McDonald’s McHire AI breach proves our MFA findings

Security researchers Ian Carroll and Sam Curry guessed an admin password “123456.” In minutes they accessed 64 million job‑applicant chats on McDonald’s McHire platform, run by Paradox.ai’s Olivia AI chatbot, said a report in Wired.
One sloppy credential turned a helpful recruitment bot into a headline data breach. The vendor, Paradox.ai, patched the hole within hours, but the incident is a case‑study in everything our H1 2025 Cloud Compliance Pulse warns about.
Let’s take a closer look:
Violation 1: Password‑only admin vs 68% MFA gap
Our benchmark shows 68% of tenants let privileged accounts skip MFA. The McHire breach is that statistic made real: the admin account for Olivia had no second factor, proving how often a basic password flaw still topples security.
Violation 2: One weak password, many doors
The report also found 40 control failures per tenant on average. If “123456” existed, chances are other vulnerabilities lurk in the same stack (unused keys, over‑broad roles), exactly the “unlocked doors” our data warns about.
Violation 3: Four basics behind 70% of issues
70% of high‑severity findings come from just four gaps: missing MFA, over‑privilege, stale or duplicate credentials, and unmanaged service‑account keys. Olivia broke two of the four at once: no MFA and a god‑mode admin role.
Carroll & Curry echo our casebook
The McHire hack mirrors other 2025 breaches, like Jaguar Land Rover’s Jira‑admin compromise. Different sectors, same playbook: steal or guess a single high‑power credential and drain applicant data or IP.
Close the gaps before the next chatbot breach
Cybersecurity teams, and every HR owner of an AI chatbot, can slash risk fast:
- Enforce MFA on every privileged login (ISO 27002, control 5.17).
- Replace standing admins with just‑in‑time elevation.
- Rotate & vault keys older than 30 days.
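The four gaps listed above and the three checklist items map directly onto checks an identity audit can run over a tenant's account inventory. The script below is an added illustration, not code from Paradox.ai, Wired or the Cloud Compliance Pulse; the `Account` record, the field names and the sample inventory (including an account modelled on the Olivia admin: privileged, no MFA, standing admin role, default credential) are constructed for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

MAX_KEY_AGE_DAYS = 30  # rotation threshold from the checklist above


@dataclass
class Account:
    """One identity (human or service account) from a constructed tenant inventory."""
    name: str
    privileged: bool = False
    mfa_enabled: bool = True
    standing_admin: bool = False      # permanent admin role instead of just-in-time elevation
    default_credential: bool = False  # set by a credential check that found a default/weak password
    key_created: Optional[date] = None  # None when the account has no API or service-account key
    key_owner: Optional[str] = None     # accountable owner for the key; None means unmanaged


def audit_account(acct: Account, today: date) -> List[str]:
    """Return the control gaps found on one account (empty list = clean)."""
    gaps: List[str] = []
    if acct.privileged and not acct.mfa_enabled:
        gaps.append("missing-mfa")            # gap 1: password-only privileged login
    if acct.standing_admin:
        gaps.append("over-privilege")         # gap 2: god-mode role that never expires
    if acct.default_credential:
        gaps.append("default-credential")     # gap 3: stale/weak credential (the "123456" case)
    if acct.key_created is not None:
        if (today - acct.key_created).days > MAX_KEY_AGE_DAYS:
            gaps.append("stale-key")          # key older than the 30-day rotation window
        if acct.key_owner is None:
            gaps.append("unmanaged-key")      # gap 4: service-account key with no owner
    return gaps


def audit_tenant(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map each failing account name to its list of gaps; clean accounts are omitted."""
    results = {a.name: audit_account(a, today) for a in accounts}
    return {name: gaps for name, gaps in results.items() if gaps}


def privileged_mfa_gap(accounts: List[Account]) -> float:
    """Percentage of privileged accounts that can log in without MFA."""
    privileged = [a for a in accounts if a.privileged]
    if not privileged:
        return 0.0
    without_mfa = sum(1 for a in privileged if not a.mfa_enabled)
    return 100.0 * without_mfa / len(privileged)


# Constructed sample inventory; the audit date is likewise chosen for the example.
AUDIT_DATE = date(2025, 7, 15)
INVENTORY = [
    Account("olivia-admin", privileged=True, mfa_enabled=False,
            standing_admin=True, default_credential=True),
    Account("hr-analyst"),
    Account("ats-sync-svc", privileged=True, key_created=date(2025, 4, 1), key_owner=None),
    Account("sre-breakglass", privileged=True, key_created=date(2025, 7, 1),
            key_owner="platform-team"),
]

if __name__ == "__main__":
    for name, gaps in audit_tenant(INVENTORY, AUDIT_DATE).items():
        print(f"{name}: {', '.join(gaps)}")
    print(f"privileged accounts without MFA: {privileged_mfa_gap(INVENTORY):.1f}%")
```

Run as-is, the script reports the Olivia-style admin with three gaps, the service account with a 105-day-old, ownerless key, and a 33.3% MFA gap across the three privileged accounts. The same checks can be fed from a real IdP or cloud IAM export; the point of keeping them as plain predicates is that each one corresponds to a single remediation line from the checklist, so the output doubles as a work queue.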
Next week we’ll release the full H1 2025 Cloud Compliance Pulse, breaking down the data by provider, sector, and region.
When was the last time your organisation audited default credentials across all the SaaS and AI tools in its hiring, marketing, or finance stack? How many “Olivias” might be smiling at attackers behind the scenes?
Don’t let hidden identities cost you millions
Discover and lock down human & NHI risks at scale—powered by AI, zero breaches.