McDonald's Hacked and Customer Data Stolen

An anonymous reader writes "McDonald's servers were recently compromised and hackers were able to get access to customers' e-mail addresses, names, addresses, phone numbers, birth dates, genders, as well as certain information about their promotional preferences and Web information interests. The sites affected were: McDonalds.com, 365Black.com, McDonalds.ca, mcdonaldsmom.com, mcdlive.com, monopoly.com, playatmcd.com, and meencanta.com. The restaurant chain is warning customers to be cautious of anyone claiming to be from McDonald's contacting them by phone or e-mail, and asking for personal or financial information. McDonald's has also set up a FAQ page for affected customers with 13 questions and their corresponding answers." Update by KD : Weld Pond tweets: "Silverpop email marketer owned. Was email subcontractor for McDonalds and DevientART (13M users) and 105 other orgs."

And all the e-mails said...

[turbclnt]

I can has cheezburger?

Re:

[Jawnn]

I can has cheezburger?

You can has all cheezburgers.

Wait...

[Locke2005]

Why would any sane person possibly give McDonald's all their personal information in the first place?

Re:Wait...

[wowbagger]

"Why would any sane person possibly give McDonald's any of their personal information in the first place?"

Fixed that for you.

It's a damn burger, not a car - it's not like I have to finance the damn thing! I hand you money, you hand me something that, under bad light, might pass for food.

The closest they might get is if I charge the burger, and even then, all they get is a confirmation code from my credit card.

Re:Wait...

[DarkOx]

I'd gladly pay you Tuesday for a hamburger today.

Re:

[Dthief]

I wouldn't.......if it was from McD's

Re:Wait...

[MobileTatsu-NJG]

Your grasp of that joke was Wimpy.

Re:

[Cwix]

*golf clap*

Re:

[MysteriousPreacher]

In and Out is a very unfortunate name for any place serving food. You're right about Wendy's. Shame they pulled out of Europe.

Re:Wait...

[Jaysyn]

A bit pricey, but Five Guys has the best fast-food burger I've ever eaten.

Re:

[Aceticon]

FYI - it's a quote from Wimpy, a burger-addicted character from the Popeye the Sailorman [wikipedia.org] cartoon

(damn, I'm showing my years here)

Re:

[geekoid]

Contests.

Re:

[SeaFox]

It's a damn burger, not a car...

The information might have been linked to the Monopoly game since this round was done online. No paper game boards customers affixed pieces to. And in the past prizes in the Monopoly games have actually included cars.

Re:

[pspahn]

Yes, billions served, but they leave out how many people were actually affected. Sure, it makes sense to not disclose that number, but I'd bet it is embarrassingly small.

Re:Wait...

[Applekid]

1) Order
2) Pay
3) Receive 'food'
4) Consume 'food'
5) Regret eating 'food'
6) Spend more time on the throne than I would have liked to.

It's step #2 that's the issue. People can be coerced into providing all sorts of information if you promise to send them coupons. I personally think that saving 20 cents on a fast food burger is worth giving out your email, name, address, and phone number, but, hey, I'm currently employed.

Re:

[thePowerOfGrayskull]

It's step #2 that's the issue. People can be coerced into providing all sorts of information if you promise to send them coupons.

I think that word does not mean what you think it means.

Re:

[vegiVamp]

If you're unemployed, however, is there no cheaper way of feeding yourself than fastfood. Like, say, shopping carefully and cooking yourself ?

Re:

[drinkypoo]

If you cook yourself, at least you won't be hungry any more...

Re:

[mcgrew]

If you're unemployed, however, is there no cheaper way of feeding yourself than fast food?

"Fast food" is a typo. It's not fast; I can sit down in a real restaraunt like Top Cat's, order, and have meal in front of me faster than I can wait in line at McDonald's and get my "food".

It's fats food!

Re:Wait...

[jimbolauski]

Why would any sane person possibly give McDonald's all their personal information in the first place?

The same type of people who frequent McDonalds regularly, would think it's a good idea to get the McRib is coming updates. Also if you win a prize from their monopoly game you might have to give them your info?

