Saturday, July 19, 2025
Cyber Defense GO
Poor Passwords Tattle on AI Hiring Bot Maker Paradox.ai – Krebs on Security

by Md Sazzad Hossain

Security researchers recently revealed that the personal information of millions of people who applied for jobs at McDonald’s was exposed after they guessed the password (“123456”) for the fast food chain’s account at Paradox.ai, a company that makes artificial intelligence based hiring chatbots used by many Fortune 500 firms. Paradox.ai said the security oversight was an isolated incident that did not affect its other customers, but recent security breaches involving its employees in Vietnam tell a more nuanced story.

A screenshot of the paradox.ai homepage showing its AI hiring chatbot “Olivia” interacting with potential hires.

Earlier this month, security researchers Ian Carroll and Sam Curry wrote about simple methods they found to access the backend of the AI chatbot platform on McHire.com, the McDonald’s website that many of its franchisees use to screen job applicants. As first reported by Wired, the researchers discovered that the weak password used by Paradox exposed 64 million records, including applicants’ names, email addresses and phone numbers.

Paradox.ai acknowledged the researchers’ findings but said the company’s other client instances were not affected, and that no sensitive information — such as Social Security numbers — was exposed.

“We are confident, based on our records, this test account was not accessed by any third party other than the security researchers,” the company wrote in a July 9 blog post. “It had not been logged into since 2019 and frankly, should have been decommissioned. We want to be very clear that while the researchers may have briefly had access to the system containing all chat interactions (NOT job applications), they only viewed and downloaded 5 chats in total that had candidate information within. Again, at no point was any data leaked online or made public.”

However, a review of stolen password data collected by multiple breach-tracking services shows that at the end of June 2025, a Paradox.ai administrator in Vietnam suffered a malware compromise on their device that stole usernames and passwords for a variety of internal and third-party online services. The results were not pretty.

The password data from the Paradox.ai developer was stolen by a malware strain known as “Nexus Stealer,” a form grabber and password stealer that is sold on cybercrime forums. The information snarfed by stealers like Nexus is often recovered and indexed by data leak aggregator services like Intelligence X, which reports that the malware on the Paradox.ai developer’s device exposed hundreds of mostly poor and recycled passwords (using the same base password but slightly different characters at the end).

Those purloined credentials show the developer in question at one point used the same seven-digit password to log in to Paradox.ai accounts for a number of Fortune 500 firms listed as customers on the company’s website, including Aramark, Lockheed Martin, Lowes, and Pepsi.

Seven-character passwords, particularly those consisting entirely of numerals, are highly vulnerable to “brute-force” attacks that can try a large number of possible password combinations in rapid succession. According to a much-referenced password strength guide maintained by Hive Systems, modern password-cracking systems can work out a seven-digit numeric password more or less instantly.
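As an added illustration (not code from the Krebs article or from Paradox.ai), the following Python audit runs over a constructed credential list with placeholder service names and flags the three patterns described above: a short all-numeric password shared across several tenants, a password ending in a YYYYMM date, and recycled passwords that share a base and differ only in their trailing characters. The sample values and service names are made up.

```python
import re
from collections import defaultdict

# Constructed sample, not real data: (service, password) pairs that mimic the
# patterns the article describes. Service names are placeholders.
SAMPLE_CREDENTIALS = [
    ("customer-a.example", "4827391"),      # seven-digit numeric, shared
    ("customer-b.example", "4827391"),
    ("customer-c.example", "4827391"),
    ("sso.example", "Summer202506"),        # base + YYYYMM suffix
    ("wiki.example", "Summer202412"),       # same base, older suffix
    ("code.example", "Summer2023!"),        # same base again
    ("mail.example", "Tr0ub4dor&3-unique-x9"),  # unique, not flagged
]

# A trailing run (up to 8 chars) of digits/punctuation that users bolt on to a
# fixed base when forced to "change" a password.
SUFFIX_RE = re.compile(r"[0-9!@#$%^&*._-]{1,8}$")
# A password ending in a plausible year+month, e.g. 202506.
DATE_SUFFIX_RE = re.compile(r"(19|20)[0-9]{2}(0[1-9]|1[0-2])$")


def base_password(pw):
    """Strip a short trailing suffix so 'Summer2023!' and 'Summer202506'
    collapse to the same base 'Summer'; an all-suffix password keeps itself."""
    base = SUFFIX_RE.sub("", pw)
    return base or pw


def audit(credentials):
    """Return sorted (service, finding) pairs for weak or recycled passwords."""
    findings = []
    by_password = defaultdict(list)   # exact password -> services using it
    by_base = defaultdict(set)        # base password -> distinct variants
    for service, pw in credentials:
        by_password[pw].append(service)
        by_base[base_password(pw)].add(pw)
        if pw.isdigit() and len(pw) <= 8:
            findings.append((service, "all-numeric %d-digit password" % len(pw)))
        if DATE_SUFFIX_RE.search(pw):
            findings.append((service, "ends in a YYYYMM date"))
    for service, pw in credentials:
        if len(by_password[pw]) > 1:
            findings.append((service, "identical password reused on %d services"
                             % len(by_password[pw])))
        elif len(by_base[base_password(pw)]) > 1:
            findings.append((service, "recycled base '%s' with a different suffix"
                             % base_password(pw)))
    return sorted(findings)


if __name__ == "__main__":
    for service, finding in audit(SAMPLE_CREDENTIALS):
        print("%-20s %s" % (service, finding))
```

The same audit can be pointed at a password manager export to find recycled bases before a stealer log does.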

Image: hivesystems.com.

In response to questions from KrebsOnSecurity, Paradox.ai confirmed that the password data was recently stolen by a malware infection on the personal device of a longtime Paradox developer based in Vietnam, and said the company was made aware of the compromise shortly after it happened. Paradox maintains that few of the exposed passwords were still valid, and that a majority of them were present on the employee’s personal device only because he had migrated the contents of a password manager from an old computer.

Paradox also pointed out that it has been requiring single sign-on (SSO) authentication since 2020 that enforces multi-factor authentication for its partners. However, a review of the exposed passwords shows they included the Vietnamese administrator’s credentials to the company’s SSO platform — paradoxai.okta.com. The password for that account ended in 202506 — presumably a reference to the month of June 2025 — and the digital cookie left behind after a successful Okta login with those credentials says it was valid until December 2025.

Also exposed were the administrator’s credentials and authentication cookies for an account at Atlassian, a platform made for software development and project management. The expiration date for that authentication token likewise was December 2025.

Infostealer infections are among the leading causes of data breaches and ransomware attacks today, and they result in the theft of stored passwords and any credentials the victim types into a browser. Most infostealer malware also will siphon authentication cookies stored on the victim’s device, and depending on how those tokens are configured thieves may be able to use them to bypass login prompts and/or multi-factor authentication.

Very often these infostealer infections will open a backdoor on the victim’s device that allows attackers to access the infected machine remotely. Indeed, it appears that remote access to the Paradox administrator’s compromised device was offered for sale recently.

In February 2019, Paradox.ai announced it had successfully completed audits for two fairly comprehensive security standards (ISO 27001 and SOC 2 Type II). Meanwhile, the company’s security disclosure this month says the test account with the atrocious 123456 username and password was last accessed in 2019, but somehow was missed in their annual penetration tests. So how did it manage to pass such stringent security audits with these practices in place?

Paradox.ai told KrebsOnSecurity that at the time of the 2019 audit, the company’s various contractors were not held to the same security standards the company practices internally. Paradox emphasized that this has changed, and that it has updated its security and password requirements several times since then.

It is unclear how the Paradox developer in Vietnam infected his computer with malware, but a closer review finds a Windows device for another Paradox.ai employee from Vietnam was compromised by similar data-stealing malware at the end of 2024 (that compromise included the victim’s GitHub credentials). In the case of both employees, the stolen credential data includes Web browser logs that indicate the victims repeatedly downloaded pirated movies and television shows, which are often bundled with malware disguised as a video codec needed to view the pirated content.
