Paradox.ai Breach: McDonald’s Hiring Platform Compromised Through “123456” Password

Security researchers have discovered that weak password practices and malware infections have compromised data from millions of job applicants at McDonald’s, raising concerns about Paradox.ai’s internal cybersecurity practices. Paradox.ai is an AI hiring chatbot vendor whose clients include numerous Fortune 500 companies.


McDonald’s Account Breach Revealed 64 Million Records

Researchers Ian Carroll and Sam Curry uncovered a major security lapse on McHire.com, the hiring portal used by many McDonald’s franchisees, by guessing the password for Paradox.ai’s backend system: “123456.” Their investigation revealed access to 64 million records, including job seekers’ names, phone numbers, and email addresses.

While Paradox confirmed the issue, the company stated that this was an outdated test account last accessed in 2019. They claimed the data viewed was limited to a handful of chat interactions and not full job applications. In a blog post, Paradox said the account “should have been decommissioned” and asserted no Social Security numbers were involved.


Malware Infection Exposes Internal Developer Credentials

However, leaked credentials from Paradox.ai paint a broader picture. In June 2025, a developer in Vietnam fell victim to “Nexus Stealer,” a well-known infostealer malware that harvested hundreds of credentials. These included logins for Fortune 500 client environments, as well as access to platforms such as Okta (used for SSO), Atlassian, and other developer tools.

According to data indexed by breach aggregation platforms like Intelligence X, the stolen credentials featured poor password hygiene, frequently reusing a basic 7-digit numeric password across multiple client environments, including Aramark, Lockheed Martin, Lowe’s, and Pepsi.

Modern password-cracking tools can instantly break such numeric passwords. Password strength data from Hive Systems shows that seven-digit numeric passwords offer essentially zero resistance to brute-force attacks.
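As an added illustration, not code from the article or from any vendor it names, the Python routine below audits a set of credentials for the two failings described above: all-numeric or blocklisted passwords that sit within trivial brute-force reach, and one password reused across several client environments. The environment names, password values and guessing rate are constructed assumptions.

```python
import string

# Constructed sample: environment -> password, modelled on the reuse pattern
# the article describes (values are made up, not taken from any real dump).
SAMPLE_CREDS = {
    "client-a.example": "1234567",
    "client-b.example": "1234567",
    "client-c.example": "1234567",
    "sso.example": "123456",
    "issues.example": "Tr0ub4dor&3xample!",
}

# Small blocklist of passwords that must never be accepted.
BLOCKLIST = {"123456", "1234567", "password", "qwerty"}

# Assumed offline guessing rate (guesses/second) against a fast unsalted hash;
# an illustrative assumption, not a figure from the article or Hive Systems.
GUESSES_PER_SECOND = 10**10


def keyspace(pw: str) -> int:
    """Upper bound on the search space an attacker must cover: charset^length."""
    charset = 0
    if any(c in string.digits for c in pw):
        charset += 10
    if any(c in string.ascii_lowercase for c in pw):
        charset += 26
    if any(c in string.ascii_uppercase for c in pw):
        charset += 26
    if any(c in string.punctuation for c in pw):
        charset += len(string.punctuation)
    return charset ** len(pw)


def crack_seconds(pw: str) -> float:
    """Worst-case time to exhaust the keyspace at the assumed guessing rate."""
    return keyspace(pw) / GUESSES_PER_SECOND


def audit_credentials(creds: dict) -> dict:
    """Return findings per environment: weak passwords and cross-environment reuse."""
    by_password = {}
    for env, pw in creds.items():
        by_password.setdefault(pw, []).append(env)
    findings = {}
    for env, pw in creds.items():
        issues = []
        if pw in BLOCKLIST:
            issues.append("blocklisted")
        if pw.isdigit():
            issues.append("all-numeric")
        if len(pw) < 12:
            issues.append("too-short")
        if crack_seconds(pw) < 3600:
            issues.append("crackable-under-1h")
        if len(by_password[pw]) > 1:
            issues.append("reused-in-%d-other-env" % (len(by_password[pw]) - 1))
        if issues:
            findings[env] = issues
    return findings
```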


SSO and MFA Were Not Enough to Prevent Risk

Paradox claims it has enforced SSO with multi-factor authentication since 2020. However, the malware also stole valid authentication cookies from the developer’s device, potentially bypassing MFA entirely. One of the cookies associated with a login to paradoxai.okta.com was valid through December 2025. Other cookies tied to Atlassian accounts showed similar expiration dates.

Security experts say stolen session cookies, combined with reused weak passwords, are a potent attack vector, one capable of giving attackers deep access to sensitive systems even when MFA is in place.
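An added example, not part of the article and not code from Paradox, Okta or Atlassian, of two defender-side checks that follow from this point: measuring how long a session cookie stays valid against a lifetime cap, and spotting in authentication logs a session identifier replayed from a client other than the one it was issued to. The Set-Cookie header, the log lines, the reference time and the 12-hour cap are constructed assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Policy cap: an SSO session cookie should not outlive this many hours.
# Assumed value for illustration, not a Paradox or Okta setting.
MAX_SESSION_HOURS = 12

# Constructed reference "now" and Set-Cookie header with a months-long lifetime.
REFERENCE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_SET_COOKIE = ("sid=abc123; Path=/; Secure; HttpOnly; "
                     "Expires=Wed, 31 Dec 2025 23:59:59 GMT")

# Constructed auth log lines: "timestamp session_id client_ip user_agent".
SAMPLE_LOG = """\
2025-06-01T08:00:00Z abc123 203.0.113.10 Mozilla/5.0 (Windows NT 10.0)
2025-06-01T08:05:00Z abc123 203.0.113.10 Mozilla/5.0 (Windows NT 10.0)
2025-06-03T02:14:00Z abc123 198.51.100.77 curl/8.4.0
2025-06-03T02:15:00Z def456 203.0.113.10 Mozilla/5.0 (Windows NT 10.0)
"""


def cookie_lifetime_hours(set_cookie: str, now: datetime) -> float:
    """Hours until the cookie's Expires attribute, measured from `now`."""
    for attr in set_cookie.split(";"):
        name, _, value = attr.strip().partition("=")
        if name.lower() == "expires":
            return (parsedate_to_datetime(value) - now).total_seconds() / 3600
    raise ValueError("no Expires attribute")


def exceeds_policy(set_cookie: str, now: datetime) -> bool:
    """True when the cookie would remain usable longer than the cap allows."""
    return cookie_lifetime_hours(set_cookie, now) > MAX_SESSION_HOURS


def suspicious_sessions(log: str) -> list:
    """Flag sessions reused from a client fingerprint (IP, user agent) other than
    the one that first presented them: the trace a replayed stolen cookie leaves."""
    first_seen = {}
    alerts = []
    for line in log.splitlines():
        ts, sid, ip, ua = line.split(" ", 3)
        fingerprint = (ip, ua)
        if sid not in first_seen:
            first_seen[sid] = fingerprint
        elif first_seen[sid] != fingerprint:
            alerts.append((sid, ts, ip))
    return alerts
```

Fingerprint changes alone also occur legitimately (mobile users roaming, browser updates), so in practice this alert is a signal to correlate with other events rather than a verdict on its own.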


Infostealers Pose Ongoing Threat

Infostealers like Nexus are now one of the leading causes of data breaches and ransomware infections. They extract not only saved passwords but also session cookies, browser history, and clipboard data. These infections often leave a remote access backdoor, and reports suggest the Paradox developer’s compromised system was later sold on underground markets.

This incident follows a similar infection in late 2024, where another Paradox employee in Vietnam lost credentials, including those to GitHub. Both compromised devices showed evidence of repeated downloads of pirated movies, often bundled with fake codec software laced with malware.


Security Certifications and Missed Penetration Tests

Paradox.ai had previously announced SOC 2 Type II and ISO 27001 certification in 2019. Yet the now-exposed McDonald’s test account with its weak credentials went unnoticed during penetration tests, despite being active since 2019.

The company said that during that time, contractors were not held to the same standards as internal staff. Paradox stated that this policy has since changed, and internal security and password requirements have been updated.


How Can Netizen Help?

Netizen ensures that security is built in, not bolted on, providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service,” through which companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.

Questions or concerns? Feel free to reach out to us any time –

https://www.netizen.net/contact