The maker of Magic: The Gathering has confirmed that a security lapse exposed the data of hundreds of thousands of players.
Wizards of the Coast, the Washington-based game developer, left a database backup file in a publicly accessible Amazon Web Services storage bucket. The database file contained user account information for the game's online arena. The storage bucket was not password protected, so anyone could access the files inside.
The bucket is not believed to have been exposed for long, only since early September, but that was long enough for the UK-based cybersecurity firm Fidus Information Security to find the database.
A review of the database file showed that it held records for 452,634 players, including about 470 email addresses belonging to Wizards staff. The database included player names and usernames, email addresses, and the date and time of account creation. It also held user passwords that were hashed and salted, making them difficult but not impossible to crack.
None of the data was encrypted. According to our review of the data, the accounts date back to at least 201
Fidus reached out to Wizards of the Coast but did not hear back. It wasn't until TechCrunch contacted the game maker that it pulled the storage bucket offline.
Bruce Dugan, a spokesman for the game developer, said in a statement to TechCrunch: "We learned that a database file from a decommissioned website was inadvertently
"We removed the database file from our server and launched an investigation to determine the scope of the incident," he said. "We believe this was an isolated incident and we have no reason to believe that the data was used maliciously," but the spokesman did not provide any evidence for this claim.
"However, out of an abundance of caution, we are notifying players whose information is contained in the database and requiring them to reset their passwords in our current system," he said.
Harriet Lester, director of research and development at Fidus, said it was "surprising in this day and age that misconfigurations and lack of basic security hygiene still exist on this scale, especially when talking about such large companies with a consumer base of over 450,000 accounts."
"Our research team is constantly working and looking for misconfigurations like this one so we can alert businesses as quickly as possible and keep data from getting into the wrong hands. This is our small way of helping to make the Internet a safer place," she told TechCrunch.
The game maker stated that it had informed the US data protection authorities of the exposure, in accordance with the breach notification rules of Europe's GDPR. The UK's Information Commissioner's Office did not immediately return an email asking it to confirm the disclosure.
Companies can be fined up to 4% of their annual turnover for GDPR violations.