Wizards of the Coast, the US-based company behind the popular online fantasy card game, exposed its users' data after leaving database backup files in a public Amazon Web Services (AWS) storage bucket.
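The lapse described here, a bucket whose contents anyone could read, is usually the result of either a bucket policy that grants access to an anonymous principal or an ACL grant to the global AllUsers group. The following Python is an added example (not code from the article, from Wizards of the Coast or from AWS) of an offline check that flags both patterns in the JSON documents the S3 GetBucketPolicy and GetBucketAcl calls return; the two policy documents and the ACL below are constructed for illustration, and the account id, role and bucket names in them are placeholders.

```python
"""Offline check for S3 bucket policies and ACLs that grant public access.

Added example; the policy and ACL documents are constructed, not taken from
the incident. In practice the input is the JSON returned by GetBucketPolicy
and the dict returned by GetBucketAcl.
"""
import json
from typing import Any

# Actions that let an anonymous caller read or enumerate bucket contents.
READ_ACTIONS = {"s3:getobject", "s3:getobjectversion", "s3:listbucket", "s3:*", "*"}

# Canned-ACL group URIs that mean "everyone" / "any AWS account holder".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def _as_list(value: Any) -> list:
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal: Any) -> bool:
    """True when the Principal element means 'anyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def find_public_statements(policy_json: str) -> list[str]:
    """Return the Sids of unconditional Allow statements readable by anyone."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements with Principal "*" are a hardening pattern
        if not _is_anonymous(stmt.get("Principal")):
            continue
        # A Condition (e.g. aws:SourceVpce, aws:SourceIp) may scope the grant;
        # only unconditional anonymous grants are treated as public here.
        if stmt.get("Condition"):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & READ_ACTIONS:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def find_public_acl_grants(acl: dict) -> list[str]:
    """Return 'Group:Permission' for every ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GROUP_URIS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and group:
            findings.append(f"{group}:{grant.get('Permission')}")
    return findings


# Constructed: the kind of policy that makes backup dumps world-readable.
PUBLIC_BACKUP_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadBackups",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-backups/*",
    }],
})

# Constructed: the same bucket restricted to one role, plus a TLS-only deny.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BackupRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-backup-reader"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"],
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-backups/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

# Constructed: an ACL granting READ to everyone, as a "public-read" canned ACL does.
PUBLIC_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    print("public policy:", find_public_statements(PUBLIC_BACKUP_POLICY))  # ['PublicReadBackups']
    print("hardened policy:", find_public_statements(HARDENED_POLICY))     # []
    print("public ACL:", find_public_acl_grants(PUBLIC_ACL))               # ['AllUsers:READ']
```

Run against a real account by feeding each bucket's policy and ACL into the two functions; a non-empty result is a bucket to review. The check is a point-in-time audit: enabling S3 Block Public Access at the account level is what stops a future policy or ACL like the first two examples from taking effect at all.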

It is believed the data was exposed only for a short period, but long enough for the lapse to be discovered by UK cybersecurity company Fidus Information Security (FIS).

The database, which had been compromised since early September, included information such as player names, usernames, addresses and the date and time of each account's creation. It also contained users' passwords, which were hashed and salted; although this makes the data harder to unscramble, it does not make it impossible.

FIS found that the exposed data dated back to at least 2012, with some entries as recent as mid-2018. The team also found that none of the data was encrypted.

FIS alerted Wizards to the error but received no response. It was only after TechCrunch contacted the company that it rectified the oversight.


Bruce Dugan, a spokesperson for the game developer, told TechCrunch in a statement: “We learned that a database file from a decommissioned website had inadvertently been made accessible outside the company.

“We removed the database file from our server and commenced an investigation to determine the scope of the incident.

“We believe that this was an isolated incident and we have no reason to believe that any malicious use has been made of the data,” but the spokesperson failed to provide any evidence to back up this claim.

“However, in an abundance of caution, we are notifying players whose information was contained in the database and requiring them to reset their passwords on our current system,” he said.

Harriet Lester, Fidus’ director of research and development, said it was “surprising in this day and age that misconfigurations and lack of basic security hygiene still exist on this scale, especially when referring to such large companies with a userbase of over 450,000 accounts.”

Wizards said it had informed the Information Commissioner’s Office (ICO) of the data breach, as required under GDPR. The ICO has yet to respond to the disclosure. Firms failing to comply with GDPR could potentially face a fine of up to 4% of their annual turnover.
