Wizards of the Coast, the developer of the game Magic: The Gathering, has confirmed that a security breach has compromised the data of hundreds of thousands of gamers, media outlet TechCrunch reported. The game developer left a database backup file in a public Amazon Web Services storage bucket. There was no password on the bucket, so anyone could access the files in it.
The bucket has reportedly been exposed since early September. Fidus Information Security, a British cyber security firm, recently found the database and reported it.
A review of the database files revealed that it included information on 452,634 players, including approximately 470 email addresses associated with Wizards of the Coast employees. The database includes each player’s name and user name, email address, and the date and time the account was created. The database also has user passwords that are hashed, making them difficult but not impossible to crack. None of the data is encrypted. According to a review of the data by TechCrunch, the accounts date back at least to 2012, but some recent entries date back to mid-2018.
Fidus contacted Wizards of the Coast but did not receive a response. The game maker didn’t take the bucket offline until TechCrunch raised it with the company.
“We understand that database files on the discontinued website were inadvertently accessed from outside the company,” Bruce Dugan, a spokesman for the company, told TechCrunch in a statement. “We deleted the database files from the server and started an investigation to determine the scope of the incident,” he said. “We believe this is an isolated incident and we have no reason to believe there has been any malicious use of the data,” the spokesman said, without providing any evidence to support this claim.
“However, as a precaution, we notify players that their information is included in the database and ask them to reset their passwords on our current system,” he said.
“In this day and age, misconfigurations and lack of basic safety and hygiene measures are still surprising, especially when it comes to large companies with more than 450,000 account users,” said Harriet Lester, Director of Research and Development at Fidus. “Our research team is constantly working to find misconfigurations like this to alert companies as quickly as possible to prevent data from falling into the wrong hands. That’s the little way we can make the Internet safer,” she told TechCrunch.
The game maker said it had informed the UK’s data protection authorities of the breach, in accordance with European GDPR rules. The Office of the Information Commissioner did not immediately respond to a request for comment.
Companies that violate the GDPR could be fined up to 4% of their annual global income.