McDonald’s Password for the Monopoly VIP Database Leaked
A Bug Affected the McDonald’s Monopoly VIP Game in the United Kingdom.
The bug caused the login names and passwords for the game's databases to be sent to all prize winners.
The COVID-19 pandemic led McDonald's UK to skip a year of the popular Monopoly VIP game.
This year McDonald's brought the game back on August 25th. In the game, customers enter codes found on purchased food items for the chance to win a prize.
The prizes were £100,000 in cash, an Ibiza villa or UK getaway holiday, Lay-Z Spa hot tubs, and more.
It seems that the game ran into trouble over the weekend when a bug caused the usernames and passwords for the production and staging database servers to be leaked in the prize redemption emails sent to winners.
BleepingComputer received a screenshot of the email sent to prize winners. It shows an unhandled exception message that includes sensitive information such as the hostnames of Azure SQL databases and the databases' login names and passwords.
The recipient of the email, who shared the screenshot with Troy Hunt, said that the production server was firewalled off but that they could access the staging server using the included credentials.
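The failure mode described above is an exception message, connection string and all, being dropped into a customer-facing email. The following is an added illustration, not code from McDonald's or from the article: a sample connection string in the Azure SQL key=value format (constructed here), a redaction helper, and the unsafe email rendering beside a hardened version that keeps the detail in internal logs and gives the customer only a reference id.

```python
import re
import uuid
import logging

# Constructed sample: the shape of an Azure SQL connection string that an
# unhandled exception could carry into a customer-facing email.
CONSTRUCTED_CONN_STR = (
    "Server=tcp:example-prod.database.windows.net,1433;"
    "Initial Catalog=vipgame;User ID=vipadmin;Password=S3cr3t!;Encrypt=True"
)

# Keys whose values locate or authenticate to the database; the rest
# (Encrypt, Initial Catalog, ...) is harmless to show in a log.
SECRET_KEYS = {"server", "data source", "user id", "uid", "password", "pwd"}


def redact_connection_string(text: str) -> str:
    """Mask secret key=value pairs found anywhere inside an error message."""
    def mask(m):
        key = m.group(1)
        if key.strip().lower() in SECRET_KEYS:
            return f"{key}=<redacted>"
        return m.group(0)
    return re.sub(r"([A-Za-z ]+)=([^;]+)", mask, text)


def render_prize_email_unsafe(winner: str, exc: Exception) -> str:
    # The bug described above: the raw exception text goes straight
    # into the email body, hostnames and credentials included.
    return f"Dear {winner}, something went wrong: {exc}"


def render_prize_email_safe(winner: str, exc: Exception) -> tuple:
    """Log redacted detail internally; the customer sees only a reference id."""
    ref = uuid.uuid4().hex[:8]
    logging.getLogger("prize").error("ref=%s %s", ref, redact_connection_string(str(exc)))
    body = f"Dear {winner}, we could not process your prize. Please quote reference {ref}."
    return body, ref


if __name__ == "__main__":
    # Simulate a database driver raising with the connection string in its message.
    err = RuntimeError(f"Login failed. Connection: {CONSTRUCTED_CONN_STR}")
    print(render_prize_email_unsafe("Alex", err))   # leaks host, user and password
    print(render_prize_email_safe("Alex", err)[0])  # generic text plus reference only
```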
I tried to connect to production to gauge the severity of the issue and whether or not getting in touch was an urgent matter, but luckily for them they had a set of firewall rules set up.
I did, however, gain access to staging, which I disconnected from immediately for obvious reasons.
McDonald's was lucky in this case, as the person who discovered the issue disclosed it responsibly to the company. McDonald's changed the password for the staging server soon after being informed.
Never trust a clown to secure your connection strings 🤡 pic.twitter.com/BWJ70TqNnw
— Troy Hunt (@troyhunt) September 6, 2021
It looks like this wasn’t an isolated issue, as other users also saw the credentials and shared their experience on TikTok.
McDonald's stated that only the staging server was exposed.
Due to an administrative error, a small number of customers received details for a staging website by email. No personal details were compromised or shared with other parties.
Those affected will be contacted to reassure them that this was a human error and that their information remains safe. We take data privacy very seriously and apologise for any undue concern this error has caused.