McDonald’s Email Error Spreads Database Credentials to Comedy Contest Winners • The Register

McDonald’s customers who won a prize draw got more than they bargained for after the hamburger chain emailed them the login credentials for the development and production databases used to power the promotion.
The first person to report the error to McDonald’s, startup founder Connor Greig, told The Register: “It’s a little weird,” adding that the strings of code containing the credentials appeared to have “been formatted in the email by accident”.
Like many Brits across the country, Greig, founder of the Creatorsphere web platform toolkit, enjoys munching on McDonald’s meat products. One of the chain’s most recent promotions was a Monopoly-themed giveaway; diners collected tokens with their burgers and entered the promotional codes printed on them on the McDonald’s website. Maccy D’s would then email them to let them know whether they had won anything.
Lucky winners could claim a range of goods and services, including a free six-month subscription to NextUp Comedy, a comedy video streaming site. So Greig was rather surprised to find a familiar-looking string of code included in an email from McDonald’s telling him about his free membership.

Credentials and other unique strings have been removed by El Reg
Talking it over with El Reg on a video call, the former Hewlett-Packard engineer said he recognized the code above the body of the email as a Windows Azure database connection string.
“This category tells me what the name of the database is,” he explained, highlighting the first line, “and that’s where the problem lies, it should be false. When you mark that as true, it actually produces the credentials. And here this user ID and password are the same user ID and password for production.”
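The string Greig describes is an ADO.NET-style `Key=Value;` list of the kind Azure hands out for SQL databases. The Python below is an added example, not code from the article, from Greig or from McDonald’s: it parses such a string, reports what a recipient of a leaked copy learns from it (including the Persist Security Info flag Greig highlighted, which keeps the password readable from an open connection’s ConnectionString property), and emits a redacted form for reporting and a hardened form for deployment. The server name, catalog, login and password in SAMPLE are constructed placeholders, not values from the email; the keyword aliases are those accepted by SqlClient, and the hardened form assumes the password will be supplied from a secret store (or replaced by a managed identity) at runtime.

```python
"""Added example: inspect an ADO.NET / Azure SQL connection string, report
what a leaked copy gives away, and produce redacted and hardened versions."""
import re

# Constructed sample; every value is a placeholder, not the leaked string.
SAMPLE = (
    "Server=tcp:example-promo.database.windows.net,1433;"
    "Initial Catalog=ukproduction;"
    "Persist Security Info=True;"
    "User ID=ukproduction;"
    "Password=Example-Password-123;"
    "MultipleActiveResultSets=False;"
    "Encrypt=True;"
    "Connection Timeout=30;"
)

# Keyword aliases SqlClient accepts, normalised to one canonical name.
ALIASES = {
    "pwd": "password",
    "uid": "user id",
    "user": "user id",
    "database": "initial catalog",
    "data source": "server",
    "address": "server",
    "addr": "server",
    "network address": "server",
    "persistsecurityinfo": "persist security info",
}


def _canonical(key: str) -> str:
    key = key.strip().lower()
    return ALIASES.get(key, key)


def parse_connection_string(cs: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict keyed by canonical keyword.
    Assumes unquoted values with no embedded ';', which is what the Azure
    portal emits; quoted/braced values are out of scope for this example."""
    pairs = {}
    for part in cs.split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed fragment: {part!r}")
        pairs[_canonical(key)] = value.strip()
    return pairs


def assess(cs: str) -> list:
    """Return findings describing what a recipient of the string learns."""
    p = parse_connection_string(cs)
    findings = []
    if p.get("server"):
        findings.append(f"server endpoint disclosed: {p['server']}")
    if p.get("initial catalog"):
        findings.append(f"database name disclosed: {p['initial catalog']}")
    if p.get("user id"):
        findings.append(f"login name disclosed: {p['user id']}")
    if p.get("password"):
        findings.append("plaintext password present: the string alone grants access")
    if p.get("persist security info", "false").lower() == "true":
        findings.append(
            "Persist Security Info=True: the password stays readable from the "
            "open connection's ConnectionString, so logging or templating that "
            "property re-leaks it"
        )
    # A missing Encrypt is treated as off (the legacy System.Data.SqlClient default).
    if p.get("encrypt", "false").lower() not in ("true", "yes", "mandatory", "strict"):
        findings.append("Encrypt not enabled: credentials would travel in clear on the wire")
    return findings


def redact(cs: str) -> str:
    """Mask the password so the string can be pasted into a report or ticket."""
    return re.sub(r"(?i)(\b(?:password|pwd)\s*=\s*)[^;]*", r"\1***", cs)


def harden(cs: str) -> str:
    """Drop the embedded password and force Persist Security Info=False.
    The password is then supplied at runtime (secret store), or the login is
    replaced by Authentication=Active Directory Managed Identity on Azure."""
    kept = []
    for part in cs.split(";"):
        if not part.strip():
            continue
        key = _canonical(part.partition("=")[0])
        if key in ("password", "persist security info"):
            continue
        kept.append(part.strip())
    kept.append("Persist Security Info=False")
    return ";".join(kept) + ";"


if __name__ == "__main__":
    for finding in assess(SAMPLE):
        print("-", finding)
    print("redacted:", redact(SAMPLE))
    print("hardened:", harden(SAMPLE))
```

Run against the constructed SAMPLE it reports five findings (endpoint, database, login, plaintext password, Persist Security Info); after `harden()` only the three disclosures of names remain, which is the point: a connection string that names a server and a login but carries no secret is configuration, one that carries the password is a credential.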
Alarmed by the implications, Greig tried to contact McDonald’s. He ran into immediate problems: the British tentacle of the American mega-corporation does not have a security.txt file on its website. Similar to the instructions robots.txt gives search engine bots, security.txt contains contact details so that those who find security flaws can reach a company’s infosec team directly.
Then he tried to phone McDonald’s head office, only, he said, to get a recorded message telling him that everyone was working from home. Then he emailed just under a dozen McDonald’s UK addresses he could find. Nobody answered.
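For readers who have not met the file: security.txt is specified in RFC 9116 and is served at `/.well-known/security.txt`; Contact and Expires are the two mandatory fields. The fragment below is an added illustration with example.com placeholders, not McDonald’s file (which, as the article notes, does not exist).

```text
# /.well-known/security.txt (RFC 9116). Example only; example.com values are placeholders.
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-12-31T23:59:59.000Z
Preferred-Languages: en
Policy: https://example.com/security/disclosure-policy
Canonical: https://example.com/.well-known/security.txt
```

Expires should be less than a year out so a stale contact address is noticed, and the file can be signed with OpenPGP so a reporter can tell the published address has not been tampered with.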
Frustrated, he posted a video on TikTok begging McDonald’s to respond.
A human eventually responded to his emails – accidentally copying Greig into a message, under the subject line “responsible security disclosure”, that described his attempts to report the breach as “suspicious”, and copying in an EU-based MSP. After some back and forth, Greig was able to speak to an infosec person who understood what was going on and was able to resolve the issue.
Troy Hunt of the Have I Been Pwned breach-notification website also flagged the error on Twitter after the emails went out earlier this week, and pointed it out directly to El Reg.
McDonald’s insisted in a statement that the credentials it emailed to an unknown number of customers were only for a “staging” database. The burger chain did not respond when we asked what the “ukproduction” username and password were for. It also claimed that no customer data was exposed, which seems a bold claim to make when the database is clearly linked to an email marketing campaign.
“Data subjects will be contacted to reassure them that this is a human error and that their information remains secure. We take data privacy very seriously and apologize for any undue concerns that this error has caused,” concluded the fast food chain.
Greig noted that when viewed in the web app version of Microsoft Outlook, the email did not display the code string. He assumed that Outlook Web Access was parsing the code as part of the message headers, although Gmail (as pictured above) and other email clients rendered it in the body of the message.
It appears that someone at McDonald’s made a copy-and-paste error while setting up the automated responses for the marketing campaign; versions of the email sent to different people and seen by The Register show identical text but unique strings in the snippet.
Whatever the root cause, it seems unlikely their bosses will like it. ®