Wizards of the Coast, the company behind the popular trading card game Magic: The Gathering, revealed that it has suffered a database breach that exposed the data of hundreds of thousands of MTG Arena and Magic Online players.
According to an email sent to affected users, the security breach happened on November 14 after an internal database was inadvertently exposed. A database backup file was left in a public Amazon Web Services storage bucket, and it was not protected by a password.
“We believe this was an isolated incident related to a legacy database and is unrelated to our current systems. Based on our current investigation, we have no reason to believe that any malicious use has been made of the data,” Wizards of the Coast said in the email.
The database file contained the first and last names, email addresses, and passwords of 452,634 players of MTG Arena and Magic Online, plus 470 email addresses linked to Wizards of the Coast employees. The passwords, however, were cryptographically secured, which makes them very hard, but not impossible, to decipher. No payment or financial information was included in the exposed database.
In TechCrunch’s review of the exposed data, the user accounts dated back to at least 2012, while some of the more recent ones were from mid-2018. The storage bucket was only taken offline when TechCrunch reached out to Wizards of the Coast, despite U.K. cybersecurity firm Fidus Information Security’s earlier attempt to contact the company.
Fidus’ director of research and development, Harriet Lester, told TechCrunch that it was “surprising in this day and age that misconfigurations and lack of basic security hygiene still exist on this scale, especially when referring to such large companies with a userbase of over 450,000 accounts.”
As a precaution, affected MTG Arena and Magic Online players are advised to change their passwords over the next seven days. Afterward, Wizards of the Coast will manually reset the passwords. MTG Arena players can reset their password through the official Wizards of the Coast website, while Magic Online players can initiate the process through the game’s client.