Personal information of nearly 2.2 million people may have been leaked by the McDonald's India app, according to a blog post by cybersecurity firm Fallible.
These personal details include "name, email address, phone number, home address, accurate home co-ordinates and social profile links."
The issue was noticed almost a month ago by Fallible, which contacted McDelivery about it on February 7. Although the firm received an acknowledgement from the senior IT manager on February 13, the blog post says that the issue has still not been fixed.
McDonald's has meanwhile responded, saying that it does not store users' sensitive financial data on its app. It has also told users to update the app on their smartphones.
The statement also said that the app doesn't store information like credit card details or e-wallet passwords.
"The website and app has always been safe to use, and we update security measure on regular basis. As a precautionary measure, we would also urge our users to update the McDelivery app on their devices," it added.
It appears, however, that the issue has still not been resolved. Fallible's blog post says that their "continued effort to get an update for the fix after the initial acknowledgement has failed."
There continues to exist an issue with the app whereby "an unprotected publicly accessible API endpoint for getting user details coupled with serially enumerable integers as customer IDs can be used to obtain access to all users’ personal information."
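The flaw quoted above pairs a missing access check with guessable record IDs. As an added example (not code from the McDelivery app or from the blog post; every name and record here is constructed), this Python contrasts a lookup that trusts the ID alone with one that authenticates the caller, checks record ownership, and uses random IDs instead of serial integers:

```python
import itertools
import secrets

_serial = itertools.count(1)
USERS = {}          # opaque random id -> profile
LEGACY_SERIAL = {}  # serial integer id -> opaque id (the enumerable pattern)
SESSIONS = {}       # session token -> opaque id of the logged-in customer


def register(name, email):
    """Create a customer; returns (serial_id, opaque_id, session_token)."""
    opaque_id = secrets.token_urlsafe(16)   # 128 bits, not guessable
    token = secrets.token_urlsafe(32)
    serial_id = next(_serial)
    USERS[opaque_id] = {"name": name, "email": email}
    LEGACY_SERIAL[serial_id] = opaque_id
    SESSIONS[token] = opaque_id
    return serial_id, opaque_id, token


def get_user_details_unprotected(serial_id):
    """Flawed pattern: no caller identity, the integer ID alone selects the record."""
    opaque_id = LEGACY_SERIAL.get(serial_id)
    if opaque_id is None:
        return 404, None
    return 200, USERS[opaque_id]


def get_user_details(session_token, opaque_id):
    """Hardened: authenticate first, then authorize against the record owner."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return 401, None                    # no valid session
    # Same answer for "not your record" and "no such record", so the
    # response cannot be used to learn which IDs exist.
    if owner != opaque_id or opaque_id not in USERS:
        return 403, None
    return 200, USERS[opaque_id]


if __name__ == "__main__":
    alice = register("Alice", "alice@example.test")
    bob = register("Bob", "bob@example.test")
    print(get_user_details_unprotected(bob[0]))   # any caller gets Bob's record
    print(get_user_details(alice[2], bob[1]))     # (403, None)
    print(get_user_details(alice[2], alice[1]))   # Alice's own record
```

The ownership check is the actual fix; random IDs only remove the ability to walk the ID space and do not replace authorization.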
Kunal Dua was able to independently verify the issue pointed out by Fallible for Gadgets360 on Sunday. He was able to access customers' personal data with the information provided by the cybersecurity firm.
The leak seemed to have been fixed later. But Fallible said that the fix was not complete and the "endpoint was still leaking data".
It is not clear, however, if all users of the app are equally vulnerable. Gadgets360 pointed out that McDonald's operations in India are bifurcated into McDonald's India (West and South) and McDonald's India (North and East). It's the former which owns and operates the McDelivery app and website in question.
Meanwhile, users in north and east India have another app and website, meaning that their data may not be affected by this security breach.
A few days ago, McDonald's suffered another security breach in which its Twitter account was compromised and a tweet dissing American President Donald Trump and touting Barack Obama was posted.