Wizards of the Coast have had to contact some customers about a possible cybersecurity incident.
The email uses the phrase “In an abundance of caution”, and it does seem as if the gaming giant is playing safe. They’re certainly moving quickly, as the potential vulnerability was only detected this week.
If you’ve not had the email, you should be okay; the problem is with old, decommissioned data. If you have had a DCI account, you may want to check the email address you used for it.
Here’s the email in full:
Dear Wizards Community:
We are writing to let you know about a recent security incident at Wizards of the Coast.
What Happened? On November 14, 2019, we learned that an internal database file from a decommissioned version of the Wizards of the Coast website login had inadvertently been made accessible outside the company. We believe that this was an isolated incident, limited to a legacy database and unrelated to our current systems. Based on our current investigation, we have no reason to believe that any malicious use has been made of the data. However, in an abundance of caution, we are sending you this notice to let you know what happened, what steps we are taking as a result, and what steps we are encouraging you to take to protect yourself.
What Information Was Involved? The database file included the following types of information: first and last names, email addresses, and passwords stored in “hashed and salted” format. This means that the passwords were not stored in plain text but were secured cryptographically. No payment or other financial information was included in this database.
What Are We Doing? Upon learning of this incident, we removed the database file from our server and commenced an investigation to determine the scope of the incident. In an abundance of caution, we are notifying the users whose information was contained in the database. For those of you that have an active Wizards account(s) (e.g., Arena, Magic Online, etc.), you have 7 days to reset your password(s). After that, your password(s) will be manually reset, and you will be required to make new password(s) to log in.
For Arena, you may reset your password here: https://myaccounts.wizards.com/
For Magic Online, you may reset your password in the game client.
For DCI accounts, you will receive an email with instructions on how to reset your password.
What Can You Do? As always, it is best practice not to use the same password on multiple systems. While we do not have reason to believe that the data involved has been used maliciously, we still encourage you to change your password if you have used this password for other accounts on non-Wizards systems.
For More Information: If you have any questions about this incident, please contact us at: https://support.wizards.com/hc/en-us or by phone at 1 (800) 324-6496. Please do not provide any personal information in response to this email.
Your privacy matters. We take this issue very seriously and we apologize for the inconvenience.
Sincerely, Wizards of the Coast