The fast-food chain McDonald's mistakenly sent out emails with login credentials associated with a database for its Monopoly VIP game.
McDonald's UK had to postpone the famous Monopoly VIP game for a year due to the COVID-19 pandemic. This year, on August 25th, McDonald's reintroduced the game.
McDonald's Monopoly is a well-known marketing gimmick in which customers can win gifts and money by entering codes found on purchases. Basically, every time a person purchases a meal from a McDonald's restaurant, they have a chance to win a gift.
Unfortunately, the game encountered a roadblock over the weekend when a bug caused prize redemption emails sent to winners to include the user names and passwords for the production and staging database servers.
Troy Hunt shared with BleepingComputer an unredacted screenshot of an exception fault in an email issued to prize winners, which includes critical information for the online application.
The redacted email sent to a Monopoly VIP winner contained hostnames for Azure SQL databases and the databases' login names and passwords.
The prize winner who shared the email with Troy Hunt stated that the production server was firewalled off but that the staging server could be accessed using the attached credentials.
The person informed Troy Hunt in an email published with BleepingComputer, "I tried to connect to production to gauge the severity of the issue and whether or not getting in touch was an urgent matter but luckily for them they had a set of firewall rules setup. I did however gain access to staging, which I disconnected from immediately for obvious reasons."
Since these databases may have contained winning prize codes, an unethical individual might have obtained unused game codes and exploited them to claim the rewards.
Luckily for McDonald's, the individual appropriately reported the problem to them. They did not receive a reply, but later discovered that the staging server's password had been changed.
This was not a unique incident, though: several people claimed to have seen the credentials and even went so far as to record their experience on TikTok.
McDonald's told BleepingComputer that only the staging server's credentials were compromised, even though the error clearly showed that the credentials of both a production and a staging server were leaked.
In a statement, McDonald's told BleepingComputer, "Due to an administrative error, a small number of customers received details for a staging website by email. No personal details were compromised or shared with other parties."
"Those affected will be contacted to reassure them that this was a human error and that their information remains safe. We take data privacy very seriously and apologize for any undue concern this error has caused."