
McDonald's UK Monopoly promotion accidentally sends customers their production and staging database credentials in email

connorgre1g

I'm the original source, and thought it would be interesting to see what you all have to say. Since there has been ample time to fix this disclosure, I'm happy to discuss.

 

Summary

Over the weekend, a few customers, like myself, received emails when claiming a win for Monopoly from McDonald's with the login credentials for their databases. Image attached.

 

Quote

Talking it through with El Reg on a video call, the one-time Hewlett-Packard engineer said he recognised the code above the email body text as a Windows Azure database connection string.

 

"This category is telling me what the database name is," he explained as he highlighted the first line, "and this 'persists security info true' is where the issue is, this should be false. Where you mark that as true, it actually outputs the credentials. And right here, this user ID and password is the same user ID and password for production."

 

Alarmed by the implications, Greig tried to get in contact with McDonald's. He ran into immediate problems: the US megacorp's UK tentacle doesn't have a security.txt file on its website. Similar to robots.txt's instructions for search engine crawlers, security.txt contains contact details so people finding security vulnerabilities can directly contact a company's infosec department.

 

My thoughts

Well, this isn't ideal, is it? Does anyone know how this has happened on such a bad scale? Does your organisation have a decent reporting method?

 

Sources

https://www.theregister.com/2021/09/09/mcdonalds_database_credentials_blunder/

https://www.tiktok.com/@creatorsphereco/video/7004526492055014661?is_copy_url=1&is_from_webapp=v1

https://twitter.com/troyhunt/status/1435015619045257222

Screenshot_7.png
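The quoted explanation hinges on one setting: with Persist Security Info=True the provider keeps the user ID and password readable in the connection string after the connection opens, so any code that later templates that string into a message ships the credentials with it. The following is an added example, not code from the post or from the article it quotes: a small scanner a defender could run over outbound mail bodies to flag connection strings that carry a password, report whether Persist Security Info is set, and redact the secret. The sample e-mail, host name and credentials are constructed.

```python
import re

# Keys ADO.NET treats as security-sensitive. With the default Persist Security
# Info=False the provider strips them from the connection string after open;
# with True (the setting in the article) they stay readable and end up in
# whatever the string is later templated into, here an e-mail.
SENSITIVE_KEYS = {"password", "pwd"}

def parse_connection_string(cs):
    """Map lower-cased keys to values, unwrapping quotes and braces.
    Simplification: a ';' inside a quoted value is not handled."""
    pairs = {}
    for seg in cs.split(";"):
        key, sep, value = seg.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] + value[-1] in ('""', "''", "{}"):
            value = value[1:-1]
        if sep:
            pairs[key.strip().lower()] = value
    return pairs

def persists_secrets(cs):
    """True when the string asks the provider to keep credentials after open."""
    p = parse_connection_string(cs)
    flag = p.get("persist security info", p.get("persistsecurityinfo", ""))
    return flag.lower() in ("true", "yes")

def redact(cs):
    """Mask Password/PWD values so the string is safe to log or mail."""
    return re.sub(r"(?i)\b(password|pwd)\s*=[^;]*", r"\1=***", cs)

CS_HINT = re.compile(r"(?im)^.*\b(?:server|data source)\s*=.*$")

def find_leaks(text):
    """Scan an outbound message body; return (redacted, persist_flag) per hit."""
    hits = []
    for line in CS_HINT.findall(text):
        if SENSITIVE_KEYS & parse_connection_string(line).keys():
            hits.append((redact(line.strip()), persists_secrets(line)))
    return hits

# Constructed sample modelled on the incident (fake host and credentials).
SAMPLE_EMAIL = (
    "Server=tcp:example-promo.database.windows.net,1433;Initial Catalog=promo_staging;"
    "Persist Security Info=True;User ID=promo_app;Password=NotARealPassword1;Encrypt=True;\n"
    "Congratulations! You have won a prize in our Monopoly promotion.\n"
)
```

Running `find_leaks(SAMPLE_EMAIL)` returns one hit with the password masked and the persist flag set; the same check belongs in the mail pipeline's tests, and the connection string itself belongs in configuration with Persist Security Info left at its default of False.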


9 minutes ago, valdyrgramr said:

I'm not seeing anything with proof this was their production DB keys he couldn't even gain access past the FW so the title is extremely misleading. The only thing actually compromised was a poorly secured staging DB.


11 minutes ago, SlidewaysZ said:

I'm not seeing anything with proof this was their production DB keys he couldn't even gain access past the FW so the title is extremely misleading. The only thing actually compromised was a poorly secured staging DB.

 

I mean, they acknowledged that the credentials were live. Just because they are live doesn't necessarily mean they can be used, because of the FW. The title remains a true and accurate reflection of the events: "accidentally send customers their production and staging database credentials in email".


6 hours ago, emosun said:

"Non tech company screws up something tech related"

Could be a copy paste headline these days.

Just because their primary product isn't tech related, doesn't mean that McDonalds doesn't contract out their tech to someone who should know better, or employ hundreds of people to manage their technology, networks and infrastructure, who should also know better. 

 

If this was a mum and dad job with 15 employees it might be excusable, but it's not.


50 minutes ago, Belgarathian said:

Just because their primary product isn't tech related, doesn't mean that McDonalds doesn't contract out their tech to someone who should know better

Yep, they certainly have the money for it.


4 hours ago, Belgarathian said:

Just because their primary product isn't tech related, doesn't mean that McDonalds doesn't contract out their tech to someone who should know better, or employ hundreds of people to manage their technology, networks and infrastructure, who should also know better. 

 

If this was a mum and dad job with 15 employees it might be excusable, but it's not.

I'd argue the latter, but honestly if in your mind Taco Bell and Arby's are the pinnacle of cyber security then idk why I'd spend time typing it.


53 minutes ago, emosun said:

I'd argue the latter, but honestly if in your mind Taco Bell and Arby's are the pinnacle of cyber security then idk why I'd spend time typing it.

No, you're right. McDonalds, who spent more than USD $1b on technology in FY2020 and believes that digital innovation is a key driver to their growth, hasn't considered cyber security and industry best-practices. 

 

/sarcasm


2 hours ago, Belgarathian said:

No, you're right. McDonalds, who spent more than USD $1b on technology in FY2020 and believes that digital innovation is a key driver to their growth, hasn't considered cyber security and industry best-practices. 

 

/sarcasm

And everyone knows money spent = technical know-how.

You gotta make that ice cream machine repair scam cut go somewhere. Might as well dump it into software that makes the thing break 15 times a year.


They outsource parts of their IT to an SME MSP out of Croatia and other CEE locations. 
 

This was a failure on both the MSP and the internal dev teams.


Speaking as a dev that works with SQL Server connection strings constantly, I have to ask the question:

 

HOW DOES A CONNECTION STRING END UP IN A FUCKING EMAIL

HOW DO YOU DO THAT

HOW ABSOLUTELY INCOMPETENT CAN YOU EFFING BE


12 minutes ago, HarryNyquist said:

Speaking as a dev that works with SQL Server connection strings constantly, I have to ask the question:

 

HOW DOES A CONNECTION STRING END UP IN A FUCKING EMAIL

HOW DO YOU DO THAT

HOW ABSOLUTELY INCOMPETENT CAN YOU EFFING BE

it was a mcducking terrorist attack, oh never mind just pressed the wrong button.


On 9/11/2021 at 6:58 AM, avg123 said:

So any chance of getting free burgers for life using these credentials??

 

No comment.

 

On 9/11/2021 at 2:58 PM, HarryNyquist said:

Speaking as a dev that works with SQL Server connection strings constantly, I have to ask the question:

 

HOW DOES A CONNECTION STRING END UP IN A FUCKING EMAIL

HOW DO YOU DO THAT

HOW ABSOLUTELY INCOMPETENT CAN YOU EFFING BE

 

To quote you, it would be perhaps someone who is "INCOMPETENT". 

 

On 9/11/2021 at 3:12 PM, Quackers101 said:

it was a mcducking terrorist attack, oh never mind just pressed the wrong button.

 

:shrug:
