Wizards of the Coast, the publisher of the popular collectible card game 'Magic: The Gathering', has exposed 452,634 players as a result of a security incident. The Washington-based company has admitted its mistake of leaving a backup database unprotected online, and confirmed that the period of exposure extends from early September until the end of last week. The discovery was the result of a routine search by cybersecurity firm "Fidus Information Security," which reported the issue to the game publisher and helped them deal with it as quickly as possible.
The Amazon Web Services storage bucket that was exposed contained player names, usernames, email addresses, the date and time of account creation, as well as hashed and salted user passwords. Besides information about players of the company's games, there were also about 470 email addresses belonging to Wizards of the Coast staff. The exposed players created their accounts between 2012 and mid-2018, so if you created an account outside this window, you are not affected. None of the data was encrypted, indicating unsafe information handling practices on the company's part. As for the passwords, the salting makes recovering them harder for an attacker, but it does not make it technically impossible.
A spokesperson from Wizards of the Coast stated that the company doesn't believe the data has been accessed by a malicious person, but its internal investigation is still ongoing. The scope of the incident is currently being determined, and the game publisher is notifying players who have been exposed. These players will now have to reset their passwords as a precautionary measure. If you are one of them and you use the same credentials elsewhere too, you should change them everywhere so as to stay safe from credential stuffing attacks.
As for the legal dimension of the incident, the number of people potentially exposed qualifies the case for an investigation of GDPR violations. The company has informed the U.K. data protection authorities, as the law obliges it to, and could face a fine of up to 4% of its annual turnover. No matter what happens, it is disappointing to see a company of this size not only failing to protect its user data but also exposing wholly unsafe data management practices. Data backups should always be encrypted, and this is generally considered a basic security measure.
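The two failures described in this story, a backup bucket reachable by anyone and data stored without encryption, are both visible in a bucket's own configuration before any data leaks. The following is an added example, not code from Wizards of the Coast or from Fidus: an offline audit function that takes the bucket settings in the same shapes the AWS S3 API returns them (GetPublicAccessBlock, GetBucketEncryption, GetBucketPolicy) and reports the weak settings beside a corrected configuration. The bucket names, policies and flag values are constructed sample data.

```python
"""Audit an S3 bucket's posture for the two weaknesses a leaked backup shows:
public reachability and missing encryption at rest. Added example; the input
dicts mirror AWS S3 API response shapes, and all sample values are constructed.
"""
import json

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def public_access_fully_blocked(pab):
    """True only when all four Block Public Access flags are enabled."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(flag) is True for flag in PAB_FLAGS)


def default_encryption_algorithm(enc):
    """Return the SSE algorithm applied to new objects by default, or None.
    (GetBucketEncryption raises when nothing is configured; we model that as {}.
    Since 2023 AWS applies SSE-S3 to new buckets, so None mostly appears on
    older buckets such as the one in this story.)"""
    rules = enc.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo:
            return algo
    return None


def _principal_is_anyone(principal):
    """The anonymous principal is written "*" or {"AWS": "*"} in a policy."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_grants_anonymous_access(policy_json):
    """True if any unconditional Allow statement names the anonymous principal.
    Statements with a Condition may still be scoped, so they are not flagged here."""
    if not policy_json:
        return False
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    return any(
        st.get("Effect") == "Allow"
        and _principal_is_anyone(st.get("Principal"))
        and "Condition" not in st
        for st in statements
    )


def audit_bucket(pab, enc, policy_json):
    """Return a list of findings; an empty list means no issue detected."""
    findings = []
    if not public_access_fully_blocked(pab):
        findings.append("public access not fully blocked")
    if policy_grants_anonymous_access(policy_json):
        findings.append("bucket policy allows the anonymous principal")
    if default_encryption_algorithm(enc) is None:
        findings.append("no default server-side encryption")
    return findings


# Constructed sample: the weak configuration a leaked backup bucket typically has.
WEAK_PAB = {"PublicAccessBlockConfiguration": {f: False for f in PAB_FLAGS}}
WEAK_ENC = {}
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-backups/*"}],
})

# Constructed sample: the corrected configuration.
FIXED_PAB = {"PublicAccessBlockConfiguration": {f: True for f in PAB_FLAGS}}
FIXED_ENC = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/example-key-id"}}]}}
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:role/backup-writer"},
                   "Action": ["s3:PutObject", "s3:GetObject"],
                   "Resource": "arn:aws:s3:::example-backups/*"}],
})

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_PAB, WEAK_ENC, WEAK_POLICY)),
                        ("fixed", (FIXED_PAB, FIXED_ENC, FIXED_POLICY))):
        print(label, audit_bucket(*args) or ["ok"])
```

In practice the three dicts come from `boto3` calls against each bucket in the account; the audit logic above stays the same, and a non-empty findings list for a bucket that holds backups is exactly the condition this incident should have tripped.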
Are you one of the exposed 'Magic: The Gathering' players? Can you share the notification details with us? Feel free to do so in the comments section down below, or post it on our socials, on Facebook and Twitter.