An email was sent to certain Wizards of the Coast accounts today about a security breach regarding a legacy database. The affects accounts have been urged to reset their passwords – be sure to check your spam mail as well especially if your account had been created a while ago. Below is the copy of the email sent.
Dear Wizards Community:
We are writing to let you know about a recent security incident at Wizards of the Coast.
What Happened? On November 14, 2019, we learned that an internal database file from a decommissioned version of the Wizards of the Coast website login had inadvertently been made accessible outside the company. We believe that this was an isolated incident, limited to a legacy database and unrelated to our current systems. Based on our current investigation, we have no reason to believe that any malicious use has been made of the data. However, in an abundance of caution, we are sending you this notice to let you know what happened, what steps we are taking as a result, and what steps we are encouraging you to take to protect yourself.
What Information Was Involved? The database file included the following types of information: first and last names, email addresses, and passwords stored in “hashed and salted” format. This means that the passwords were not stored in plain text but were secured cryptographically. No payment or other financial information was included in this database.
What Are We Doing? Upon learning of this incident, we removed the database file from our server and commenced an investigation to determine the scope of the incident. In an abundance of caution, we are notifying the users whose information was contained in the database. For those of you that have an active Wizards account(s) (e.g., Arena, Magic Online, etc.), you have 7 days to reset your password(s). After that, your password(s) will be manually reset, and you will be required to make new password(s) to login.
For Arena, you may reset your password here: https://myaccounts.wizards.com/
For Magic Online, you may reset your password in the game client.
For DCI accounts, you will receive an email with instructions on how to reset your password.
What Can You Do? As always, it is best practice not to use the same password on multiple systems. While we do not have reason to believe that the data involved has been used maliciously, we still encourage you to change your password if you have used this password for other accounts on non-Wizards systems.
For More Information If you have any questions about this incident please contact us at: https://support.wizards.com/hc/en-us or by phone at 1 (800) 324-6496. Please do not provide any personal information in response to this email.
Your privacy matters. We take this issue very seriously and we apologize for the inconvenience.
Sincerely, Wizards of the Coast
For players logged in already, you must log out first and go here https://myaccounts.wizards.com/forgot to make a new password.
If you have not been sent this email, that means your account is on the new database and remains unaffected, but it is best to practice safe account security measures such as using strong passwords.