Wizards of the Coast, the publisher and developer of Magic: The Gathering, has confirmed that a security lapse exposed the data of hundreds of thousands of players.
According to the official email from Wizards of the Coast, the company left a database backup file in a public Amazon Web Services storage bucket. Because there was no password on the storage bucket, anyone was able to access the files inside.
TechCrunch reports that the U.K. cybersecurity firm Fidus Information Security was able to find the database even though the bucket is not believed to have been exposed for long — since around early September.
A review of the database revealed that there were 452,634 players' details, including about 470 email addresses associated with WotC staff. The information exposed included player names, usernames, email addresses, and the date and time of each account's creation. There were also user passwords, which were hashed and salted, but not impossible to unscramble. Now WotC is asking Magic: The Gathering and MTG Arena players to change their passwords.
According to TechCrunch's review of the data, none of the data was encrypted and the accounts date back to at least 2012, but recent entries date back to mid-2018.
WotC sent players emails explaining that the security breach was accidental, coming from "a decommissioned version of the WotC login" that was made accessible online. The company also believed that the database had not been exploited by malicious actors.
The publisher has already informed the U.K. data protection authorities about the exposure, following the breach notification rules under GDPR, the EU's data protection legislation. TechCrunch reports that the U.K.'s Information Commissioner's Office confirmed the disclosure.
Businesses can be fined up to 4% of their annual turnover or 20 million euros for GDPR violations.