Wizards security breach - Change your passwords
By: andreliverod - 16 Nov 2019
Wizards sent out an email warning about a security breach in their systems. While their investigations lead them to believe the data has not been used for anything malicious, we recommend that you change your password, and also change it on any other important accounts where you use the same password.
To expand on the "hashed and salted" format: it means that the password is salted with a specific string before it is hashed, making it very hard to figure out your password without knowing their secret string. How safe this mechanism is also depends on which hashing algorithm they use, which is not stated.
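To make "hashed and salted" concrete, here is an added example (not code from Wizards or from the original post) of storing and checking a password. It assumes the common construction, a random per-user salt stored beside the hash, and PBKDF2-HMAC-SHA256 with an illustrative iteration count as the slow algorithm; the email does not say what Wizards used, and all function names are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor for this example


def fast_salted_hash(password: str, salt: bytes) -> bytes:
    """Salted but fast: a single SHA-256 pass costs a guesser almost nothing."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Build a storable record: algorithm, cost, salt and hash in one string."""
    salt = os.urandom(16)  # fresh random salt per user, stored beside the hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def needs_rehash(record: str, target: int = ITERATIONS) -> bool:
    """True when a stored record was made with a lower work factor than today's."""
    return int(record.split("$")[1]) < target


if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    alice = make_record("correct horse battery staple", iterations=1_000)
    bob = make_record("correct horse battery staple", iterations=1_000)
    print(alice != bob)            # different salts, so different records
    print(verify("correct horse battery staple", alice))
    print(needs_rehash(alice))     # legacy cost, upgrade at next login
```

The salt only stops identical passwords from sharing a hash; the per-guess cost comes from the algorithm and its work factor, which is why an unstated algorithm leaves the real strength of a leaked legacy file unknown.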
The link to reset the password is not quite right, as it leads you to the login screen. If you want to reset your MTGA password, you have to click the forgot password button and put in your email address. This is the link you want to use: https://myaccounts.wizards.com/forgot
One good thing to come out of GDPR is that companies are now obliged to send out information like this to EU citizens when compromised, or face big fines, instead of hiding said information and hoping for the best. Use these useful links to check whether there is any obvious breach of your email or passwords:
Original email from Wizards:
Dear Wizards Community:
We are writing to let you know about a recent security incident at Wizards of the Coast.
On November 14, 2019, we learned that an internal database file from a decommissioned version of the Wizards of the Coast website login had inadvertently been made accessible outside the company. We believe that this was an isolated incident, limited to a legacy database and unrelated to our current systems. Based on our current investigation, we have no reason to believe that any malicious use has been made of the data. However, in an abundance of caution, we are sending you this notice to let you know what happened, what steps we are taking as a result, and what steps we are encouraging you to take to protect yourself.
What Information Was Involved?
The database file included the following types of information: first and last names, email addresses, and passwords stored in “hashed and salted” format. This means that the passwords were not stored in plain text but were secured cryptographically. No payment or other financial information was included in this database.
What Are We Doing?
Upon learning of this incident, we removed the database file from our server and commenced an investigation to determine the scope of the incident. In an abundance of caution, we are notifying the users whose information was contained in the database. For those of you that have an active Wizards account(s) (e.g., Arena, Magic Online, etc.), you have 7 days to reset your password(s). After that, your password(s) will be manually reset, and you will be required to make new password(s) to login.
- For Arena, you may reset your password here: https://myaccounts.wizards.com/
- For Magic Online, you may reset your password in the game client.
- For DCI accounts, you will receive an email with instructions on how to reset your password.
What Can You Do?
As always, it is best practice not to use the same password on multiple systems. While we do not have reason to believe that the data involved has been used maliciously, we still encourage you to change your password if you have used this password for other accounts on non-Wizards systems.
For More Information
If you have any questions about this incident please contact us at: https://support.wizards.com/hc/en-us or by phone at 1 (800) 324-6496. Please do not provide any personal information in response to this email.
Your privacy matters. We take this issue very seriously and we apologize for the inconvenience.
Wizards of the Coast
André Liverød Founder and CEO of AetherHub.com, techie, senior IT Network consultant, web dev, and MTG enthusiast. Likes to play with fire. You can follow André on Twitter.
"Nuts & Bolts Spike spends his energy looking within. He tries to understand his own internal flaws and works to improve them"