McDonald’s Erroneously Leaked Credentials to Monopoly VIP Database Customers

McDonald’s recently made a blunder when sending emails to prize winners. What McDonald’s now confirmed as a human error exposed credentials to the Monopoly VIP Game database to all email recipients.

McDonald’s Leaked Monopoly VIP Database Credentials

Reportedly, McDonald’s UK has recently launched its Monopoly VIP game for the consumers. This game lets users win prizes by entering codes mentioned on food items they purchase. These prizes include some hefty rewards such as an Ibiza villa, a UK getaway holiday, or even a cash prize of £100,000.

The restaurant informs the prize winners via emails, an otherwise normal activity that went wrong lately. As noticed by the recipients, the emails included the login credentials for the staging and development database of the McDonald’s Monopoly VIP game.

According to the screenshots shared by the Bleeping Computer and Troy Hunt, the emails included hostnames for Azure SQL databases with login usernames and passwords in the plain text due to an exception error.

Eventually, one of the recipients could verify the glitch as entering the login credentials could establish a connection with the staging server. As that user told Troy Hunt,

I tried to connect to production to gauge the severity of the issue and whether or not getting in touch was an urgent matter but luckily for them they had a set of firewall rules setup…
I did however gain access to staging, which I disconnected from immediately for obvious reasons.

McDonald’s Addressed The Glitch

Upon discovering the matter, the user responsibly disclosed the matter to McDonald’s, following which they addressed the matter. Although they didn’t respond to that, the user could observe the change of password shortly after.

Nonetheless, McDonald’s has admitted the glitch to Bleeping Computer, explaining that it happened due to a human error. Also, they confirmed the glitch to have affected their staging server only.

Due to an administrative error, a small number of customers received details for a staging website by email. No personal details were compromised or shared with other parties.
Those affected will be contacted to reassure them that this was a human error and that their information remains safe. We take data privacy very seriously and apologise for any undue concern this error has caused.

Let us know your thoughts in the comments

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients