The developer of Magic: The Gathering, Wizards of the Coast, acknowledged a data breach that affected thousands of its players. The developer revealed that the breach stemmed from an unprotected database file stored within the Amazon Web Services system. The file was left unencrypted, making the files vulnerable to potential hackers.
Fidus Information Security, who hails from the United Kingdom, reportedly found about the vulnerability, states Tech Crunch. The database had been left exposed since early September, enough for the cybersecurity firm to determine the leak’s repercussions.
While Fidus reached out to report the incident, Wizards of the West Coast only acted upon the issue after Tech Crunch got in touch with them. According to Tech Nadu, the game developer worked with Fidus Information Security to secure the database.
A Closer Look
In total, there was 452,634 player information made available online. These include 470 email addresses belonging to the Wizards of the Coast employees. Account creation dates back to 2012, while some of the most recent entries mined include those created in mid-2018.
Some of the compromised data include the players’ names, usernames, email addresses, and details of the account’s creations. The unencrypted database file also contained passwords. Despite being encrypted with hashing and salting techniques, Tech Crunch states the passwords may still be unscrambled.
Following the revelation, a Wizards of the Coast representative Bruce Dugan issued a statement. Dugan said, “We learned that a database file from a decommissioned website had inadvertently been made accessible outside the company.”
The developer’s representative also revealed that their firm already launched an internal investigation to “determine the scope of the incident.” The company spokesperson said the company does not believe data had been mined or obtained. However, no data was provided to support this claim, notes Tech Crunch.
Although the company is currently investigating the incident, the game maker has already started notifying affected parties. Representatives of the company urge affected players to change their credentials immediately.
The magnitude of the breach makes the case qualified for further investigation and penalty.
In line with this, Wizards of the West Coast reportedly informed data protection authorities in the U.K., notes Tech Nadu. Immediate notification falls in line with the GDPR rules set by Europe.
As of writing, the Information Commissioner’s Office in the United Kingdom had acknowledged notification of the incident.
The developer’s fine could possibly amount to 4% of the company’s revenue.