Citation :
Dear Wizards Community:
We are writing to let you know about a recent security incident at Wizards of the Coast.
What Happened? On November 14, 2019, we learned that an internal database file from a decommissioned version of the Wizards of the Coast website login had inadvertently been made accessible outside the company. We believe that this was an isolated incident, limited to a legacy database and unrelated to our current systems. Based on our current investigation, we have no reason to believe that any malicious use has been made of the data. However, in an abundance of caution, we are sending you this notice to let you know what happened, what steps we are taking as a result, and what steps we are encouraging you to take to protect yourself.
What Information Was Involved? The database file included the following types of information: first and last names, email addresses, and passwords stored in “hashed and salted” format. This means that the passwords were not stored in plain text but were secured cryptographically. No payment or other financial information was included in this database.
What Are We Doing? Upon learning of this incident, we removed the database file from our server and commenced an investigation to determine the scope of the incident. In an abundance of caution, we are notifying the users whose information was contained in the database. For those of you that have an active Wizards account(s) (e.g., Arena, Magic Online, etc.), you have 7 days to reset your password(s). After that, your password(s) will be manually reset, and you will be required to make new password(s) to login.
For Arena, you may reset your password here: https://myaccounts.wizards.com/
For Magic Online, you may reset your password in the game client.
For DCI accounts, you will receive an email with instructions on how to reset your password.
What Can You Do? As always, it is best practice not to use the same password on multiple systems. While we do not have reason to believe that the data involved has been used maliciously, we still encourage you to change your password if you have used this password for other accounts on non-Wizards systems.
For More Information If you have any questions about this incident please contact us at: https://support.wizards.com/hc/en-us or by phone at 1 (800) 324-6496. Please do not provide any personal information in response to this email.
Your privacy matters. We take this issue very seriously and we apologize for the inconvenience.
Sincerely, Wizards of the Coast
Le mot de passe sera réinitialisé automatiquement sous 7 jours si vous êtes concernés. Cependant il vaut mieux le réinitialiser au plus tôt. Et surtout, changer le mot de passe sur tous les sites
où vous utilisez le même, à commencer par les boîtes mails (qui peuvent être utilisées pour générer de nouveaux mots de passe sur la plupart des sites où vous avez associé cette adresse mail !).
Il semblerait que la fuite concerne 3 services (MTGO, Arena, comptes DCI), mais je ne sais pas si le fait de changer le mot de passe sur l'un de ces services le change aussi sur les 2 autres (possible vu que la base de données était commune). A vous de voir (je ne suis inscrit sur aucun des trois, donc ne peux vérifier).
Citation :
Ça c'est de la phrase intelligente: votre mot de passe étaient protégés, sauf qu'en fait ils ne l'étaient pas :o)
Aucun chiffrement n'est infaillible. En l'occurrence il ne s'agissait d'ailleurs même pas de chiffrement mais de hachage (+ salage) - ce qui veut dire que même Wizards n'est pas en mesure de retrouver le mot de passe d'un utilisateur à partir de cette information (contrairement à du chiffrement, où la clé de déchiffrement permettrait de retrouver le mot de passe). Ce n'est pas une technique infaillible non-plus, mais les risques sont tout de même
extrêmement limités. Le plus embêtant dans tout ça, c'est probablement plus la fuite de données personnelles que le risque lié au craquage du mot de passe.
Légende
AVATAR
Légende