Wizards of the Coast, the maker of the popular fantasy card game Magic: The Gathering, has revealed that it left a copy of its database on a shared cloud server without a password, allowing it to be accessed by anyone. The data breach has exposed the personal information of over 452,634 players.
Magic: The Gathering Exposes Games Through Sloppy Security
Amazon Web Services (AWS) data breaches have become commonplace. Among the dozens of organizations that have reported data breaches are Accenture, Dow Jones, FedEx, Verizon, WWE, the Republican National Committee and Experian. Now, sadly, gaming company Wizards of the Coast, maker of the popular fantasy card game Magic: The Gathering, joins those ranks. The company revealed that it has exposed the personal information of nearly half a million players. This was not even a high-tech hack but an example of sheer carelessness by Wizards.
Wizards placed a copy of its database on the popular business cloud storage system operated by Amazon and simply left the file with no password protection at all. Anyone could download the file without any security credentials; no hacking was required. And download the file they did. The user accounts appear to date from 2012 to 2018 and include name, password and email among other fields.
Amazon Needs to Enforce Best Practices
While the ultimate fault here clearly lies with Wizards, Amazon can certainly do more to prevent these data breaches. In 2017, Bleeping Computer ran a test that revealed that 7% of all AWS S3 storage buckets like this one have unrestricted public access and 35% are unencrypted. It’s doubtful that the security practices of its corporate clients have improved, and this type of sloppy data management likely continues to this day. While AWS is responsible for maintaining the security of the underlying infrastructure, that offers no protection when customers like Wizards fail to configure the tools properly.
AWS could and must take steps to make sure that, wherever possible, its clients encrypt files or at the very least require passwords to gain access. After all, you can’t create an Amazon online retail account without a password, so how hard should it be to make sure files stored in its “buckets” are similarly protected? Put another way, the best deadbolt lock doesn’t do you any good if you fail to lock the door when you leave.
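As an added illustration (not code from the original article), the checks below flag the bucket settings whose misconfiguration is described in the two sections above: public ACL grants, wildcard-principal bucket policies, Block Public Access left off and no default encryption. The inputs are assumed to be shaped like the responses of boto3’s get_bucket_acl, get_bucket_policy, get_public_access_block and get_bucket_encryption calls, and the sample configurations are constructed so the audit runs offline.

```python
# Added example: offline audit of S3 bucket settings against the exposure
# pattern described above. Input dicts mirror boto3 response shapes (assumed).
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def policy_allows_anyone(policy_json):
    """True if any Allow statement names a wildcard principal (conditions are ignored, so this is conservative)."""
    if not policy_json:
        return False
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if stmt.get("Effect") == "Allow" and (aws == "*" or (isinstance(aws, list) and "*" in aws)):
            return True
    return False


def acl_is_public(acl):
    """True if any ACL grant targets the AllUsers or AuthenticatedUsers group."""
    return any(g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS) for g in acl.get("Grants", []))


def assess_bucket(acl, policy_json=None, public_access_block=None, encryption=None):
    """Return the list of findings for one bucket; an empty list means nothing was flagged."""
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    findings = []
    if not all(pab.get(k) for k in PAB_KEYS):
        findings.append("Block Public Access is not fully enabled")
    if acl_is_public(acl) and not pab.get("IgnorePublicAcls"):  # account/bucket PAB would neutralise the grant
        findings.append("ACL grants access to a public group")
    if policy_allows_anyone(policy_json) and not pab.get("RestrictPublicBuckets"):
        findings.append("bucket policy allows a wildcard principal")
    if not encryption:  # get_bucket_encryption raises when no default encryption is configured
        findings.append("no default server-side encryption configured")
    return findings


# Constructed sample configurations (not real account data).
PUBLIC_READ = {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example/*"}
EXPOSED = {
    "acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    "policy_json": json.dumps({"Version": "2012-10-17", "Statement": [PUBLIC_READ]}),
}
HARDENED = {
    "acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]},
    "policy_json": json.dumps({"Version": "2012-10-17", "Statement": [dict(PUBLIC_READ, Principal={"AWS": "arn:aws:iam::123456789012:role/app"})]}),
    "public_access_block": {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}},
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
}

if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(label, assess_bucket(**cfg) or ["no findings"])
```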
Unencrypted Credentials Expose Users Across the Internet
For the users, the exposure of this data file is much worse than it might seem at first. Even in a best-case scenario where sensitive personal information like SSN, date of birth or payment card data is not included, the inclusion of unencrypted passwords and emails exposes the users to tremendous risk. The “hackers” (not really, since they simply downloaded the file!) now hold login credentials for the Wizards website, allowing them to access not only the accounts of these users but also any other website where these users reuse the same credentials.
If a user’s email account uses these same credentials, the damage could be incredibly widespread. The shared credentials could be used to take over the user’s email account, see which websites they get mail from and access other accounts using the same credentials. If they wanted to, the attackers could change the passwords on these accounts, effectively locking the user out of their email or these other accounts, and possibly make purchases on accounts where the user’s payment card information is stored. Truly, the potential for damage is limited only by the creativity of the hackers.
MyProfyle reminds our readers that, as with all data breaches, there is nothing you can do to prevent the problem, but there are steps each of us can take to protect ourselves. When we hand over our data or create new accounts, we are entrusting those organizations to be careful caretakers of our information. If they or their partners are not, then our information will be exposed. Even if they are careful, hackers are resourceful, and that is why MyProfyle believes that every organization will have a data breach eventually.
But that doesn’t mean there’s nothing you can do. First, stop sharing passwords across websites. If you aren’t using a strong password generator, consider doing so immediately. If you are re-using passwords, even strong passwords, make sure you have different, strong passwords for your most critical accounts like your email and banking accounts, and change them often. If hackers gain access to your email, they can reset even the strongest password on your other accounts. Finally, if you haven’t done so already, register for MyProfyle’s Free for Life Identity Protection™, the only free identity monitoring service. Or consider trying our upgraded services, which include identity restoration and other benefits.