‘Magic: The Gathering’ game maker exposed 452,000 players’ account data

The maker of Magic: The Gathering has confirmed that a security lapse exposed the data on hundreds of thousands of game players.

The game developer, the Washington-based Wizards of the Coast, left a database backup file in a public Amazon Web Services storage bucket. The database file contained user account information for the game's online arena. But there was no password on the storage bucket, allowing anyone to access the files inside.

The bucket is not believed to have been exposed for long — since around early-September — but it was long enough for U.K. cybersecurity firm Fidus Information Security to find the database.

A review of the database file showed there were 452,634 players' information, including about 470 email addresses associated with Wizards' staff.

The database included player names and usernames, email addresses, and the date and time of the account creation. The database also had user passwords, which were hashed and salted, making it difficult but not impossible to unscramble.

None of the data was encrypted. The accounts date back to at least 2012, according to our review of the data, but some of the more recent entries date back to mid-2018.

A formatted version of the database backup file, redacted, containing 452,000 user records. (Image: TechCrunch)

Fidus reached out to Wizards of the Coast but did not hear back.

It was only after TechCrunch reached out that the game maker pulled the storage bucket offline.

Bruce Dugan, a spokesperson for the game developer, told TechCrunch in a statement: “We learned that a database file from a decommissioned website had inadvertently been made accessible outside the company.”

“We removed the database file from our server and commenced an investigation to determine the scope of the incident,” he said.

“We believe that this was an isolated incident and we have no reason to believe that any malicious use has been made of the data,” but the spokesperson did not provide any evidence for this claim.

“However, in an abundance of caution, we are notifying players whose information was contained in the database and requiring them to reset their passwords on our current system,” he said.

Harriet Lester, Fidus' director of research and development, said it was “surprising in this day and age that misconfigurations and lack of basic security hygiene still exist on this scale, especially when referring to such large companies with a userbase of over 450,000 accounts.”

“Our research team work continuously, looking for misconfigurations such as this to alert companies as soon as possible to avoid the data falling into the wrong hands. It's our small way of helping make the internet a safer place,” she told TechCrunch.

The game maker said it informed the U.K. data protection authorities about the exposure, in line with breach notification rules under Europe's GDPR regulations.

The U.K. Information Commissioner's Office did not immediately return an email to confirm the disclosure.

Companies can be fined up to 4% of their annual turnover for GDPR violations.