September 9, 2021

“Never trust a clown”: McDonald’s leaks Monopoly prize database credentials

By Robert Scammell

Fast-food giant McDonald’s has erroneously emailed login credentials for a database related to its Monopoly VIP competition to some of its winners in the UK.

The competition rewards loyal burger buyers with prizes that are redeemed by entering a code found on meals into a McDonald’s website. It relaunched on 25 August after a year-long, Covid-forced hiatus. Examples of prizes are cash, UK getaways, more McDonald’s food and hot tubs.

But the fast-food behemoth found itself in a pickle after sending out the email containing host names for an Azure SQL database, along with login names and passwords in plain text.

McDonald’s said no customer data was leaked from the Monopoly email marketing database.

Connor Greig, the founder of startup Creatorsphere, was the first person to report the leak to McDonald’s. He told The Register that he struggled to get through to McDonald’s security team and resorted to posting a video on TikTok to catch the Big Mac maker’s attention.

“I have emailed but I don’t have any direct contact so if someone could put me in touch that would be great because currently I have the keys to the kingdom – and I don’t want them,” he said in the short video.

Eventually, he got through and the problem was fixed.

Security researcher and creator of Have I Been Pwned? Troy Hunt also spotted the email mix-up. He told Bleeping Computer that the person who shared the credential leak with him was only able to access a staging part of the database as “they had a firewall rules setup”.

It is not clear what type of information was stored in the database, but there has been speculation it contained unused codes that would have allowed someone to claim the prizes.

“Never trust a clown to secure your connection strings,” Hunt wrote on Twitter, in reference to the company’s red-headed mascot.

Not lovin’ IT

“Due to an administrative error, a small number of customers received details for a staging website by email. No personal details were compromised or shared with other parties,” McDonald’s said in a statement.

“Those affected will be contacted to reassure them that this was a human error and that their information remains safe. We take data privacy very seriously and apologise for any undue concern this error has caused.”

Security experts said the credential leak was unlikely to cause any notable damage, being more of an embarrassing slip-up for McDonald’s than something to make a meal out of.

“Assuming the database is well protected from the public internet, this does not pose a critical and immediate risk, but as a mistake it is a little more embarrassing,” said Eoin Keary, CEO and founder of Edgescan. “It is assumed that database passwords etc were immediately changed after the error was discovered. Deployment security and error handling were both key in this situation.”

Paul Bischoff, privacy advocate at Comparitech, said: “The databases contained the codes and their matching prizes, not customer data, so no McDonald’s customer information was exposed in the incident. No harm, no foul, but the mistake shows that even the biggest organizations are vulnerable to cybersecurity oversights.”

It is not the first time McDonald’s has had trouble keeping data secure. In June, it detected unauthorised activity on its network that exposed the personal data of some customers in South Korea and Taiwan. Another attack could see hackers make mincemeat out of the fast food giant.