The data was held in a database managed by Arc Worldwide, part of the restaurant chain’s advertising firm Leo Burnett.
McDonald’s says that the hacked data did not include social security numbers, credit card accounts or sensitive financial information. No UK customers were affected.
A spokesman for McDonald’s says: “The incident has resulted in an investigation by law enforcement authorities. Arc and McDonald’s are cooperating with the appropriate authorities as we work to protect our valued customers.”
He adds: “We have attempted to notify all of our active subscribers, who voluntarily provided information in connection with the websites and promotions involved in this incident.
“We are also working with Arc and their database management firm to understand how the security was bypassed.
“We take the security of our customer information very seriously, and we will continue to cooperate with the investigation and with the appropriate authorities.”
Separately, McDonald’s chief executive Jim Skinner has launched an attack on the US “food police” that undermine parents.
In an interview with the Financial Times, Skinner responded to a recent decision by the San Francisco board of supervisors to limit free toy offers to foods that complied with calorie, sodium, sugar and limits by saying the decision “really takes personal choice away from families who are more than capable of making their own decisions.”