The maker of Magic: The Gathering has confirmed that a security lapse exposed the data on hundreds of thousands of game players.
The game's developer, the Washington-based Wizards of the Coast, left a database backup file in a public Amazon Web Services storage bucket. But there was no password on the storage bucket, allowing anyone to access the files inside.
The bucket is not believed to have been exposed for long — since around early-September — but it was long enough for U.K. cybersecurity firm Fidus Information Security to find the database.
A review of the database file showed there were 452,634 players' information, including about 470 email addresses associated with Wizards' staff. The database included player names and usernames, email addresses, and the date and time of the account's creation. The database also had user passwords, which were hashed and salted, making it difficult but not impossible to unscramble.
None of the data was encrypted. The accounts date back to at least 2012, according to our review of the data, but some of the more recent entries date back to mid-2018.
A formatted version of the database backup file, redacted, containing 452,000 user records. (Image: TechCrunch)
Fidus reached out to Wizards of the Coast but did not hear back. It was only after TechCrunch reached out that the game maker pulled the storage bucket offline.
Bruce Dugan, a spokesperson for the game developer, told TechCrunch in a statement: "We learned that a database file from a decommissioned website had inadvertently been made accessible outside the company."
"We removed the database file from our server and commenced an investigation to determine the scope of the incident," he said. "We believe that this was an isolated incident and we have no reason to believe that any malicious use has been made of the data," but the spokesperson did not provide any evidence for this claim.
"However, in an abundance of caution, we are notifying players whose information was contained in the database and requiring them to reset their passwords on our current system," he said.
Harriet Lester, Fidus' director of research and development, said it was "surprising in this day and age that misconfigurations and lack of basic security hygiene still exist on this scale, especially when referring to such large companies with a userbase of over 450,000 accounts."
"Our research team work continuously, looking for misconfigurations such as this to alert companies as soon as possible to avoid the data falling into the wrong hands. It’s our small way of helping make the internet a safer place," she told TechCrunch.
The game maker said it informed the U.K. data protection authorities about the exposure, in line with breach notification rules under Europe's GDPR regulations. The U.K.'s Information Commissioner's Office confirmed the disclosure to TechCrunch after we published.
Companies can be fined up to 4% of their annual turnover for GDPR violations.
Updated with ICO remarks.