained personal information and that the hole had not previously been abused by anyone else.



