A massive data breach has hit developer and publisher Wizards of the Coast (WotC) and players of its flagship game, “Magic: The Gathering.”
The UK's Fidus Information Security discovered that the US-based company had left an Amazon cloud storage bucket, containing data belonging to as many as 452,634 gamers, exposed without a password. In addition, 470 email addresses “associated” with WotC's staff were also exposed.
According to TechCrunch, the database was available to anybody on the web “not for long”, i.e., since early September. The compromised, unencrypted personal information included players' names, usernames, email addresses and passwords; the passwords, at least, had been protected by hashing and salting.
Hashing with a per-user salt stores a one-way digest instead of the password itself, so anyone holding a copy of the database still has to guess each password individually, which makes brute-force attacks far slower. However, as the article notes, it is not perfect, and WotC is now asking Magic: The Gathering and MTG Arena players to change their passwords.
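The salted-hash scheme described above, as an added example (not code from the article or from WotC's login system): each password is stored with a fresh random salt and a slow key-derivation digest, and verification recomputes the digest from the stored salt. The iteration count, record format and sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256. Each guess in an offline brute-force attack
# costs this many hash rounds; the value is an assumption for illustration.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is generated unless one is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def encode_record(salt: bytes, digest: bytes) -> str:
    """Store salt and digest together. The salt is not secret; it only has to be unique
    per user so that identical passwords produce different records and precomputed
    tables are useless."""
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare it in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo() -> dict:
    """Show the two properties that matter after a database leak."""
    # Constructed sample credential, not data from the breach.
    pw = "correct horse battery staple"
    rec_a = encode_record(*hash_password(pw))
    rec_b = encode_record(*hash_password(pw))
    return {
        # Same password, different salts: the records do not reveal shared passwords.
        "same_password_different_records": rec_a != rec_b,
        "verify_correct": verify_password(pw, rec_a),
        "verify_wrong": verify_password("wrong password", rec_a),
    }


if __name__ == "__main__":
    print(demo())
```

The scheme only slows guessing; it cannot stop it. A weak or reused password is still recoverable from a leaked record by trying likely candidates, which is why a reset is still required even when the stored passwords were hashed and salted.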
The company emailed players explaining that the breach was accidental and originated from “a decommissioned version of the WotC login” that had been made accessible on the internet. WotC also does not believe that the database was exploited by malicious actors. Furthermore, reports have said that payment and financial information was not exposed, thanks to the hashed and salted passwords.
But TechCrunch claims that WotC was slow to react to the discovery of the security breach. Fidus, the British security firm, is said to have informed the developer of the incident – but initially without prompting any reaction. “It was only after TechCrunch reached out that the game maker pulled the storage bucket offline,” the report said. WotC downplayed the breach but confirmed that passwords would be either changed by users or reset, and there would be an investigation.
Fidus, for its part, expressed surprise at WotC's security practices, describing “misconfigurations and lack of basic security hygiene” affecting a massive database at a large company.
Then there is the issue of the GDPR, the EU's data protection legislation. The maximum penalty under these rules is 4 percent of annual global turnover or 20 million euro. WotC said it informed the UK's Information Commissioner's Office about the incident, but this is yet to be confirmed by the regulator.