Gamers Exposed After Wizards of the Coast Data Leak

A US gaming company has admitted accidentally leaking the personal data of countless customers via a cloud storage bucket.

Hasbro-owned Wizards of the Coast specializes in fantasy and science fiction games such as trading card title Magic: The Gathering.

However, it was forced late last week to email an unspecified number of Magic Online and MTG Arena users informing them of the privacy snafu. It’s unclear how many were affected but MTG Arena alone is said to have three million users and makes its owners hundreds of millions in revenue each year.

“Dear Wizards community, we are writing to let you know of a recent security incident at Wizards of the Coast. On Nov. 14, we learned that an internal database file from a decommissioned version of the WotC login had inadvertently been made accessible outside the company,” the email reportedly said.

“We believe this was an isolated incident related to a legacy database and is unrelated to our current systems. Based on our current investigation, we have no reason to believe that any malicious use has been made of the data.”

Reports suggest that the problem stemmed from a back-up file left in an Amazon Web Services (AWS) storage bucket without password protection.

First and last names, email addresses, and salted and hashed passwords were apparently exposed in the incident, which is being treated as non-malicious. Although the stored passwords were salted and hashed in line with best practice, all MTG Arena and Magic Online users are being asked to reset their passwords.

Misconfigurations of cloud services like AWS S3 are to blame for an increasing number of data leaks. Although many, like this one, are found and locked down quickly, that is not always the case. The longer exposed infrastructure is left unprotected and online, the greater the chance that hackers will find the linked data and steal it or hold it to ransom.

Just last month, personal data belonging to 250,000 US and UK job seekers was leaked after two online recruitment companies failed to make their AWS buckets private.
