The Creator of 'Magic: The Gathering' Warns Users to Change Passwords After a Massive Data Breach
According to Wikipedia, as of 2015, Magic: The Gathering (MTG) was played by about 20 million people. Fortunately, not all of them had accounts with a website dedicated to the hit game. A little over 450 thousand of them, however, did, and now, some of their personal data has been leaked online.
Another database left dormant in an AWS storage bucket
The leak was found by Fidus Information Security – the same company that recently discovered a security flaw in the Vatican's new smart rosary. This time around, however, Fidus' experts didn't need to reverse engineer any devices or sift through any API responses.
All they needed to do was look in an Amazon Web Services (AWS) storage bucket that was not protected by a password. Inside it, they found a little over 452 thousand user records that contained names, usernames, email addresses, hashed and salted passwords, and account creation dates.
The database was first uploaded to the unprotected bucket in early September, and it apparently remained online for the next two months. This might not sound like much, but if it was enough for Fidus' researchers to find it, it might have been enough for cybercriminals to locate it as well.
MTG’s publisher makes an all-too-common misconfiguration mistake
After a brief investigation, Fidus' researchers realized that the database belonged to Wizards of the Coast, the Washington-based game publisher that released Magic: The Gathering back in 1993. As is often the case, someone forgot to properly configure the offending AWS storage bucket before uploading the backup database file, which, by the way, also contained about 500 records belonging to Wizards of the Coast employees.
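The misconfiguration described above (a bucket readable by anyone) is the kind of thing a routine audit catches. The following is an added example, not code from the article, from Fidus or from Wizards of the Coast: it evaluates a bucket policy, its ACL grants and its Public Access Block settings for public exposure. It assumes the caller has already fetched those three documents through the S3 API; the sample inputs are constructed for illustration.

```python
# Constructed sample inputs for illustration; not data from the incident in the article.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]}]}
SAMPLE_GRANTS = [{"Grantee": {"Type": "Group",
                              "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                  "Permission": "READ"}]
SAMPLE_PAB = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

# Predefined S3 groups that make an ACL grant "public"; the action set is what an
# anonymous reader needs to list and download a backup file.
PUBLIC_GROUP_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                     "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
READ_ACTIONS = {"*", "s3:*", "s3:GetObject", "s3:ListBucket"}

def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (anyone, including anonymous callers)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False

def public_policy_statements(policy):
    """Sids of Allow statements granting a wildcard principal read/list access with no Condition."""
    found = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if (stmt.get("Effect") == "Allow" and _is_wildcard_principal(stmt.get("Principal"))
                and not stmt.get("Condition") and READ_ACTIONS.intersection(actions)):
            found.append(stmt.get("Sid", "<no Sid>"))
    return found

def public_acl_grants(grants):
    """Permissions the bucket ACL hands to the AllUsers/AuthenticatedUsers groups."""
    return [g["Permission"] for g in grants if g.get("Grantee", {}).get("URI") in PUBLIC_GROUP_URIS]

def audit_bucket(policy, grants, public_access_block):
    """Return a list of findings; an empty list means none of the three checks flagged exposure."""
    findings = [f"policy statement '{sid}' allows public read" for sid in public_policy_statements(policy)]
    findings += [f"ACL grants {perm} to a public group" for perm in public_acl_grants(grants)]
    disabled = sorted(k for k, v in public_access_block.items() if not v)
    if disabled:
        findings.append("Public Access Block settings disabled: " + ", ".join(disabled))
    return findings
```

Statements that carry a Condition are deliberately left for manual review rather than auto-flagged, since a condition such as a source-VPC restriction can make a wildcard principal harmless.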
A spokesperson for the game publisher told TechCrunch that they have no evidence of any malicious use of the data. The affected users will be notified and asked to change their passwords, just in case. In accordance with GDPR, the relevant regulators in the EU have also been made aware of the leak.
The good news
It is unclear where the database came from. The only thing we do know for sure is that the website it belonged to was owned by Wizards of the Coast and that the data is fairly old. TechCrunch's Zack Whittaker reviewed a sample of the leak and reported that many of the accounts date as far back as 2012, although there are some from 2018 as well. Wizards of the Coast told Whittaker that the website has now been "decommissioned".
As we mentioned already, the passwords were hashed and salted, which is also a good thing. The hashing algorithm that was used remains unknown, but Zack Whittaker does say that unscrambling the data would be "difficult". Considering the relatively small number of affected accounts and their age, the hackers are unlikely to put too much effort into trying to reverse the hashes.
The not-so-good news
Having said all that, the leak shouldn't be underestimated. The database contained a fair amount of personal information that wasn't encrypted or protected in any way. What's more, anyone who accesses the names, usernames, and emails in the database will know that the people behind them are interested in MTG, which could be a massive advantage for someone trying to organize a well-crafted, socially engineered spear-phishing campaign. Wizards of the Coast should soon be done notifying all affected individuals, and we can only hope that users will get all the information they need to keep the damage associated with the leak under control. The thing is, victims should have been notified long ago.
Fidus' researchers tried to responsibly disclose the exposure immediately after they found it, but they got no response from Wizards of the Coast. It wasn't until TechCrunch reached out that the game developer finally sprang into action and pulled the database.
The fact that the leak happened because of a rather simple configuration mistake is worrying. What is more disconcerting, however, is the fact that Wizards of the Coast acted only after the threat of media outlets breaking the story presented itself.
Organizations should start thinking more about protecting people's privacy and security and less about preserving their reputation. The sooner everyone realizes this, the better.