thewayne: (Default)
[personal profile] thewayne
McD's hired a company called Paradox.AI to run an "AI" chatbot to conduct hiring interviews for its restaurants. Pretty basic stuff. I'm a little unclear as to how much of the application/interview/hiring process Paradox was responsible for, but it at least conducted an online interview with the applicants.

There was a recent data spill from Paradox that exposed "64 million records, including applicants’ names, email addresses and phone numbers." That's a lot of records. Then again, McDonald's has a lot of locations and high turnover.

Security researchers were able to get into McDonald's access portal by guessing their password. Said password?

1
2
3
4
5
6.

I guess I'd better change the combination on my luggage.

https://krebsonsecurity.com/2025/07/poor-passwords-tattle-on-ai-hiring-bot-maker-paradox-ai/


The most common passwords for 2025, thus far, are:

123456
123456789
qwerty
password
12345
12345678
111111
1234567
123123
1234567890

https://www.passwordmanager.com/most-common-passwords-latest-statistics/


Now, here's the ridiculous part: it would be pretty trivial for the programmers at Paradox to BLOCK THE USE OF PASSWORDS LIKE THIS! These are common patterns, and it would be easy to test the password and say "NO! You have to use a good password!" There are APIs that enforce good password measures, and clearly they are not using them.
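As an added illustration of how little it takes (this is example code written for this post, not anything from Paradox), here is a screening function that rejects the ten passwords listed above plus the patterns they share: short strings, one repeated character, ascending or descending runs, and keyboard walks. The minimum length of 8 is an assumed policy floor, not something the article states.

```python
"""Added example: reject passwords that match the weak patterns quoted in the post."""

# The 2025 top-10 list quoted above, lower-cased for matching.
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "password", "12345",
    "12345678", "111111", "1234567", "123123", "1234567890",
}

MIN_LENGTH = 8  # assumed policy floor (NIST SP 800-63B recommends at least 8)

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def _is_sequence(s: str) -> bool:
    """True if every character is exactly one step up (or down) from the previous one."""
    if len(s) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def _keyboard_walk(s: str, run: int = 4) -> bool:
    """True if s contains `run` keys that sit next to each other on one keyboard row."""
    rows = KEYBOARD_ROWS + tuple(r[::-1] for r in KEYBOARD_ROWS)
    for row in rows:
        for i in range(len(row) - run + 1):
            if row[i:i + run] in s:
                return True
    return False


def weak_password_reasons(pw: str) -> list[str]:
    """Return every reason the password should be refused; an empty list means accept."""
    reasons = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if low in COMMON_PASSWORDS:
        reasons.append("on common-password list")
    if low.startswith("password"):  # catches 'password1', 'Password!' and friends
        reasons.append("built on the word 'password'")
    if len(set(low)) == 1:
        reasons.append("single repeated character")
    if _is_sequence(low):
        reasons.append("sequential characters")
    if _keyboard_walk(low):
        reasons.append("keyboard walk")
    return reasons
```

A real deployment would also check against a much larger breached-password list, but every entry on the post's top-10 list is caught by these few rules alone.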

Paradox should be black-listed as a company not to do business with if they allow passwords like this.

Oh, and other Paradox clients? Several Fortune 500 corps including Aramark, Lockheed Martin, Lowe's, and Pepsi.

Date: 2025-07-18 05:22 pm (UTC)
ranunculus: (Default)
From: [personal profile] ranunculus
I've been on the internet since the mid-1980s. I have NEVER been dumb enough to use a password like that. A few times (early on) I've used an uncommon word teamed with a symbol for a site that was super low risk, but this breach was not just stupid but criminally stupid.

Date: 2025-07-18 06:24 pm (UTC)
arlie: (Default)
From: [personal profile] arlie
I, on the other hand, routinely use the same almost-that-bad password for any site that imposes "security" on things that don't need it. Web browsers and password safes routinely have kittens about it - large ones with lashing tails. Because of course it would be terrible if someone else played a free solitaire game on my account, or similar.

That said, I agree about McDogFood's security ineptitude. This was not a matter of things that don't matter, except perhaps from the POV from some highly entitled staffer or executive. (Who cares if our applicants' records are leaked? They're just "little people".)

Date: 2025-07-18 08:55 pm (UTC)
ranunculus: (Default)
From: [personal profile] ranunculus
Some years ago there was an excellent article in Wired magazine about passwords. The author had been hacked, his bank accounts emptied and his identity stolen. The hackers first hacked a very insecure password. At that site they got -just- enough information to up the hack to the next level. From the second, slightly more secure site they got more info. With that info they went in and reset the rest of his passwords. This was easy because the author had then used the -same- password for multiple sites. All told, it took the hackers perhaps 2 hours to completely wipe him out. The author said he knew he shouldn't have used the same password for multiple sites, but was complacent.
I too don't care if someone else uses my account to play cards, but I do care if they use that site as a stepping stone to hack the rest of my life.

Date: 2025-07-18 09:05 pm (UTC)
arlie: (Default)
From: [personal profile] arlie
It probably helps that I'm inclined to lie like a rug when creating one of those must-create-an-account-to-read-free-article or similar.

I give it a burner email address, that lasts just long enough for the account creation to be verified - deleted when the inevitable spam arrives, if not sooner. And who knows what my name, address and other demographic info look like the day I create the account.

I used to favor rude remarks about overly intrusive demands for information, along with demographics no human would believe. Then I decided I didn't need to even give them that much info. So Israel (Izzy) Forreal has been retired, in favor of semi-random combinations. Though I did enjoy signing up one time as Donald Trump, resident in Antarctica, with a semi-accurate profession.

Come to think of it, these days it's easier to let my software assign a good, unique, password along with the temporarily usable email address. But there was a time ...

Date: 2025-07-18 09:12 pm (UTC)
ranunculus: (Default)
From: [personal profile] ranunculus
My brain is just about random enough to do a good job at password creation. I've seen a random generator generate passwords that were more similar...
Somewhere there is a site that has a wrong birth date for me, exactly because I didn't want to give the correct one. It is amazing where that date turns up.

Date: 2025-07-19 12:44 am (UTC)
disneydream06: (Disney Shocked)
From: [personal profile] disneydream06
So AI reigns supreme?

I wonder how many of those other companies will be smart enough to drop them?
If it's not too late already. :o
Hugs, Jon

Date: 2025-07-22 07:35 pm (UTC)
silveradept: A kodama with a trombone. The trombone is playing music, even though it is held in a rest position (Default)
From: [personal profile] silveradept
Definitely need to change the password on your luggage, and your air shield, too, for good measure.

Test accounts with insecure credentials have got to be one of the easier ways to get into systems and poke around, and yet, they seem to still be a regular way that people get into systems and poke around. I certainly can't imagine any of the other customers of the company were happy with this poor practice.

Then again, I'm also particularly unhappy about companies that are using chatbots and administering these kinds of "personality tests" to try and weed out people who would be good to work for them, but might also have things like independent thoughts or desires to get paid better or unionize. For as much as everyone disclaims that they're not using algorithms to sift through all of the applications they receive, it certainly looks like everyone's using computers to reject people who don't meet the keywords or know the correct responses to the questions in advance. I can certainly see increased frustration for people who are right that they never get the opportunity to talk to a human and convince them of being a good person to hire, because they don't already have all the things that the computer has been trained to look for.

Date: 2025-07-22 08:21 pm (UTC)
silveradept: A kodama with a trombone. The trombone is playing music, even though it is held in a rest position (Default)
From: [personal profile] silveradept
That's a good reason to punish a company. I think it would be lovely to punish all the companies that do this, but to successfully manage it, we'd also need enough places as alternatives, and I doubt we're there yet to be able to do the punishing on a large scale.
