Hacking cases compromise consumer data

Walgreen, McDonald's and Twitter reported unrelated security breaches Monday.

Walgreen said hackers who gained access to a list of customer email addresses may have sent spam directing customers to enter personal data into outside websites.

McDonald's said private information that customers supplied when signing up for online promotions or subscriptions was exposed when a subcontractor improperly handled the data.

And Twitter said hackers broke into an unspecified number of its users' accounts and sent spam promoting acai berry drinks.

Twitter said the hackers used passwords harvested in an earlier breach at Gawker Media, which runs Gawker, Gizmodo and other technology and media sites. Gawker warned subscribers Sunday that its database had been hacked and urged them to change their passwords. Twitter reset passwords it suspects were compromised.

Twitter said only a small share of its 175 million users were affected, though it didn't know how many.

The breach highlighted the danger in using a single password for multiple online accounts.

Attacks via networking sites like Twitter and Facebook are popular because they can make spam look as though it was sent by friends, but the effect is similar when spam or data-seeking email seems to come from a trusted merchant.

Walgreen would not say how many customers were affected but told customers that no personal information beyond email addresses was exposed.

"Your prescription information, account and any other personally identifiable information were not at risk because such data is not contained in the email system, and no access was gained to Walgreen's consumer data systems," Walgreen told customers.

Both McDonald's and Walgreen reminded customers they do not seek personal or financial information by email and cautioned against ever responding to such requests.

McDonald's said Monday that some customers' email and other contact information, birthdates and other specifics were exposed but would not say how many people were affected, where, when or for how long. It said its database that was compromised did not include any financial information or SocialInsurance numbers.

McDonald's, which is based in Oak Brook, Illinois, said it is working with law enforcement.

The fast-food chain said its business partner Arc Worldwide hired an email database management firm whose computer systems were improperly accessed. McDonald's said it is working with both firms to understand how security was bypassed.

Arc did not immediately respond to a call for comment.

The company asks anyone who is contacted by someone claiming to be from McDonald's and seeking personal or financial information to contact the company immediately so it can alert authorities.