Re:Wait...

[6031769]

Also if you win a prize from their monopoly game ...

I think they prefer the term "franchise".

Re:

[micksam7]

This is primarily information used by McDonald's giveaways, such as the Monopoly promotion [wikipedia.org] when entered online.

Only names, numbers, emails, and addresses were taken.

Re:

[Opportunist]

Try something:

Sit down in front of a McD and offer anyone who hands you their name, address, phone number and email a free hamburger.

Bet you go home with more than 100 addresses after, say, 3 hours.

Re:

[Dthief]

I bet 99 of those are "fake" [i.e. not where the person lives] addresses, and the 1 address that isn't fake has nothing to steal

Re:

[guyminuslife]

Not if you stood outside a McDonald's and bought them the hamburger personally. Most people would feel like they owed you, even if it was only a hamburger, and feel bad if they were dishonest about it. Like, all you wanted to do was buy them a hamburger, it's the least they can do!

Put it on a sign-up sheet, you know? Makes it look less seedy.

Of course I'm one to talk...I would lie. (And I have, in exactly that situation, except with better sandwiches.) Maybe not about my name. But everything else, yeah.

Re:

[vegiVamp]

I think you'd be very surprised. Also, I suspect it'd be worth a try to ask for their password, too, in exchange for two burgers maybe.

Too lazy to google, but I seem to recall something in the last months about a similar thing, where people were offered a bar of chocolate or something in exchange for their password.

Don't think they verified the accuracy of the passwords, though; but if you said that you can offer them a free burger in exchange for their mcdonals.com user and password - to verify that they'r

Re:

[ColdGrits]

Too lazy to google, but I seem to recall something in the last months about a similar thing, where people were offered a bar of chocolate or something in exchange for their password.

First, it was over 2 years ago.
Second it was apparently 20% of people gave their passwords in exchange for chocolate.
http://www.darknet.org.uk/2008/04/chocolate-owns-your-passwords/ [darknet.org.uk]

However, the key thing is - the survey had absolutely zero way of confirming whether the passwords were genuine or not.

You know what? Some random in the street offers me a bar of chocolate in exchange for my password, I'll gladly trade; I end up with a free bar of chocolate, they end up with a garbage string of characters wh

Re:

[vegiVamp]

> it was apparently 20%

I don't know about you, but I find that worrisome.

> However, the key thing is [...]

Yes, that's what I hinted at; however, while there are certainly those, I'm afraid I have quite a bit less faith in the security-related intelligence of Joe Average User. I can't tell you how many times I found passwords on post-its, in support tickets without even asking, et cetera.

No, of those 20%, I honestly wouldn't be surprised if there's three-quarters genuine, especially with the "to verfiy

Re:

[ColdGrits]

> it was apparently 20%

I don't know about you, but I find that worrisome.

Not worriesome, because there is zero data to confirm whether those passwords were anything like valid or not, thus no conclusions can be drawn whatsoever other than 20% of people figured out how to get a free bar of chocolate.
Nothing more, nothing less.

Re:Slaughter

[TaoPhoenix]

(Rhetoric)
I am not a stupid cow waiting for slaughter! I am unique! I celebrate my identity that lets me stand out from the crowds! I am an Archeopteryx! However, unique still doesn't beget intelligence, so they'll still get me, just with different tricks.
(/Rhetoric)

Re:

[PRMan]

Say, "You could win a car" at a mall and you'll get thousands per hour.

Re:

[Opportunist]

That's illegal here if there's not really a car to win, so... I'd rather not.

Re:

[Opportunist]

If those include valid mail addresses that are actually read, I'll even call the ambulance for you when you attempt to eat those greaseballs!

Re:

[crashandburn66]

McDonald's takes job applications online via their web site. Last time I checked, job applications ask for your personal information.

Re:

[gustgr]

It also takes on-line take-out orders in several places of the world, which also requires personal information -- at least a name and an address, but I suppose they ask for more info than that on the order form.

Re:

[magarity]

It also takes on-line take-out orders in several places of the world, which also requires personal information -- at least a name and an address, but I suppose they ask for more info than that on the order form.

