A massive data breach has hit developer and publisher Wizards of the Coast (WotC) and players of its flagship game, “Magic: The Gathering.”
The UK’s Fidus Information Security has discovered that the US-based company had left a cloud storage bucket on Amazon, containing data belonging to as many as 452,634 gamers, exposed without a password. In addition, 470 email addresses “associated” with WotC’s staff have also been exposed.
According to TechCrunch, the database was available to anybody on the web “not for long” – i.e., since early September. The compromised, unencrypted personal information included players’ names, their usernames, emails, and also passwords – but at least these were protected using hashing and salting.
Hashing and salting means storing a salted one-way digest of each password rather than the password itself, which is particularly useful in fending off brute force attacks. However, as the article notes, it’s not perfect, and now WotC is asking Magic: The Gathering and MTG Arena gamers to change their passwords.
The company sent players emails explaining that the breach was accidental, originating from “a decommissioned version of the WotC login” that was made accessible on the internet. WotC also doesn’t think that the database has been exploited by malicious actors. Furthermore, payment and financial information has not been exposed thanks to the hashed and salted passwords, reports have said.
But TechCrunch claims that WotC was slow to react to the discovery of the security breach. Fidus, the British security firm, is said to have informed the developer of the incident – but initially without prompting any reaction. “It was only after TechCrunch reached out that the game maker pulled the storage bucket offline,” the report said. WotC downplayed the breach but confirmed that passwords would be either changed by users or reset, and there would be an investigation.
Fidus, on the other hand, expressed surprise at the security practices of WotC, described as “misconfigurations and lack of basic security hygiene” affecting a massive database and a large company.
Then there’s the issue of the GDPR – the EU’s data protection law. The maximum penalty under these rules is 4 percent of annual global turnover or 20 million euro. WotC said it informed the UK’s Information Commissioner’s Office about the incident, but this is yet to be confirmed by the regulator.
The post Magic: The Gathering owner exposes thousands of player details online appeared first on Reclaim The Net.
Author: Didi Rankovic