MTG Arena and Magic Online suffer security data breach

All players will need to reset passwords within the next seven days.


A data breach has been reported by Wizards of the Coast, affecting MTG Arena and Magic Online users.

According to an email sent to affected users, a legacy Wizards of the Coast database was breached on Nov. 14. The incident is being reported as non-malicious, and the information was obtained outside the company.

“Dear Wizards community, we are writing to let you know of a recent security incident at Wizards of the Coast,” WotC said. “On Nov. 14, we learned that an internal database file from a decommissioned version of the WotC login had inadvertently been made accessible outside the company.

“We believe this was an isolated incident related to a legacy database and is unrelated to our current systems. Based on our current investigation, we have no reason to believe that any malicious use has been made of the data.”

Here is what was on the Wizards of the Coast MTG Arena and Magic Online database file:

  • First and last name
  • Email address
  • Password

According to WotC, the passwords on the file were stored in hashed and salted form, meaning they were secured cryptographically and are extremely difficult to decipher. No payment or financial information was on the database that was breached.

Once WotC became aware of the breach, it launched an investigation to determine the scope of the incident. As a precautionary measure, Wizards of the Coast is asking all MTG Arena and Magic Online users to change their passwords in the next seven days. 

Some players may not have received an email because their information was not on the database. But those players are still required to reset their passwords within the next seven days, or WotC will manually reset them.

Here is how Magic players can reset their passwords:

  • MTG Arena: myaccounts.wizards.com
  • Magic Online: In the game client
  • DCI accounts: Players will receive an email on how to reset the password


WotC's response to the data breach has been quick and, for now, it seems that the company has everything under control.