There are places where McDonald's provides *delivery* which definitely requires a name and an address.

Re:

[vegiVamp]

Why would online take-out require an address ? Name, ok, easy identification of the order - assume people won't remember your uid - but if you pre-pay the order, they have no need whatsoever for your address or any other details.

Re:

[istartedi]

I suspect it was some promo, like those receipts that say "answer our survey and get a chance for a free burger". I've always said you'd win a lifetime supply of spam. This just proves it.

Because we know too little to not ask about more.

[jbn-o]

Because many people are poor and lack the opportunities to get a better job than one can get working for McDonald's. Consider that we don't know the full extent of what McDonald's kept in the compromised systems. We only know from the article that McDonald's was willing to admit the data included "customers' e-mail addresses, names, addresses, phone numbers, birth dates, genders, as well as certain information about their promotional preferences and Web information interests". We don't know how the McDon

Re:

[PopeRatzo]

Why would any sane person possibly give McDonald's all their personal information in the first place?

Why would any sane person possibly eat in McDonald's in the first place?

And of course, even if you were so moved to have a McRib value meal, you are correct: Why would you even consider giving them your email address, name, etc?

Contests

[brunes69]

You had to enter this info to play the Monopoly online contest.

Which is actually reasonable since they need some way to contact you and verify your identity in the case of you winning a major prize.

Re:

[Conspire]

Why would any sane person possibly give McDonald's all their personal information in the first place?

I'm going to take the question up to the next level and ask "Why would any sane person eat at McDonalds"

Re:

[petermgreen]

While I don't go to mcdonalds much anymore due to trying to lose weight I found that they offered food that I liked and equally importantly they did so consistently. If i'm away from home and hungry I can go into a mcdonalds buy a box of mcnuggets and a milkshake (I don't like chips) and be pretty sure it would be as nice as the ones bought in the mcdonalds locally. It's not fancy but the batter doesn't have any weird tastes and the chicken inside is fine too.

I'm sure the same applies to other chain outlets

Re:

[Conspire]

Suggest you watch Super Size Me http://www.imdb.com/title/tt0390521/ [imdb.com] People pick on McDonalds because they are perhaps the number one brand in the industry globally, they use marketing tactics to entice children to the brand and the junk food they serve, and they have been a leader in the "race to the bottom" in the fast food industry. I think there are probably other reasons but those are a few!

Re:

[Krneki]

Why would any sane person possibly use McDonald's in the first place?

Fixed that for you.

Re:

[MightyMartian]

why would ANYone give ANYone ANY personal information online? ANYwhere at ANYtime. i'm confused.

Yes you are.

Re:

[ArcherB]

why would ANYone give ANYone
ANY personal information online?
ANYwhere at ANYtime.
i'm confused.

says the NON-anonymous coward.

Suspect identified

[fridaynightsmoke]

Police say they're looking for a short chubby-faced man with ginger hair, wearing a black-and-white striped outfit, a black eye mask, red gloves, a black cape with yellow lining and a red tie with hamburger detail. The man is linked to previous thefts of foodstuffs (primarily hamburgers) from McDonalds.

Re:

[countSudoku()]

Is that you, Hamburgler? Trying to frame Ronald again? For shame. No burgers for you, sir!

If this had been a loss of important data, heads would roll. In this case, the status of my McDonald's Monopoly Game tokens may have leaked to the public eye and Mark Zukerburg strikes again. Why do we even need passwords anymore? All data is now public... 8^)

Re:

[pixelpusher220]

You sir win a prize!

but first we need your name, number, address....

The BIG question ...

[neonprimetime]

... why would you give your personal information to McDonalds?

Re:Suspect identified

[bughunter]

Overheard at the scene:

"Robble, robble!"

My McRib Addiction

[BigSes]

Known to the world...oh the shame! /kill self

Hamburgler strikes again!

[AbRASiON]

Robble Robble Robble!

!admin

[Anonymous Coward]

They were probably using HP MSA2000 Arrays..

