The maker of Magic: The Gathering has confirmed that a security lapse exposed the data of hundreds of thousands of players.
The developer of the game, the Washington-based Wizards of the Coast, left a database backup file in a public Amazon Web Services storage bucket. The database file contained user account information for the game's online arena. However, the storage bucket had no password, so none was needed to access the files it contained.
The bucket is not believed to have been exposed for long, only since the beginning of September, but that was long enough for the British cyber security firm Fidus Information to find the database.
A review of the database file revealed that it held 452,634 player records, including about 470 email addresses associated with Wizards staff. The database contained player names and usernames, email addresses, and the date and time of account creation. The database also held user passwords that were hashed and salted, which makes them difficult, but not impossible, to crack.
None of the data was encrypted. The accounts are at least 201
Fidus reached out to Wizards of the Coast but did not hear back. Only after TechCrunch reached out did the game maker take the storage bucket offline.
Bruce Dugan, a spokesman for the game developer, told TechCrunch: "We've learned that a database file from a disused website was inadvertently made available outside the company."
"We removed the database file from our server and started an investigation to determine the extent of the incident," he said. "We believe this was an isolated incident and we have no reason to believe that the data was used with malicious intent." The spokesman, however, did not provide any evidence for this claim.
"To be careful, we are notifying players whose information was in the database and asking them to reset their passwords on our current system."
Harriet Lester, Fidus' director of research and development, said it was "a surprise in this day and age that misconfigurations and a lack of basic safety hygiene still exist on this scale, especially when referring to such large corporations with a user base of over 450,000 accounts."
"Our research team is constantly working on misconfigurations like these, notifying businesses as quickly as possible so that data does not fall into the wrong hands. This is our little help to the Internet," she told TechCrunch.
The game maker informed the data protection authorities of the breach, in line with the breach reporting rules under Europe's GDPR. The UK Information Commissioner did not return an email about the disclosure.
Companies can be fined up to 4% of their annual turnover for violations of the GDPR.