McDonalds Exposes Databases Credentials to Monopoly Game Winners

In another blatant example of misconfigured web services, McDonalds recently exposed the database name and login credentials for its Monopoly Game in the UK to all winners who received email notifications.

What Happened?

Due to Covid-19, McDonalds UK postponed its popular Monopoly game where restaurant visitors receive codes on food items to enter to win great prizes like vacation trips, an Ibiza villa, £100,000 in cash, hot tubs, and more.

However, they restarted the game again on August 25, 2021, and according to Bleeping Computer McDonalds inadvertently leaked the database name and credentials for both the production and staging server in an email to all prize winners this past weekend. An exception error caused the issue. Although the information was exposed through a bug, it could have been prevented by tweaking the server configuration.

Initially, a prize winner sent the un-redacted email to Troy Hunt of the HaveIBeenPwned website. The email showed an exception error with the name of the databases and the usernames and passwords to log in.

Bleeping Computer specified that,

“This information included hostnames for Azure SQL databases and the databases’ login names and passwords, as displayed in the redacted email below sent to a Monopoly VIP winner.”

Wide Open for Fraud

The winner, who had knowledge of the technologies tried to log in using the credentials but told Mr. Hunt that a firewall-protected the production server. However, they were able to log in and access the staging server without any issue.

The user said,

“I tried to connect to production to gauge the severity of the issue and whether or not getting in touch was an urgent matter, but luckily for them, they had a set of firewall rules set up.”

the winner continued,

“I did, however, gain access to staging, which I disconnected from immediately for obvious reasons.”

The immediate danger was not just exposing the login credentials but also that the information could have been used to cheat and claim additional prizes. Another issue is that the database could contain personal data for the game players and therefore expose them to identity theft or fraud.

How did McDonalds Respond?

Although the person who alerted the restaurant giant did not hear back, the password for the staging server was quickly changed. Unfortunately, some other winners shared the email on the TikTok platform.

Bleeping Computer commented that,

“While the error clearly stated that both a production and staging server’s credentials were leaked, McDonald’s told Bleeping Computer that it was only the staging server that was exposed.”

However, McDonalds did respond directly to Bleeping Computer with this comment.

“Due to an administrative error, a small number of customers received details for a staging website by email. No personal details were compromised or shared with other parties.”

“Those affected will be contacted to reassure them that this was a human error and that their information remains safe. We take data privacy very seriously and apologize for any undue concern this error has caused.”

Website Configuration Issues - The Cause for Many Data Breaches

Simple misconfigurations are often the cause of many data breaches. Web hosting servers contain all the necessary components to properly secure your website, including “hiding” and not exposing database names and credentials when something goes wrong. 

These days it is unthinkable that anyone doesn’t take the time to secure all web and cloud-based solutions against any exposure or unauthorized access. Hackers are already working overtime these days; we don’t need to make their jobs easier.

Companies the size of McDonalds have no excuse for not properly securing their online services, even for just a game with winner information. Perhaps this incident will be a helpful lesson for others.