Re:

[crow_t_robot]

...protected by OpenBSD-based firewalls.

I can has

[santax]

Big Database?

Re:

[Opportunist]

Want some fries with that?

Or in this case rather, want some spam with it?

This reminds me....

[f3rret]

A while back while WiFi was still new and shiny; and before people had figured the whole "put a password on it"-thing, a friend and I were out wardriving, we came across an open network that turned out to belong to a local Micky D's. Connected to the network and saw a single computer running on it, a little poking at it revealed it to be running some flavor of windows XP and some more poking revealed it to have a blank admin password.
So when we connected to the standard "C" (or whatever the standard network share is called, I forget) network share and found a huge excel document in the root of said drive, downloaded it and found it to contain all the information - addresses, phone numbers, SSNs and e-mail addresses - of the employees of said Micky D's.

Cool story, huh?

Re:

[MightyMartian]

It would be cool if you ended the story with "And then my friend and I were struck by out an out of control semi doing about 90mph, and now I'm typing from my wheelchair using a straw to the rhythm of my ventilator."

Re:

[X0563511]

Bullshit. You can't (and never could) access those hidden shares with a blank password.

Re:

[koro666]

I believe you could before XP Service Pack 2 (which kinda reinforced security).

Re:

[TheThiefMaster]

The standard share was called C$, was only accessible with a password and was hidden. If it showed in browse network, it wasn't the standard share.

Re:

[sjames]

Everything's legal as long as you don't get caught!

It's the modern corporate mantra!

McDonalds doesn't cater to Vegetarians

[ackthpt]

Now if they hack Burger King or the Pho King then I'm hosed.

Big Deal?

[SilverHatHacker]

Sure, in principle its a bad thing, but I'd be willing to bet that 95% of those people had that exact same information on their Facebook, effectively available to the world anyway.

Re:Big Deal?

[Smallpond]

Yea, what I was thinking exactly. This could be one of the most useless & non-damaging data breaches I've ever heard of. Some phone numbers, addresses and names.. What's exactly is a hacker going to do with this information?

Sell it to Jenny Craig?

The Draft

[drumcat]

Remember, 40 years ago it was a scandal that the free happy meal postcard you filled out was how you were tracked for the draft. My dad taught me this lesson early on, and it's nothing but magnified. BTW, Thank You EFF for winning today!

Re:The Draft

[geekoid]

The Happy meal is only 30 years old. 1979. The draft ended in 1973.

So either you are trying to be funny, or your dad is an idiot.

Draft registration did not end in 1973 ...

[perpenso]

The draft may have ended in 1973 but draft registration did not. Registration may still be the law, I think I noticed the registration cards in the post office recently.

That said, the GP's story is silly. The gov't already has your SSN, school records, etc.

Re:

[jmac_the_man]

It is the law still. And apparently, if you're not registered, you might want to post as AC. [about.com]

Re:

[CodeBuster]

The draft ended in 1973.

Although technically it didn't really end, they just haven't activated it since 1973. In fact, every male reaching 18 years of age in the United States is still required to register for the Selective Service System [wikipedia.org] under penalty of fines, imprisonment and, if the failure to register continues past age 26, being unable to apply for a federal job or receive benefits. Of course, the government stopped enforcing this law by the mid 1980s because is basically requires a public admission of one's own guilt to act

Re:

[An anonymous Frank]

What if his dad was trying to be funny?

Re:

[sjames]

The actual draft ended, but registration with the Selective Service is still mandatory.

Selective service is what we now call the Draft Board now that the draft is unpopular.

Re:

[geekoid]

so not 40; which was my point. Yeah, so I threw down a quick number.

It would be like me bitching about your punctuation and grammar. Besides the point.

So in short, fuck you.

Re:

[BluBrick]

Did I just catch you arguing with someone who knows the inauguration year of the Happy Meal?

Re:

[gmhowell]

Happy meals 40 years ago?

You got trolled by your dad. Awesome.

Re:

[Anonymous Coward]

This [snopes.com] is the story you're all looking for.

