Wizards of the Coast, the developer of Magic: The Gathering, exposed user data of 452,634 players because of a security lapse. The Washington-based game maker left a file in a public Amazon Web Services storage bucket without a password or encryption, giving anyone access to the information.
The data included 470 staff email addresses, players' names and usernames, email addresses, the date and time the accounts were made, and hashed and salted user passwords. The account data ranged from 2012 to 2018.
The developer claims this was "an isolated incident," and they believe the data wasn't used for malicious activity. The UK-based Fidus Information Security discovered the exposed database in September and informed the developer. But the files were only taken down once TechCrunch asked them about it.
Harriet Lester, Fidus' director of research and development, said it was "surprising in this day and age that misconfigurations and lack of basic security hygiene still exist on this scale, especially when referring to such large companies with a userbase of over 450,000 accounts."
Wizards of the Coast said they are notifying players who have their data exposed via email to change their passwords as soon as possible.