Security researchers recently revealed that the personal information of millions of people who applied for jobs at McDonald’s was exposed after they guessed the password (“123456”) for an account at Paradox.ai, a company that builds AI-based hiring chatbots used by a number of Fortune 500 firms. Paradox.ai said the security oversight was an isolated incident that did not affect its other customers, but recent security breaches involving its employees in Vietnam tell a more nuanced story.
A screenshot of the Paradox.ai homepage shows its AI hiring chatbot “Olivia” interacting with a potential hire.
Earlier this month, security researchers Ian Carroll and Sam Curry wrote about the simple ways they found to reach the backend of the AI chatbot platform on McDonald’s website mchire.com, which many of its franchises use to screen job applicants. As Wired reported earlier, the researchers found that the weak password used by Paradox exposed 64 million records, including applicants’ names, email addresses and phone numbers.
Paradox.ai acknowledged the researchers’ findings, but said the company’s other customers were not affected, and that no sensitive information, such as Social Security numbers, was exposed.
“We are confident that this test account was not accessed by any third party other than the security researchers,” the company wrote in a July 9 blog post. “It had not been logged into since 2019 and, clearly, should have been decommissioned. We want to be very clear that while the researchers could have had access to a system containing all chat interactions (job applications), they only viewed and downloaded a total of five chats, which had candidate information within. Still, no data was made public online.”
However, a review of stolen password data collected by several breach-tracking services suggests that in late June 2025 a Paradox developer in Vietnam had their device compromised by malware. The results were not pretty.
The password data from the Paradox.ai developer was stolen by a malware strain known as “Nexus Stealer,” according to Intelligence X, which reports that the malware on the Paradox.ai developer’s device mostly exposed poor and recycled passwords (the same base password reused with slightly different characters at the end).
Those purloined credentials show that the developer in question at one point used the same seven-digit password across accounts for Fortune 500 firms listed as customers on the company’s website, including Aramark, Lockheed Martin, Lowes and Pepsi.
A seven-character password consisting entirely of digits is highly vulnerable to “brute-force” attacks, which try a large number of potential password combinations in quick succession. According to a password strength guide maintained by Hive Systems, modern password-cracking systems can recover a seven-digit numeric password more or less instantly.
Image: hivesystems.com
In response to questions from KrebsOnSecurity, Paradox.ai confirmed that password data was recently stolen by a malware infection on a longtime Paradox developer’s personal device, and said the company learned of the compromise shortly after it happened. Paradox says only some of the exposed passwords were still valid, and that most of them were present on the employee’s personal device only because they had migrated the contents of a password manager from an old computer.
Paradox also stated that since 2020 it has required single sign-on (SSO) authentication that enforces multi-factor authentication for its partners. Nevertheless, a review of the exposed passwords shows they include the credentials of the Vietnamese administrator at the company’s SSO platform, paradoxai.okta.com. The password for that account ended in 202506, likely a reference to the month of June 2025, and the digital cookie left behind after a successful Okta login with those credentials indicated it was valid until December 2025.
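The two password weaknesses described above, a short all-digit password that a cracking rig exhausts almost instantly, and a base password recycled with a changing date-style suffix such as 202506, are both things a password policy check can catch before the credential is accepted. The following Python is an added example written for this article; it is not Paradox.ai’s code, and the guess rate, the sample passwords and the policy thresholds are all assumptions constructed for the demonstration (the real exposed passwords are not reproduced here).

```python
import re

# Assumed attacker guess rate for an offline attack on a weak hash
# (constructed figure for illustration; tune to the hash in use).
ASSUMED_GUESSES_PER_SECOND = 1e10

# Trailing run of digits such as "2025", "202506" or "01": the part
# that recycled passwords typically rotate while keeping the same stem.
_SUFFIX_RE = re.compile(r"\d{1,8}$")


def keyspace_size(password: str) -> int:
    """Size of the smallest character-class keyspace containing the password."""
    alphabet = 0
    if re.search(r"[0-9]", password):
        alphabet += 10
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"[^0-9a-zA-Z]", password):
        alphabet += 33  # printable ASCII punctuation
    return alphabet ** len(password)


def brute_force_seconds(password: str,
                        guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the keyspace at the assumed guess rate."""
    return keyspace_size(password) / guesses_per_second


def password_stem(password: str) -> str:
    """Normalise a password by stripping its trailing digits and case."""
    return _SUFFIX_RE.sub("", password).lower()


def is_recycled(password: str, history: list[str]) -> bool:
    """True if the password shares its stem with any previous password."""
    stem = password_stem(password)
    return bool(stem) and any(stem == password_stem(old) for old in history)


def audit(password: str, history: list[str], min_len: int = 12,
          max_crack_seconds: float = 86400.0) -> list[str]:
    """Return policy findings for a candidate password (empty list = accept)."""
    findings = []
    if len(password) < min_len:
        findings.append("too-short")
    if password.isdigit():
        findings.append("digits-only")
    if brute_force_seconds(password) < max_crack_seconds:
        findings.append("crackable-quickly")
    if is_recycled(password, history):
        findings.append("recycled")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs, not credentials from the breach.
    print(audit("1234567", []))
    print(audit("Ocean!Wave202506", ["Ocean!Wave202505", "Ocean!Wave202504"]))
```

A seven-digit numeric password has a keyspace of only 10^7, so at the assumed rate the whole space is exhausted in a millisecond; the second sample passes every length and character-class test and is still rejected because its stem matches the previous months’ passwords. In a real deployment the history would be compared against stored stems of hashed passwords rather than plaintext.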
In addition, the administrator’s credentials and authentication cookies for an account at Atlassian, a platform for software development and project management, were exposed. The expiration date for that authentication token was likewise December 2025.
Infostealer infections are among the leading causes of data breaches and ransomware attacks today, and they involve the theft of any passwords and credentials stored in a browser. Most infostealer malware will also siphon the authentication cookies stored on the victim’s device, and depending on how those tokens are configured, thieves may be able to use them to bypass login prompts and/or multi-factor authentication.
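Whether a stolen cookie is still usable months later comes down to its configured lifetime: the Okta and Atlassian tokens described above were captured in June and remained valid until December. The Python below is an added example, not code from Paradox.ai or any of the vendors named in the article; it parses a `Set-Cookie` header, computes the session lifetime, and checks it against an assumed policy maximum. The header strings, the policy limit and the timestamps are all constructed for the demonstration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumed policy: a session cookie should not outlive a working day.
POLICY_MAX_LIFETIME = timedelta(hours=12)


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value, flags and keyed attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "flags": set(), "attrs": {}}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        key = key.strip().lower()
        if sep:
            cookie["attrs"][key] = val.strip()
        else:
            cookie["flags"].add(key)
    return cookie


def cookie_lifetime(cookie: dict, now: datetime):
    """Lifetime from `now`, or None for a browser-session cookie (no expiry)."""
    if "max-age" in cookie["attrs"]:
        return timedelta(seconds=int(cookie["attrs"]["max-age"]))
    if "expires" in cookie["attrs"]:
        return parsedate_to_datetime(cookie["attrs"]["expires"]) - now
    return None


def still_valid_at(cookie: dict, issued: datetime, when: datetime) -> bool:
    """Would a cookie issued at `issued` still be accepted at time `when`?"""
    lifetime = cookie_lifetime(cookie, issued)
    if lifetime is None:
        return False  # session cookie: no fixed expiry to reason about
    return when < issued + lifetime


def audit_cookie(header: str, now: datetime,
                 max_lifetime: timedelta = POLICY_MAX_LIFETIME) -> list[str]:
    """Return policy findings for one Set-Cookie header (empty = acceptable)."""
    cookie = parse_set_cookie(header)
    findings = []
    if "secure" not in cookie["flags"]:
        findings.append("missing-secure")
    if "httponly" not in cookie["flags"]:
        findings.append("missing-httponly")
    lifetime = cookie_lifetime(cookie, now)
    if lifetime is not None and lifetime > max_lifetime:
        findings.append("lifetime-too-long")
    return findings


# Constructed sample: a login in late June 2025 that sets a cookie
# expiring at the end of December 2025.
ISSUED = datetime(2025, 6, 25, tzinfo=timezone.utc)
LONG_LIVED = "sid=c0nstructed; Path=/; Secure; HttpOnly; Expires=Wed, 31 Dec 2025 23:59:59 GMT"
SHORT_LIVED = "sid=c0nstructed; Path=/; Secure; HttpOnly; Max-Age=3600"

if __name__ == "__main__":
    print(audit_cookie(LONG_LIVED, ISSUED))
    print(still_valid_at(parse_set_cookie(LONG_LIVED), ISSUED,
                         datetime(2025, 9, 1, tzinfo=timezone.utc)))
```

The `Secure` and `HttpOnly` flags address other attack classes and do nothing against malware that reads the browser’s cookie store directly; the lifetime check is the one that shortens the window in which a stolen token remains useful. Server-side session revocation on a reported infection closes that window entirely, and is worth triggering automatically when a breach-tracking feed reports an employee’s credentials.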
Often the infostealer will also open a backdoor on the infected device that allows attackers to access the machine remotely. Indeed, it appears that remote access to the Paradox administrator’s device was recently offered for sale.
In February 2019, Paradox.ai announced it had successfully completed audits for two fairly comprehensive security standards (ISO 27001 and SOC 2 Type II). Meanwhile, the company’s security disclosure this month says the test account with the dreadful username and password 123456 was last accessed in 2019, but somehow missed their annual penetration tests. So how did it manage to pass such stringent security audits with these practices in place?
Paradox.ai told KrebsOnSecurity that at the time of the 2019 audit, the company’s various contractors were not held to the same security standards that the company practiced internally. Paradox stressed that this has changed, and that it has updated its security and password requirements many times since then.
It is not clear how the Paradox developer in Vietnam infected their computer with malware, but a closer review finds that a Windows device belonging to another Paradox employee from Vietnam was compromised by similar data-stealing malware in late 2024 (a compromise that included the victim’s GitHub credentials). In the case of both employees, the stolen credential data includes web browser logs showing the victims repeatedly downloading pirated films and television shows, which are often bundled with a video codec required to watch the pirated material.