Re:

[BBTaeKwonDo]

1984, not 40 years ago, and it was Farrell's, not McDonalds http://www.snopes.com/military/icecream.asp [snopes.com]

Explaining proverbs 101

[Opportunist]

Today: "Adding insult to injury".

Correction to that tweet...

[Arrogant-Bastard]

...it should read "Silverpop spammers". They have a LONG history which is well known to everyone working in the field, and be readily accessed by anyone who can use a search engine (or check the Internet Archive).

Note carefully: This doesn't mean that every message they've sent is spam -- most competent spammers these days mix spam and non-spam because it's a highly effective tactic. This also doesn't mean that every customer of theirs hired them to spam -- again, most competent spammers have a mix of cu

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[dakameleon]

sandwitch

Now there's a witch that really will melt with water!

Marketing company, Not McDonalds

[Meest]

This should read. "Marketing Company McDonalds contracted was hacked" I don't see anywhere that it says an actual McDonalds server/store system got hacked...

mcdonaldsmom.com?

[lavagolemking]

That a mcdonaldsmom.com exists worries me greatly.

one bit of good news

[sootman]

I was mildly disgusted to see that the domain http://mcdonaldsmom.com/ [mcdonaldsmom.com] actually exists. Happily, it redirects to http://www1.mcdonalds.com/momstrust/ [mcdonalds.com] which gives a 404. As it should be.

Who in their half sane mind

[SpaghettiPattern]

Who in their half sane mind would even need to hand over personal information?

I mean, you pay for a hamburger with cash and last time I checked there wasn't a web store for you to need to punch in your and your family's intimate details.

prime suspect: Weight Watchers

[kubitus]

go and have them searched! I would not be surprised if they have all the data!

Re:

[0100010001010011]

People that think they'll get coupons, 5% off, free shit.
The same reason people give away their info to business.

Re:

[orphiuchus]

Hey, that 5% really adds up over a month. *struggles to roll onto his side, runs out of breath, gives up*

Re:

[Quirkz]

Anybody who wants a second chance at the Monopoly game. Most people will give away more than that for a shot at a million bucks.

Re:

[imsabbel]

I like McDonalds.
I have to admit this are european McDonalds (the ones in the US I have been at looked more like a miniature Ghetto), but once a month or so it does not hurt.

On the other hand, I am 1.85m and 90Kg, so it seems you not liking McDonalds doesnt work out for you, fatty.

Re:

[Stregano]

On the other hand, I am 1.85m and 90Kg, so it seems you not liking McDonalds doesnt work out for you, fatty.

You can't say that word! Only we can say that word!

Re:

[geekoid]

Why do you assume they are fat? why do you assume they are stupid? just becasue you can't control your calories, doesn't mean nobody can.

Re:

[Stregano]

I guess it is -1 time:
1st off, how many people do you know that go to McDonald's on a regular basis? How many of those people go so much to where they are willing to give McDonald's their information for coupons? Go ahead, tell me if those ones are overweight.

Just a single Hamburger (not cheeseburger, but hamburger) is 250 calories. Can you tell me a single person that will count calories at McDonald's? Ok, there may be a couple that do that.

Next, as for me controlling my own calories, I am doing

Re:

[Hatta]

There food is horrible

Did you misspell "their" or just drop a comma? Either way it makes sense!

it tastes like a charred hamster

Where do you get charred hamster? I can't even get cuy [slashfood.com] around here.

Re:

[macshit]

it tastes like a charred hamster

Where do you get charred hamster?

By incorrectly calculating the cooking time, when making roast hamster.

Re:

[Fnord666]

but it tastes like a charred hamster ...

and you know this how? On second thought, never mind. I don't want to know.

Re:

[Cimexus]

McDonalds in Europe, Australia, Japan etc. are a lot nicer than the US ones. They sell wraps and decent salads and reasonably good cafe-type food. The actual restaurants themselves are generally much cleaner and have nicer decor than the American ones. So I don't mind the odd visit there. Even if I buy a big fatty burger, a couple of times a year isn't exactly going to hurt.

Re:

[account_deleted]

Comment removed based on user account deletion