- John Hammond
Cybersecurity Shenanigans #014: Not the 123456 password thing again...
This month's cybersecurity scoop.
👋 Hey friend,
This month’s Shenanigans features a true mix of “wait…that still happens?!” and “oh, that stinks.” We top it all off with a dash of “wow, cybersecurity really does impact lives” for good measure.
From a 123456 password (seriously) to a friendly reminder to consider the risks of using outdated systems, this issue will (hopefully) give you the warm and fuzzy feels that we defenders sometimes need to keep on keepin’ on.
Let’s dive in!
— JH
News & Commentary
McHire Bot leak exposes 64 million job applications 😳
Two security researchers (Ian Carroll and Sam Curry) recently flagged one McHeck of a vulnerability in McDonald’s chatbot-driven recruitment platform. 😅
McHire—the recruitment platform—exposed the PII of more than 64 million job applicants. Seems that a test account on the platform was left wide open with the default credentials (!!!) 123456:123456 in place. And they also had an API with an insecure direct object reference (IDOR) that allowed access to applicant records just by changing a number in the URL.
😮💨
Once they logged into the test account, the researchers had admin-level access to a test “restaurant,” complete with the data of real applicants and the ability to watch (or even participate in!!!) live chat interviews. That IDOR bug I mentioned earlier? It allowed the researchers to pull names, emails, phone numbers, addresses, and even auth tokens that let them easily impersonate users in the chat interface.
Did I mention this legacy test account hadn’t been touched since 2019?
The silver lining: Both the bot platform and McDonald’s responded quickly when the researchers got in touch. They immediately revoked access and patched up all the bugs within 24 hours. Further, the bot platform (Paradox.ai) confirmed that only one client instance was impacted and no Social Security numbers were leaked—but the issue was not identified in previous pentests.
The lesson here? Some of the biggest risks come from the simplest oversights. All it took for two security researchers to unlock access to tens of millions of applicant records was a default password and an exposed API endpoint. 😅 There’s a reason why misconfigurations continue to dominate as attack vectors: they’re common, and they often slip through the cracks.
Secure those test environments, change those default passwords, and remember that even the best pentests can miss vulnerabilities.
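To make the two oversights concrete, here is an added illustration (not code from the article, Paradox.ai or McDonald’s): the IDOR pattern on an applicant-record lookup beside a tenant-scoped version, plus a login-time check for a still-default credential pair and a dormant account. The records, tenants, credential list and idle-day policy are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample data (not real McHire records): applicants keyed by the
# numeric id that would appear in the URL, each owned by one "restaurant" tenant.
APPLICANTS = {
    1001: {"tenant": "store-A", "name": "Alice Example", "email": "alice@example.test"},
    1002: {"tenant": "store-A", "name": "Bob Example", "email": "bob@example.test"},
    1003: {"tenant": "store-B", "name": "Cara Example", "email": "cara@example.test"},
}


@dataclass(frozen=True)
class Session:
    username: str
    tenant: str        # the restaurant this login is allowed to see
    last_login: date   # feeds the dormant-account check below


def get_applicant_idor(session: Session, applicant_id: int) -> Optional[dict]:
    """The pattern behind the bug: the caller is authenticated, so the handler
    trusts whatever id arrives in the URL and never asks who owns the record."""
    return APPLICANTS.get(applicant_id)


def get_applicant_scoped(session: Session, applicant_id: int) -> Optional[dict]:
    """Hardened lookup: the record must belong to the caller's tenant. A missing
    id and a foreign id both return None (a 404 at the HTTP layer), so walking
    the id space reveals nothing about other tenants' applicants."""
    record = APPLICANTS.get(applicant_id)
    if record is None or record["tenant"] != session.tenant:
        return None
    return record


# Assumed policy values for this example, not the vendor's.
DEFAULT_CREDENTIALS = {("123456", "123456")}
MAX_IDLE_DAYS = 90


def account_review_flags(session: Session, password: str, today: date) -> list:
    """Conditions that should block a login (or fail a pre-release audit):
    a default credential pair still in place, and an account idle past policy."""
    flags = []
    if (session.username, password) in DEFAULT_CREDENTIALS:
        flags.append("default credential pair still in place")
    idle_days = (today - session.last_login).days
    if idle_days > MAX_IDLE_DAYS:
        flags.append(f"dormant for {idle_days} days")
    return flags
```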
The National Cyber Security Centre urges folks to upgrade to Windows 11 before October 🗓️
The UK’s National Cyber Security Centre (NCSC) has issued a critical advisory that strongly encourages businesses to update to Windows 11 ASAP.
As you probably already know, Windows 10 will reach its end-of-life on October 14, 2025, so orgs around the world are now facing a decision: migrate to Windows 11, or accept some dangerous risks?
The NCSC addresses some common reservations about upgrading, one being that Windows 10 “just works,” so why bother. To that, the NCSC issues this reminder:
It goes without saying that the security risks of not upgrading are significant. In addition to the difficulties associated with being out of support, an out-of-date operating system is a prime target for cyber criminals. We saw this when a vulnerability in IE 6-11 was exploited after Windows XP support ended on 8 April 2014, and before it was patched on 1 May 2014. And again in 2017, a vulnerability in unpatched versions of XP was exploited extensively by the WannaCry ransomware – an attack which resulted in huge costs and damage globally.
And…they’re not wrong, you know. 👀
I’m not trying to fearmonger—that happens enough in the wild—but I do want to flag the issue of basic cyber hygiene. Running out-of-support OS versions is inherently risky. Do with that what you will. 😅
New report finds that 70% of healthcare cyberattacks disrupt patient care 🏥
Again, we’re reminded that there’s no longer a divide between the cyber world and the real world.
A new report from Fortified Health Security reveals that 92% of healthcare organizations were targeted by cyberattacks in 2024—and 70% of those incidents impacted patient care in some way.
While many systems have gradually improved with risk assessments and response planning, legacy tech, poor risk management, and unclear responsibility remain critical weak points. The report warns that without a complete, up-to-date asset inventory and a cultural shift toward everyday vigilance, healthcare orgs remain vulnerable.
Cybersecurity in healthcare is a prime example of why the work we do as defenders is so important. It’s not just protecting data anymore; it’s protecting lives in certain industries. You can’t defend what you don’t know exists, and you can’t build a strong security posture on a weak culture. And frankly, we have a lot of work to do on both those fronts.
Sponsor

8 Common Cloud Threats to Watch for in 2025
Did you know that 35% of breaches are the result of vulnerabilities that were quickly weaponized following public disclosure?
While cloud attacks may be growing more sophisticated, attackers still succeed with surprisingly simple techniques.
Drawing from Wiz's detections across thousands of organizations, their research team identified eight key MITRE ATT&CK techniques used by cloud-fluent threat actors.
This report reveals some of the most common techniques attackers used to compromise cloud environments in 2024. Plus:
Key trends across recent attacks
Real-world case studies
Recommendations for how your security team can defend against these threats.

Email being clipped?
Here’s some actually helpful advice: You can view the email in your browser: https://johnhammond.beehiiv.com/p/cybersecurity-shenanigans-014.
(And as always, thanks for nothing, Clippy. 💙)
Latest Content
YouTube Videos
// Obfuscation 🤝 hackers. ArgFuscator 🤝 security researchers interested in defense evasion techniques. Wietze 🤝 this video. (No, seriously, thanks for letting me showcase this tool!)
// …guess “in plain sight” isn’t a good enough hiding place for hackers these days?
// Surprisingly effective: Giving people step-by-step directions to help you hack them. 👀
Just Hacking Training 🤓
July Announcements
July Course Launch: Phishing!
Cori Macy’s Phishing: A Technical Course for Red Teaming is “Name Your Price” at only $10–$50! This hands-on course shows you step-by-step how to create your own attack infrastructure AND numerous types of campaigns inside your own dedicated, web-based lab. It’s pretty sweet, if I do say so myself. 😎
My Dark Web Course is 20% Off
My very own course, Dark Web & Cybercrime Investigations, is 20% off at only $100. Learn directly from yours truly how to uncover cybercrime. You’ll get a broad understanding of the entire underworld ecosystem, how to navigate it, as well as what your organizations or clients might expect from a Cybercrime Investigator!
JHT @ DEF CON
JHT will sponsor 4 Villages at DEF CON this year! For all updates, keep checking our Events page. Our main location will be in the IoT Village with swag and some super cool activities:
Kick off DEF CON with me and a very special super secret guest on the stage inside the IoT Village starting promptly at 11:20 AM on Friday, August 8 (the first day of DEF CON)
2 live mini-workshops (~15 minutes each) to learn the basics of IoT running constantly throughout DC
IoT Village DC Party on Saturday, August 9 from 9 PM – midnight located at DEF CON!
JHT is also sponsoring the Red Team Village, Noob Village, and my very own Scambait Village!
Additional Releases This Month:
Free Upskill Challenge – Purple Teaming by Joe Brinkley
Free Upskill Challenge – Azure Security by Carlos Polop
Free Upskill Challenge – GCP Security by Carlos Polop
Just Hacking Training is a platform providing "Focused Technical Training for All Levels" with 60+ affordable, hands-on options in four categories: Courses, Free Upskill Challenges, Hack-Alongs and CTFs. With new content released twice a month throughout 2025, bi-monthly livestreams with me and our All-Star contributors, and even some “Name Your Price” options, JHT will advance your career regardless of experience level or budget.
Come hang out with us hackers in Discord and engage with me, our All-Star instructors, students, and the rest of our community.
today for my day job at huntress labs dot com,
@wbmmfq @LindseyOD123 @gleeda and i spent time scrolling through the media tab of @vxunderground's xitter profile to find the perfect cat picture (very serious)
that we would include in our latest blog (very important)
— John Hammond (@_JohnHammond)
3:32 PM • Jul 10, 2025
🤩 I'm SUPER stoked to be able to bring to DEFCON this year:
Scambait Village!
Getting together with @NoPESDS and members of the scambait community (crossing my fingers we will get @ScammerPayback @Kitboga et al. to swing by too -- @jimbrowning next year😜) -- we'll have
— John Hammond (@_JohnHammond)
11:00 PM • Jul 8, 2025
Got Jokes?
Why yes, yes you all do. 🤣
To appease the Email Overlords, I ask new subscribers to reply to an email from me with their best joke (to make sure future newsletters don’t land in spam). Here are just a few of my favorites that wound up in my inbox.
Why is Winnie the Pooh the worst hacker?
Because he constantly falls for honeypots.
Why did the security researcher break up with their fuzzer?
Because it kept sending mixed signals and crashed every time they got close.
What do you get when you cross a joke with a rhetorical question?
This last one’s an email sign-off, not a joke, but hilarious nonetheless:
Sent by a well-trained carrier pigeon
Got feedback?
Feels like we’re in a groove with this thing! I invite you to help me shake it up.
Please reply to this email and let me know what you’re loving — and what you’d love to see in the next edition.
Thank you!