Magic: The gathering’s maker, Wizards of the Coast, has confirmed that due to a lapse in security, hundreds of thousands of data on the game players has been exposed. The game’s developer left a database backup file in a public Amazon Web Services storage bucket. There was no encryption or passwords on the bucket, making it easily accessible to anyone. The exposure is not believed to be long term, since early September, but it was exposed long enough for Fidus Information Security, a U.K based cyber security firm, to find the data base.
A review of the database showed 452,634 player’s information including 470 staff accounts. The database contained player’s names, usernames, emails and passwords which were hashed and salted but not impossible to be decrypted. The data was not encrypted on the database. The accounts go back to 2012 but include entries as recent as 2018.
Fidus notified the Wizards of the Coast but did not get a reply. TechCrunch, an online publisher in the Silicon Valley, reached out and the game makers pulled the storage bucket offline after that.
Bruce Dugan, a spokesperson for the game said, “We learned that a database file from a decommissioned website had inadvertently been made accessible outside the company. We removed the database file from our server and commenced an investigation to determine the scope of the incident; we removed the database file from our server and commenced an investigation to determine the scope of the incident.”
The game maker reported that it has informed the U.K data protection authorities in accordance with breach notification rules under Europe’s GDPR regulations. Companies can be fined up to 4 percent of their annual profits for GDPR violations.