Wizards of the Coast, the company behind the popular trading card game Magic: The Gathering, revealed that it has suffered a database breach that exposed the data of hundreds of thousands of MTG Arena and Magic Online players.
According to an email sent to affected users, the security breach happened on November 14 after an internal database was inadvertently exposed. A database backup file was left in a public Amazon Web Services storage bucket, but it was not protected by a password.
“We believe this was an isolated incident related to a legacy database and is unrelated to our current systems. Based on our current investigation, we have no reason to believe that any malicious use has been made of the data,” Wizards of the Coast said in the email.
The database file contained the first and last name, email address, and passwords of 452,634 players of MTG Arena and Magic Online, plus 470 email addresses linked to Wizards of the Coast employees. The passwords, however, were cryptographically secured, which makes them very hard, but not impossible, to decipher. No payment or financial information was included in the database that suffered the security breach.
In TechCrunch’s review of the exposed data, the user accounts dated back to at least 2012, while some of the more recent ones are from mid-2018. The storage bucket was only taken offline when TechCrunch reached out to Wizards of the Coast, despite U.K. cybersecurity firm Fidus Information Security’s earlier attempt to contact the company.
Fidus’ director of research and development, Harriet Lester, told TechCrunch that it was “surprising in this day and age that misconfigurations and lack of basic security hygiene still exist on this scale, especially when referring to such large companies with a userbase of over 450,000 accounts.”
As a precaution, affected MTG Arena and Magic Online players are recommended to change their passwords over the next seven days. Afterward, Wizards of the Coast will manually reset the passwords. For MTG Arena players, resetting the password may be done through the official Wizards of the Coast website, while Magic Online players may initiate the process through the game’s client.
- Adobe left millions of Creative Cloud user records exposed online
- EXCLUSIVE: Honor Magic Watch 2 is coming, and this is what it will look like
- Magic: The Gathering SDCC 2019 panel reveals addition of Brawl to MTG Arena
- Here’s how to claim $100 or more from Yahoo’s massive data breach settlement
- How visual effects helped the Downton Abbey movie turn back the clock
- The magic of music for dementia sufferers: 'Why I'm campaigning for BBC to bring back Singing Together'
- Magic: The Gathering Arena Is A Nice Stepping Stone For A Casual Like Me
- Eye-popping costumes take Wizard World by storm
- UPDATED: Eye-popping costumes take Wizard World by storm
- Wizards stumbled into the playoffs, but John Wall may be their cure-all against Toronto
- Bucks' Thon Maker, other reserves step into NBA playoff spotlight
- 'Immaturity': So much for the Wizards' great expectations
- Central Florida businessman sues, says 'Tanked' aquarium-maker soaked him
- 'Strengthen legal system to avoid data breach'
- The Wizards’ season of self-inflicted wounds is dealt a final blow