During October 2016, Papa Johns held a competition to promote their Papa Rewards system, whereby users could enter an e-mail and potentially win Papa Reward points, or receive a £10 discount.
Besides the £10 discount, the actual rewards were:
- 8 points for a free small side
- 12 points for a free large side
- 25 points for a free large pizza
…with no prior orders on an account needed, no need for other items on your order and free delivery. Rewarded at… random?
Sounds like free dinner for a month! :)
Initially you could enter a random e-mail without any sort of confirmation and eventually players would win. This was soon rectified, after about a week, by requiring users to confirm their e-mail once an IP address had submitted excessive entries. Using the same Gmail e-mail with a filter added, by appending a suffix to the username, e.g. firstname.lastname@example.org turned into limpygnome+whatever.com, was also banned, along with many temporary e-mail providers.
But not all temporary e-mail providers. And the process, including the e-mail confirmation page, did not present any form of human verification, such as a captcha, or limit the volume of requests/entries.
And as a result, a bot could mine large pizzas instead:
Source code: https://github.com/limpygnome/papa-rewards-bot
Nom nom nom…
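
The gaps described above (suffix aliases of one mailbox, temporary e-mail domains, no per-IP limit or human check) can be closed on the server side. This is an added sketch, not code from the linked repository or from Papa Johns; `canonical_email`, `EntryGate`, the limits and the domain list are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

# Constructed sample blocklist (assumption); production would load a maintained list.
DISPOSABLE_DOMAINS = {"mailinator.com", "tempmail.example"}
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

def canonical_email(address):
    """Collapse aliases of one mailbox to a single key used for de-duplication."""
    local, sep, domain = address.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]        # drop "+suffix" sub-addressing (policy choice)
    if not sep or not local or not domain:
        raise ValueError("not an e-mail address")
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")    # Gmail ignores dots in the local part
        domain = "gmail.com"
    return f"{local}@{domain}"

class EntryGate:
    """Decides whether a competition entry is accepted, challenged or rejected."""

    def __init__(self, max_per_ip=3, window_seconds=3600):
        self.max_per_ip = max_per_ip
        self.window = window_seconds
        self.seen = set()                  # canonical mailboxes already entered
        self.ip_hits = defaultdict(deque)  # ip -> timestamps of recent attempts

    def check(self, email, ip, now=None):
        now = time.time() if now is None else now
        try:
            key = canonical_email(email)
        except ValueError:
            return "reject: malformed address"
        hits = self.ip_hits[ip]
        while hits and now - hits[0] >= self.window:
            hits.popleft()                 # forget attempts outside the window
        if len(hits) >= self.max_per_ip:
            return "challenge: too many entries from this IP"  # e.g. show a captcha
        hits.append(now)                   # every well-formed attempt counts
        if key.rsplit("@", 1)[1] in DISPOSABLE_DOMAINS:
            return "reject: disposable domain"
        if key in self.seen:
            return "reject: duplicate mailbox"
        self.seen.add(key)
        return "accept"
```

A domain blocklist alone is never complete, as the post notes, so the per-IP budget and the challenge step are what bound the volume when an unlisted provider is used.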