You’re a security researcher, casually browsing McDonald’s hiring website, when you notice something odd. A forgotten admin link, buried in the page source. One click later, you’re staring at a login screen. On a whim, you try the most basic credentials imaginable: username “123456”, password “123456”
That simple login didn’t just grant access to a test environment—it opened the vault to 64 million job applicants’ personal data. Names, phone numbers, emails, and something even more valuable: complete transcripts of every conversation they’d ever had with McDonald’s AI hiring chatbot.
That simple login didn’t just grant access to a test environment—it opened the vault to 64 million job applicants’ personal data. Names, phone numbers, emails, and something even more valuable: complete transcripts of every conversation they’d ever had with McDonald’s AI hiring chatbot.