An error in the McDonald’s Monopoly VIP game in the U.K. resulted in the login names and passwords for the game’s database being sent to all winners.
McDonald’s U.K. relaunched its popular Monopoly VIP game on August 25 after skipping a year due to the COVID-19 pandemic. Customers can enter codes found on food purchases to have a chance of winning a prize. These prizes include £100,000 in cash, a villa in Ibiza or U.K. getaway holiday, Lay-Z Spa hot tubs, among others.
Unfortunately, the game hit a rough edge over the weekend after a bug caused the usernames and passwords for both the production and staging database servers to be included in the payout emails to the winners.
According to Troy Hunt, the email contained hostnames for Azure SQL databases as well as the login names and passwords of the databases
The winner who shared the email with Troy Hunt stated that the production server was closed off, but that they could access the staging server using the access data contained in the e-mail.
Since these databases may have contained winning codes, it could have allowed individuals to access unused game codes to claim prizes.
Fortunately for the fast-food chain, this person responsibly disclosed the problem at McDonald’s, and although they did not receive a response, they later discovered that the staging server password had been changed.
For more information, read the original story in BleepingComputer.