McDonald's email blunder broadcasts database creds to comedy competition winners
2021-09-09 12:58

McDonald's customers who won a prize draw competition got more than they hoped for after the burger chain emailed them login credentials for development and production databases used to power the campaign.

The first person to report the blunder to McDonald's, startup founder Connor Greig, told The Register: "It's a bit weird," adding that code strings containing the credentials looked as if they had "been formatted into the email by accident."

Maccy D's would then email them saying whether they'd won something or not.

Talking it through with El Reg on a video call, the one-time Hewlett-Packard engineer said he recognised the code above the email body text as a Windows Azure database connection string.

A human eventually replied to his emails - by accidentally copying Greig into an email that described his attempts to report the breach, made under the email subject line "Responsible security disclosure", as "suspicious", and that also copied in an EU-based MSP. After some to-ing and fro-ing, Greig was able to speak to an infosec person who understood what was going on and was able to get the problem fixed.

McDonald's insisted in a statement that the credentials it emailed to an unknown number of customers were only for a "staging" database.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/09/09/mcdonalds_database_credentials_blunder/