Database containing details of nearly half a million gamers exposed in security lapse
Wizards of the Coast -- publisher of, among other titles, Magic: The Gathering -- has confirmed a security incident that exposed information relating to 452,634 players.
The company left a backup database containing gamer information in a public Amazon Web Services storage bucket where it was accessible from early September. Specifically, the database was used to house data relating to the game's online portal, Magic: The Gathering Arena.
- Trend Micro reveals that customer data was illegally sold following inside-job 'security incident'
- Hackers breach security at Web.com, Network Solutions and Register.com, accessing private customer info
- Firefox users are being targeted by malicious sites that exploit a known bug to lock up the browser
The data covered accounts from between 2012 and the middle of 2018, and in addition to players' information, that of some 470 members of Wizards of the Coast staff were exposed. In the case of company employees, only email addresses were exposed, but for 452,634 players, name, usernames, email addresses and other data were included.
As TechCrunch reports, the exposed database was discovered by UK-based security firm Fidus Information Security. Although the company got in touch with Wizards of the Coast about the publicly accessible database, it was not until TechCrunch made contact that it was taken offline.
A spokesperson for the company issued a statement saying:
We learned that a database file from a decommissioned website had inadvertently been made accessible outside the company. We removed the database file from our server and commenced an investigation to determine the scope of the incident.
We believe that this was an isolated incident and we have no reason to believe that any malicious use has been made of the data. However, in an abundance of caution, we are notifying players whose information was contained in the database and requiring them to reset their passwords on our current system.
There is no suggestion that passwords have been exposed, or that any accounts have been accessed by unauthorized persons as a result of the security lapse.