Usernames, passwords for database sent in prize redemption emails.
McDonald’s UK Monopoly VIP game kicked off at the end of August, and a recent round of emails sent to winners of the game’s various prizes included more than a coupon for free fries. The franchise accidentally inserted passwords for a McDonald’s server that hosted information tied to the UK Monopoly VIP game.
In the wrong hands, these credentials could have been abused to rip off players or cheat the game on a massive scale, according to experts. The gaff was spotted by researcher Troy Hunt, along with some tech-savvy winners who realized what they had.
McDonald’s said it quickly changed the server passwords when it the error was brought to its attention.
Human error, warn cybersecurity experts, is nearly impossible to mitigate against, Mohit Tiwari, CEO of Symmetry Systems told Threatpost. He said the incident should serve as a public example to firms to identify and lock down large deposits of customer data and employ zero-trust solutions.
“Modern data-store security products bring zero-trust principles to data, ensuring that there is no one point of failure and that risk-based controls monitor every access to crown-jewel data,” Tiwari said.
McDonald’s Monopoly Server Credential Email Blast
McDonald’s Monopoly VIP promotion dates back to 1987 and is a long-standing tradition among customers who buy menu items, collect tickets with codes and enter those codes on the McDonald’s site to redeem cash and prizes.
This year’s McDonald’s Monopoly game in the U.K. runs through Oct. 19.
“Collect and complete property sets to win prizes! Once you’ve completed a set, visit the website address printed on the winning game piece and enter all the property codes to claim your prize,” the company’s Monopoly VIP game site said. Make sure to keep your game pieces safe!”
But on Sept. 6, Australia-based Hunt Tweeted out a screencap of an email sent to a winner with the database passwords included in plain text.
Hunt captioned the image, “Never trust a clown to secure your connection strings.”
On TikTok another McDonald’s Monopoly VIP winner with the handle, “cretorsphereco” posted a video titled, “I don’t want these, Please answer emails McD” where he explained the credential leak and asked someone to let the fast [f]ood conglomerate know.
“Currently I have the keys to the kingdom,” he said. “And I don’t want them.”
Eventually, McDonald’s got the message because Hunt tweeted on Sept. 6 the passwords had been changed.
“As to how you end up publishing *both*your connection strings into a mass email remains a mystery,” Hunt added.
McDonald’s hasn’t responded to Threatpost’s request for comment but acknowledged the leak in a Sept. 7 statement to Bleeping Computer.
“Due to an administrative error, a small number of customers received details for a staging website by email.” McDonald’s told Bleeping Computer. “No personal details were compromised or shared with other parties. Those affected will be contacted to reassure them that this was a human error and that their information remains safe. We take data privacy very seriously and apologize for any undue concern this error has caused.”
Human Error and Locking Down Data First
These types of human-related security incidents are a real threat to organizations of all sizes, according to Javvad Malik, security awareness advocate for KnowBe4 said.
“McDonalds stated that this leak was due to human error — which is a far more common occurrence than one may think,” Malik said. “It’s why it’s important that all organizations take steps to reduce the risk posed by human error. This includes having processes that involve checks so that no service goes live, or no changes are made without security assurance such as penetration testing.”
He adds all this helps generate an overall culture of security awareness.
Besides user training cybersecurity pros should first look to lock down large deposits of customer data, which are juicy targets for threat actors, Mohit Tiwari, CEO of Symmetry Systems told Threatpost.
“The knee-jerk response to such errors is to double down on application security — but perfectly securing hundreds of millions of lines of code is an impossible ask and doing surface level code scans (‘AppSec’) or asking for software bill of materials (SBOM) are extremely low-leverage activities,” Tiwari said. “In this case, protections around data can ensure that even if attackers know the database location/IP, username, and password, they are unable to use these — since data store access is confined to specific application-roles, IAM and cloud-network perimeters, etc.”
Data security tools can go deeper to monitor how applications access data, he added.