McDonald’s AI Hiring Tool Breach: A Wake-Up Call for Non‑Human Identity Security

The Flaw: McHire’s AI Bot + a Password of “123456”
In June 2025, security researchers Ian Carroll and Sam Curry uncovered a vulnerability in McHire, McDonald’s AI-powered hiring platform, that exposed data on an estimated 64 million job applicants. McHire’s AI chatbot, “Olivia,” screens applicants, but the weak point was not the chatbot’s logic: the platform’s administrative login still accepted the default username “123456” and password “123456” on a leftover test account.
That default credential gave the researchers administrator access to the hiring platform, exposing applicant names, contact information, and chat transcripts. Once inside, they found an insecure direct object reference (IDOR) vulnerability: an API endpoint returned an applicant’s record when given its numeric ID, without checking that the caller was authorized to see that record, so records could be retrieved simply by incrementing the ID.
Attackers with the same access could have used the applicant data for targeted phishing, social engineering, or identity theft. The response was swift once the researchers reported the issue: the default credentials were disabled and the API flaw was patched. But the incident points to a larger problem: poor management of non-human identities such as service accounts, bots, and API keys.
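As an added illustration, not code from McHire, its vendor, or the researchers’ write-up, the Python below sketches the two weaknesses chained together: a login that accepts a shipped default credential, and an applicant lookup with no object-level authorization. Each sits beside a hardened version, and an enumeration loop shows what each version leaks. The user table, applicant records, endpoint shape and default-credential deny-list are all constructed for this article.

```python
"""Added example (not McHire's or its vendor's code): a default credential
accepted at login and an IDOR in the applicant lookup, each beside a hardened
version. Users, record layout and applicant data are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Applicant:
    lead_id: int
    restaurant_id: int  # the tenant (franchise) the record belongs to
    name: str
    phone: str


@dataclass(frozen=True)
class Session:
    user: str
    restaurant_id: int  # the single tenant this login may administer


class Forbidden(Exception):
    """Raised when a caller asks for a record outside its own tenant."""


def _digest(password: str) -> str:
    # Illustration only; a real system stores a slow hash (argon2/bcrypt).
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed user table: a leftover test account with a default credential
# (tenant 1) and an ordinary restaurant admin (tenant 2).
USERS = {
    "123456": (_digest("123456"), 1),
    "store2-admin": (_digest("Tr0ub4dor&3!"), 2),
}

# Constructed applicant records spread across three tenants.
APPLICANTS = {
    100: Applicant(100, 1, "Test Applicant", "000-0000"),
    101: Applicant(101, 2, "Alice Example", "555-0101"),
    102: Applicant(102, 3, "Bob Example", "555-0102"),
}

# Assumed deny-list of vendor/default passwords that must never authenticate.
DEFAULT_CREDENTIALS = {"123456", "password", "admin", "changeme"}


def login_vulnerable(username: str, password: str) -> Optional[Session]:
    """Accepts any matching credential, including the shipped default."""
    entry = USERS.get(username)
    if entry and hmac.compare_digest(entry[0], _digest(password)):
        return Session(username, entry[1])
    return None


def login_hardened(username: str, password: str) -> Optional[Session]:
    """Same check, but a known default value is refused even when it matches,
    so a forgotten test account is unusable until its credential is changed."""
    if password in DEFAULT_CREDENTIALS:
        return None
    return login_vulnerable(username, password)


def get_applicant_vulnerable(session: Session, lead_id: int) -> Optional[Applicant]:
    """IDOR: the caller is authenticated, but nothing checks that lead_id
    belongs to the caller's restaurant, so ids can be walked in order."""
    return APPLICANTS.get(lead_id)


def get_applicant_hardened(session: Session, lead_id: int) -> Applicant:
    """Object-level authorization: a record outside the caller's tenant is
    treated exactly like a missing one, so enumeration reveals nothing."""
    rec = APPLICANTS.get(lead_id)
    if rec is None or rec.restaurant_id != session.restaurant_id:
        raise Forbidden(f"lead {lead_id} not accessible to {session.user}")
    return rec


def enumerate_leads(lookup: Callable, session: Session, start: int, stop: int) -> List[int]:
    """What the researchers did: increment the id and keep whatever comes back."""
    found = []
    for lead_id in range(start, stop):
        try:
            rec = lookup(session, lead_id)
        except Forbidden:
            continue
        if rec is not None:
            found.append(rec.lead_id)
    return found


if __name__ == "__main__":
    test_session = login_vulnerable("123456", "123456")
    print("vulnerable lookup:", enumerate_leads(get_applicant_vulnerable, test_session, 100, 110))
    print("hardened login:", login_hardened("123456", "123456"))
    print("hardened lookup:", enumerate_leads(get_applicant_hardened, test_session, 100, 110))
```

Note that the hardened lookup raises the same error for a foreign ID as for a nonexistent one; returning a distinguishable "forbidden" response would still let an attacker confirm which IDs exist.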
In today’s cloud-native environments, where non-human accounts are commonly estimated to outnumber human identities by 20:1, these overlooked credentials and privileges pose a growing threat.
This article examines the breach, its implications, and actionable lessons for organizations adopting AI technologies to strengthen their identity security.
Why This Breach Matters
The consequences of the McDonald's breach extended beyond the immediate exposure of applicant data. The compromised records included personally identifiable information (PII) such as names, email addresses, and phone numbers, creating a risk of identity theft and fraud for millions of individuals.
For McDonald's, the breach damaged customer trust and undermined the brand's reputation as a secure employer. Additionally, the company faced potential legal and regulatory repercussions under data protection laws such as GDPR, which could result in substantial fines.
This incident serves as a cautionary tale for organizations adopting AI solutions. Notably, enterprise AI adoption grew by 187% between 2023 and 2025, while security spending increased by only 43% over the same period, leaving a significant security deficit across industries.
Best Practices to Minimize the Risk of NHI Exposure
The McHire incident is just one example of how non-human identities can become the weakest link in an otherwise secure system. Here are key practices organizations should adopt to avoid similar breaches:
- Treat Non-Human Identities as first-class citizens: Service accounts, API keys, and AI bots need strong, unique credentials that are rotated on a schedule, and any default credential must be changed immediately upon deployment.
- Eliminate default and hard-coded credentials: Default logins and hard-coded secrets are prime targets for attackers. In McHire’s case, a simple “123456” password exposed millions of records. Adopt a policy of credential vaulting and automated secret rotation to keep credentials secure and up to date.
- Federate and adopt strong authentication methods: Where possible, federate non-human identity accounts, require mutual TLS or workload identity federation, and replace long-lived static secrets with short-lived tokens.
- Maintain a comprehensive NHI Inventory: Organizations must have visibility into all non-human identities in their environments. Every AI bot, API key, and service account should be tracked, with clear ownership assigned to a team or individual. This prevents orphaned accounts, like McHire’s test admin, from lingering unnoticed.
- Monitor and audit Non-Human Identities continuously: Regularly scan code repositories, cloud storage, and configuration files for exposed secrets. Monitor NHI activity for unusual patterns, such as privilege escalations or access to sensitive resources. Quick detection and response can reduce the blast radius if a credential is compromised.
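The inventory and scanning practices above, as an added example that is not code from this page or any vendor: the first function scans configuration text for hard-coded and default credentials, the second audits a non-human identity inventory for orphaned, stale and rotation-overdue identities. The regex patterns, policy thresholds, sample configuration and sample inventory are all assumptions constructed for this article.

```python
"""Added example (not the page's or any vendor's code): a secret scan over
constructed config text and an audit of a constructed NHI inventory.
Patterns, thresholds and sample data are assumptions."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed detectors. AWS access key IDs are "AKIA" plus 16 characters and
# GitHub classic tokens are "ghp_" plus 36; the generic rule catches
# password/secret/api-key assignments so their values can be inspected.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "credential_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key)\s*[:=]\s*['\"]?([^'\"\s]+)"),
}
DEFAULT_VALUES = {"123456", "password", "admin", "changeme", "default"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    detail: str


def scan_for_secrets(text: str) -> List[Finding]:
    """One Finding per suspicious line. A value that references an
    environment variable (e.g. "${DB_PASSWORD}") is correct usage, not a leak."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            if kind != "credential_assignment":
                findings.append(Finding(line_no, kind, match.group(0)))
                continue
            key, value = match.group(1), match.group(2)
            if value.startswith("${"):
                continue
            if value.lower() in DEFAULT_VALUES:
                findings.append(Finding(line_no, "default_credential", f"{key}={value}"))
            else:
                findings.append(Finding(line_no, "hardcoded_secret", key))
    return findings


# Constructed config snippet. The AWS value is the example key from AWS's
# own documentation, not a live credential.
SAMPLE_CONFIG = """\
db_password = "${DB_PASSWORD}"
admin_user = 123456
admin_password = 123456
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789
api_key: s3cr3t-Lx9
"""


@dataclass(frozen=True)
class NonHumanIdentity:
    name: str
    owner: Optional[str]  # team or person accountable for it
    secret_created: datetime
    last_used: Optional[datetime]


ROTATION_MAX_AGE = timedelta(days=90)  # assumed policy
STALE_AFTER = timedelta(days=60)       # assumed policy


def audit_inventory(identities: List[NonHumanIdentity], now: datetime) -> Dict[str, List[str]]:
    """Map each identity with a problem to the list of problems found."""
    issues = {}
    for nhi in identities:
        problems = []
        if not nhi.owner:
            problems.append("orphaned")
        if now - nhi.secret_created > ROTATION_MAX_AGE:
            problems.append("rotation_overdue")
        if nhi.last_used is None or now - nhi.last_used > STALE_AFTER:
            problems.append("stale")
        if problems:
            issues[nhi.name] = problems
    return issues


NOW = datetime(2025, 7, 1, tzinfo=timezone.utc)
# Constructed inventory: a forgotten test admin, a healthy chatbot identity,
# and a CI key whose credential has outlived the rotation window.
SAMPLE_INVENTORY = [
    NonHumanIdentity("test-restaurant-admin", None, NOW - timedelta(days=400), None),
    NonHumanIdentity("screening-chatbot", "talent-platform", NOW - timedelta(days=30), NOW - timedelta(days=1)),
    NonHumanIdentity("ci-deploy-key", "platform-eng", NOW - timedelta(days=120), NOW - timedelta(days=2)),
]

if __name__ == "__main__":
    for f in scan_for_secrets(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.kind} ({f.detail})")
    print(audit_inventory(SAMPLE_INVENTORY, NOW))
```

The scanner deliberately skips `${...}` references so that correct vaulting is not reported as a finding, and it distinguishes a default value (an immediate risk, as in McHire) from a merely hard-coded one (a rotation and vaulting problem).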
How Oasis NHI Security Cloud can help
Oasis Security addresses the unique challenges of managing Non-Human Identities, enabling organizations to prevent breaches like the McDonald's AI hiring tool incident. Our platform is designed to deliver comprehensive NHI security through advanced discovery, governance, and threat detection capabilities.
- Agentless discovery of all Non-Human Identities (NHIs): Our platform automatically identifies and inventories NHIs across cloud, SaaS, and on-premises environments. This provides a single, centralized view of all identities, ensuring complete visibility and control.
- Policy-driven orchestration: We automate credential management, including secure rotation and decommissioning. By enforcing lifecycle policies, we minimize the risk of credential misuse while simplifying operations.
- Automated threat detection (ITDR) for compromised NHI usage: Our solution continuously monitors NHI activity for anomalies, such as unusual access patterns or privilege escalations. Real-time alerts enable rapid detection and response, protecting systems from advanced threats.
The McDonald's breach highlights the critical need for robust NHI security. Our platform is purpose-built to address these challenges, empowering organizations to secure their identities, protect sensitive data, and prevent breaches. Request a demo today to learn how Oasis Security can help your enterprise strengthen its Non-Human Identity management.