The maker of Magic: The Gathering has confirmed that a security lapse exposed the account data of hundreds of thousands of players.
Wizards of the Coast, the Washington-based developer of the game, left a database backup file in a publicly accessible Amazon Web Services storage bucket. The file contained account information for the online game Magic: The Gathering Arena. The bucket required no authentication at all, so anyone who found it could list and download the files inside.
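The failure described above is a bucket whose policy or ACL grants access to everyone. The following is an added example, not code from the article or from Wizards of the Coast, showing how to spot that condition in the two documents that control S3 access and what the corrected settings look like. The bucket name, the account ID and the policy and ACL documents are constructed for illustration; they mirror the JSON shapes returned by `aws s3api get-bucket-policy` (whose "Policy" field is a JSON string) and `aws s3api get-bucket-acl`.

```python
"""Flag S3 bucket policies and ACLs that grant anonymous read access.

Added example, not code from the article or from Wizards of the Coast.
The policy and ACL documents below are constructed for illustration and
mirror the JSON returned by `aws s3api get-bucket-policy` (the "Policy"
field is a JSON string) and `aws s3api get-bucket-acl`.
"""
import json

# Actions that let an anonymous caller list or download objects.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}

# Legacy ACL grantees that mean "everyone" or "any AWS account at all".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """IAM policy fields may be a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True for the wildcard principal in either of its spellings."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_read_statements(policy):
    """Return (unconditioned, conditioned) lists of statement Sids that
    Allow a read-type action to the wildcard principal.

    Unconditioned statements are the open-bucket case. Statements with a
    Condition block (for example aws:SourceVpce or aws:SourceIp) may be
    legitimate, so they are reported separately for manual review.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    unconditioned, conditioned = [], []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & READ_ACTIONS:
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        (conditioned if stmt.get("Condition") else unconditioned).append(sid)
    return unconditioned, conditioned


def public_acl_grants(acl):
    """Return (grantee URI, permission) for every ACL grant to a public group.
    ACLs are evaluated independently of the bucket policy, so both must be checked."""
    return [
        (g["Grantee"]["URI"], g["Permission"])
        for g in acl.get("Grants", [])
        if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS
    ]


def public_access_block_fix():
    """Configuration for `aws s3api put-public-access-block`: with all four
    flags set, public ACLs are ignored and a policy like LEAKY_POLICY is
    rejected at PutBucketPolicy time instead of silently taking effect."""
    return {
        "BlockPublicAcls": True,
        "IgnorePublicAcls": True,
        "BlockPublicPolicy": True,
        "RestrictPublicBuckets": True,
    }


# Constructed: the open-bucket misconfiguration. The bucket name is hypothetical.
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadBackups",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"],
    }],
})

# Constructed: the same access limited to one IAM role in a hypothetical account.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RestoreRoleReadBackups",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-restore"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"],
    }],
})

# Constructed: a legacy ACL that also makes every object world-readable.
LEAKY_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    print("leaky policy:", public_read_statements(LEAKY_POLICY))
    print("fixed policy:", public_read_statements(FIXED_POLICY))
    print("leaky acl:", public_acl_grants(LEAKY_ACL))
```

To run this against a live bucket, feed it the output of `aws s3api get-bucket-policy --bucket NAME --query Policy --output text` and `aws s3api get-bucket-acl --bucket NAME`. Either document alone can open a bucket, which is why the account-level and bucket-level Block Public Access settings returned by `public_access_block_fix()` are the control that actually closes the class of mistake rather than one instance of it.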
The bucket is not believed to have been exposed for long, since around early September, but it was long enough for British computer security firm Fidus Information Security to find the database.
A review of the database file showed it contained 452,634 player records, including about 470 email addresses belonging to Wizards staff. The records included player names and usernames, email addresses, and the date and time each account was created. The database also held user passwords, which were hashed and salted, making them difficult but not impossible to crack.
None of the data was encrypted. Records date back to at least 2012, according to our review, but the most recent records are from mid-2018.
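"Hashed and salted" is often read as "safe", and the paragraph above is right to call it only difficult. The following added example (not code from the article; the article does not say which algorithm Wizards used, so a single round of SHA-256 over salt || password is assumed here as a stand-in for an older fast scheme) shows why: a per-user salt stops one precomputed table from covering every account, but it does not stop a wordlist being run against each row, and the only lever left to the defender is the cost of each guess. The usernames, passwords and wordlist are constructed.

```python
"""Salted hashes are harder to crack, not impossible to crack.

Added example, not code from the article. The leaked rows are
constructed with a known scheme, one round of SHA-256 over
salt || password (assumed; the article does not say which algorithm
Wizards used). A per-user salt stops a single precomputed table from
covering every account, but a fast hash still lets an attacker run a
wordlist against each row independently.
"""
import hashlib
import hmac

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "123456", "qwerty", "planeswalker", "letmein"]


def fast_hash(salt: bytes, password: str) -> str:
    """One SHA-256 round: on the order of a billion guesses per second on one GPU."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def slow_hash(salt: bytes, password: str, iterations: int = 600_000) -> str:
    """PBKDF2-HMAC-SHA256: the same guess now costs `iterations` rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_leaked_rows(hash_fn=fast_hash):
    """Constructed stand-in for the leaked table: (username, salt, digest).
    Salts are derived from the username only so the example is reproducible;
    a real system draws them from os.urandom()."""
    users = [("alice", "planeswalker"), ("bob", "123456"), ("carol", "Xr9!vQ2#kL8m")]
    rows = []
    for name, pw in users:
        salt = hashlib.sha256(name.encode()).digest()[:16]
        rows.append((name, salt, hash_fn(salt, pw)))
    return rows


def crack(rows, wordlist, hash_fn):
    """Dictionary attack. Returns (recovered passwords, hash evaluations spent).

    Because salts differ per row, no work is shared between users: the
    worst case is len(rows) * len(wordlist) evaluations, and salting
    does nothing to change that number. Only a slower hash_fn raises
    the attacker's bill per evaluation.
    """
    recovered, evaluations = {}, 0
    for user, salt, digest in rows:
        for candidate in wordlist:
            evaluations += 1
            if hmac.compare_digest(hash_fn(salt, candidate), digest):
                recovered[user] = candidate
                break
    return recovered, evaluations


if __name__ == "__main__":
    found, spent = crack(build_leaked_rows(), WORDLIST, fast_hash)
    print(f"recovered {found} after {spent} fast-hash evaluations")
```

Running the same attack against rows stored with `slow_hash` recovers exactly the same two weak passwords with exactly the same number of evaluations; the difference is that each evaluation is hundreds of thousands of times more expensive, which is the entire value of bcrypt, scrypt, Argon2 or a high-iteration PBKDF2 over a plain salted SHA-256. Carol's strong password survives either way because it is not in the wordlist, which is the user's side of the bargain and the reason the vendor's advice to reset passwords matters.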
A formatted, redacted version of the database backup file containing 452,000 user records. (Image: TechCrunch)
Fidus reached out to Wizards of the Coast but did not hear back. It wasn't until TechCrunch contacted the game developer that it pulled the storage bucket offline.
Bruce Dugan, a spokesperson for the game developer, told TechCrunch in a statement: "We learned that a database file from the advertising website was inadvertently made available outside the company."
"We removed the database file from our server and launched an investigation to determine the extent of the incident," he said. "We believe this was an isolated incident and we have no reason to believe that the data was misused." The spokesperson did not provide evidence for that assessment.
"However, out of an abundance of caution, we are notifying players whose information was contained in the database and asking them to reset their passwords on our current system," he said.
Harriet Lester, director of research and development at Fidus, said it was "surprising in this day and age that misconfigurations and a lack of basic security hygiene still exist on this scale, especially when it comes to such large user-centric companies. 450,000 accounts."
"Our research team works constantly, looking for misconfigurations like this, to warn companies as soon as possible to avoid data ending up in the wrong hands. It's our small way to help make the internet a safer place," she told TechCrunch.
The game maker said it had notified the UK's data protection authority of the exposure, in line with the breach-reporting rules under Europe's GDPR. The UK Information Commissioner's Office did not immediately return an email to confirm the disclosure.
Under GDPR, companies can be fined up to 4% of their annual global turnover.