Researchers expose paper-thin security protecting data collected by McDonald’s AI
Researchers have exposed the paper-thin security protecting data collected by McDonald’s AI chatbot, which is used to screen job applicants worldwide.
Olivia, Maccas’ bot created by Paradox.ai, collects personal information and shift preferences and administers personality tests to job hopefuls, including in Australia.
But this week it was revealed that would-be hackers could have accessed the data of millions of people, and all of Olivia’s chats, with a trivially guessable password: 123456.
US researchers Ian Carroll and Sam Curry said they made the discovery after “a cursory security review of a few hours” and realised “the McHire administration interface for restaurant owners accepted the default credentials 123456:123456”.
“Together they allowed us and anyone else with a McHire account and access to any inbox to retrieve the personal data of more than 64 million applicants,” they said.
Mr Carroll told tech news outlet Wired he and his colleague became interested in Olivia after seeing complaints about its “nonsensical answers” on Reddit.
“I just thought it was pretty uniquely dystopian compared to a normal hiring process, right? And that’s what made me want to look into it more,” he said.
“So I started applying for a job, and then after 30 minutes, we had full access to virtually every application that’s ever been made to McDonald’s going back years.”
The researchers also remarked on the “disturbing experience” of undertaking a personality test through Olivia “where we were asked if phrases like ‘enjoys overtime’ are either Me or Not Me.
“It was simple to guess that we should probably select Me for the pro-employer questions and Not Me for questions referencing being argumentative or aggressive, but it was still quite strange,” they wrote.
Paradox.ai confirmed the breach in a blog post on its website, saying Mr Carroll and Mr Curry had “reached out … about a vulnerability in our system”.
The company said a “legacy password” was used to get into the system via a “test account” and stressed the issue was rectified within hours of being notified.
“We are confident that, based on our records, this test account was not accessed by any third party other than the security researchers,” it said.
“It had not been logged into since 2019 and frankly, should have been decommissioned.”
Names, email addresses, phone numbers and IP addresses from applicants were accessed, the company confirmed.
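The failure mode Paradox.ai describes, a test account that had not been used since 2019 but still accepted a default password, is exactly what a routine credential audit should catch before an outside researcher does. As an added example (not Paradox.ai’s or McDonald’s code, and not derived from the McHire system), the following Python sweeps an account inventory for two things: stored password hashes that match a list of default passwords (including the username itself, which catches 123456:123456-style pairs), and accounts unused for more than a year. The salted SHA-256 hashing, the default-password list beyond 123456, the sample accounts and the audit date are constructed assumptions for the demonstration.

```python
"""Audit an account inventory for default credentials and dormant accounts.

Added example, not code from Paradox.ai or McDonald's. The hashing scheme
(salted SHA-256), the extra default passwords, the sample accounts and the
audit date are all constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional

# 123456 is the password reported in the article; the rest are common
# defaults added here as assumptions, not taken from the article.
DEFAULT_PASSWORDS = ["123456", "password", "admin", "changeme", "test"]

# Anything not logged into for a year is a decommissioning candidate.
DORMANT_DAYS = 365


@dataclass
class Account:
    username: str
    salt: str
    pw_hash: str  # hex sha256(salt + password); assumed storage format
    last_login: Optional[date]
    role: str


def hash_password(salt: str, password: str) -> str:
    """Assumed hashing scheme for the demo inventory."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_account(username: str, password: str,
                 last_login: Optional[date], role: str) -> Account:
    """Build a record the way the (assumed) system would store it."""
    salt = hashlib.sha256(username.encode()).hexdigest()[:16]
    return Account(username, salt, hash_password(salt, password), last_login, role)


def uses_default_password(acct: Account,
                          candidates: Iterable[str] = DEFAULT_PASSWORDS) -> Optional[str]:
    """Return the default password the account accepts, or None.

    The username is tried as well, since default credentials are often
    username:username pairs (as 123456:123456 was).
    """
    for pw in list(candidates) + [acct.username]:
        if hash_password(acct.salt, pw) == acct.pw_hash:
            return pw
    return None


def is_dormant(acct: Account, today: date, max_days: int = DORMANT_DAYS) -> bool:
    """An account that has never logged in, or not for max_days, is dormant."""
    if acct.last_login is None:
        return True
    return (today - acct.last_login).days > max_days


def audit(accounts: Iterable[Account], today: date) -> List[dict]:
    """Flag every account that fails either check; both flags are reported."""
    findings = []
    for acct in accounts:
        default_pw = uses_default_password(acct)
        dormant = is_dormant(acct, today)
        if default_pw is not None or dormant:
            findings.append({
                "username": acct.username,
                "role": acct.role,
                "default_password": default_pw,
                "dormant": dormant,
            })
    return findings


def run_audit() -> List[dict]:
    """Run the audit over a constructed inventory (sample data, not real)."""
    today = date(2025, 7, 10)  # constructed audit date
    inventory = [
        # mirrors the reported case: self-named default account, idle since 2019
        make_account("123456", "123456", date(2019, 3, 14), "admin"),
        make_account("store_0412_mgr", "Vt9#mRw2pLq7zE", date(2025, 7, 1), "manager"),
        make_account("qa_test", "test", date(2025, 2, 1), "admin"),
        make_account("legacy_import", "Hn4$xQe8vB1!tZ", None, "service"),
    ]
    return audit(inventory, today)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

Running it flags three of the four constructed accounts: the 123456 account on both counts, qa_test for its default password only, and legacy_import for never having logged in. In a real deployment the candidate list would be the vendor’s known defaults plus any shared test passwords, and the dormant-account check would feed a decommissioning workflow rather than a printout.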
A spokesperson for McDonald’s Australia, which employs more than 100,000 Aussies, said the company was “disappointed by this unacceptable vulnerability from a third-party provider”.
“As soon as we learned of the issue, we mandated Paradox.ai to remediate the issue immediately, and it was resolved on the same day it was reported to us,” they said.
“We take our commitment to cybersecurity seriously and will continue to hold our third-party providers accountable to meeting our standards of data protection.”
Mr Curry acknowledged that the data he and Mr Carroll were able to access was not the most sensitive, but said a phishing scam using the details “would have actually been massive”.
“It’s not just people’s personally identifiable information and resume,” he said.
“It’s that information for people who are looking for a job at McDonald’s, people who are eager and waiting for emails back.”