A recent security breach at Paradox.ai, a company that makes artificial intelligence-based hiring chatbots used by many Fortune 500 firms, has exposed millions of job applicants' personal information. The incident highlights the importance of robust password management and multi-factor authentication in protecting sensitive data.
What Happened
Security researchers Ian Carroll and Sam Curry recently discovered that a weak password ("123456") used by Paradox.ai's test account on McHire.com, McDonald's website for screening job applicants, exposed 64 million records. The records included applicants' names, email addresses, and phone numbers.
Paradox.ai acknowledged the researchers' findings but claimed that the security oversight was an isolated incident that did not affect its other customers. However, a review of stolen password data gathered by multiple breach-tracking services revealed that at the end of June 2025, a Paradox.ai administrator in Vietnam suffered a malware compromise on their device.
The password data from the Paradox.ai developer was stolen by a malware strain known as "Nexus Stealer," a form grabber and password stealer sold on cybercrime forums. The information snarfed by stealers like Nexus is often recovered and indexed by data leak aggregator services like Intelligence X, which reports that the malware on the Paradox.ai developer's device exposed hundreds of mostly poor and recycled passwords.
Background and Context
Paradox.ai makes artificial intelligence-based hiring chatbots used by many Fortune 500 firms, and the company has drawn attention recently for its security practices. In February 2019, Paradox.ai announced it had successfully completed audits for two comprehensive security standards (ISO 27001 and SOC 2 Type II).
Those certifications did not prevent the compromise described above. The stolen-password data indexed by breach-tracking services shows that at the end of June 2025 a Paradox.ai administrator in Vietnam had malware running on their device, and the credentials recovered from it were not pretty.
Why it Matters to the Industry
The Paradox.ai incident shows how a single weak or recycled password can undo otherwise reasonable controls, including MFA-backed SSO. That lesson carries over to the adult industry, where sensitive personal information is routinely collected and shared and a breach can have severe consequences for the people exposed.
According to the much-referenced password strength table maintained by Hive Systems, modern password-cracking hardware can recover a seven-digit numeric password more or less instantly. The reason is the size of the search space: seven numerals allow only 10^7 combinations, and a brute-force attack that tries every candidate in quick succession exhausts a space that small in a fraction of a second. Short passwords, and especially those consisting entirely of numerals, are therefore the first to fall.
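To make the brute-force arithmetic concrete, and to show how the other weaknesses in this story (a "123456" password on a test account, all-numeric passwords, passwords recycled across accounts) can be caught before they reach production, here is an added Python example. It is not code from the article or from Paradox.ai; the breached-password list, the sample credential dump and the guess rate of 10^10 per second are constructed assumptions for illustration, and the 12-character minimum is an assumed policy.

```python
import math
import string

# Constructed stand-in for a breached-password corpus (a real deployment would
# check against a full list such as Have I Been Pwned, not this sample).
KNOWN_COMPROMISED = {"123456", "12345678", "password", "qwerty", "111111"}

# Assumed offline guess rate against a fast, unsalted hash. Illustrative
# assumption for this example, not a figure from the article.
GUESSES_PER_SECOND = 1e10

MIN_LENGTH = 12                  # assumed policy for this example
ONE_YEAR = 365 * 24 * 3600       # seconds


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet an attacker must iterate over."""
    size = 0
    if any(c in string.digits for c in password):
        size += len(string.digits)           # 10
    if any(c in string.ascii_lowercase for c in password):
        size += len(string.ascii_lowercase)  # 26
    if any(c in string.ascii_uppercase for c in password):
        size += len(string.ascii_uppercase)  # 26
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)      # 32
    if any(c.isspace() or c not in string.printable for c in password):
        size += 1                            # space / non-ASCII counted as one extra symbol
    return size


def keyspace(password: str) -> int:
    """Number of candidates a naive brute force must try: alphabet ** length."""
    return charset_size(password) ** len(password)


def brute_force_seconds(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to exhaust the keyspace at the assumed guess rate."""
    return keyspace(password) / rate


def evaluate(password: str) -> dict:
    """Apply the policy and return every reason the password is rejected."""
    reasons = []
    if password in KNOWN_COMPROMISED:
        reasons.append("appears in breached-password list")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        reasons.append("numerals only")
    if brute_force_seconds(password) < ONE_YEAR:
        reasons.append("keyspace exhaustible within a year at assumed rate")
    return {
        "password": password,
        "charset": charset_size(password),
        "keyspace_bits": math.log2(keyspace(password)) if password else 0.0,
        "seconds_to_exhaust": brute_force_seconds(password),
        "accepted": not reasons,
        "reasons": reasons,
    }


def find_recycled(credentials: dict) -> dict:
    """Map each password used for more than one account to the accounts sharing it."""
    by_password = {}
    for account, pw in credentials.items():
        by_password.setdefault(pw, []).append(account)
    return {pw: sorted(accts) for pw, accts in by_password.items() if len(accts) > 1}


# Constructed sample shaped like a stealer log; none of these are real credentials.
SAMPLE_DUMP = {
    "sso.example.com": "Winter2023!",
    "mail.example.com": "Winter2023!",
    "vpn.example.com": "hunter2",
    "hr-portal.example.com": "123456",
}

if __name__ == "__main__":
    for pw in ("1234567", "123456", "Tr0ub4dor!", "correct horse battery staple"):
        r = evaluate(pw)
        verdict = "OK" if r["accepted"] else "REJECT: " + "; ".join(r["reasons"])
        print(f"{pw!r}: {r['keyspace_bits']:.1f} bits, "
              f"{r['seconds_to_exhaust']:.3g} s to exhaust, {verdict}")
    print("recycled across accounts:", find_recycled(SAMPLE_DUMP))
```

At the assumed rate the seven-digit keyspace of 10^7 falls in a millisecond, whereas a 28-character passphrase drawn only from lowercase letters and spaces would outlast the hardware, so the policy keys on length and alphabet rather than on character-class rules alone. The reuse check is the part that would have flagged a password shared between an SSO account and anything else in the dump.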
What Comes Next
Paradox.ai has confirmed that the password data was recently stolen by a malware infection on the personal device of a longtime Paradox developer based in Vietnam. The company maintains that few of the exposed passwords were still valid, and that a majority of them were present on the employee's personal device only because he had migrated the contents of a password manager from an old computer.
Paradox also pointed out that it has required single sign-on (SSO) authentication since 2020, and that its SSO enforces multi-factor authentication for its partners. MFA on the SSO platform does limit what a stolen password alone can do, but a review of the exposed passwords shows they included the Vietnamese administrator's credentials to that very platform, paradoxai.okta.com.
Key Facts
- The weak password "123456" used by Paradox.ai's test account on McHire.com exposed 64 million records, including applicants' names, email addresses, and phone numbers.
- A review of stolen password data gathered by multiple breach-tracking services revealed that at the end of June 2025, a Paradox.ai administrator in Vietnam suffered a malware compromise on their device.
- The password data from the Paradox.ai developer was stolen by a malware strain known as "Nexus Stealer," a form grabber and password stealer sold on cybercrime forums.
- Paradox.ai has been requiring single sign-on (SSO) authentication since 2020 that enforces multi-factor authentication for its partners.
- The exposed passwords included the Vietnamese administrator's credentials to the company's SSO platform — paradoxai.okta.com.
In conclusion, the Paradox.ai breach is a reminder that audits and SSO are only as strong as the credentials and devices behind them. The adult industry can learn from this incident by checking that its own password hygiene, MFA enforcement and endpoint protections are not just documented but actually in force.