League of Legends hacked, salted passwords and credit card numbers stolen


Riot Games has confirmed that a recent security breach affecting North American players of its League of Legends real-time strategy game has led to many users' personal information being accessed.

A large amount of data has been stolen including real names, usernames, email addresses and salted password hashes.

Security Update

The security of your information is critically important to us, so we’re really sorry to share that a portion of our North American account information was recently compromised.

What we know: usernames, email addresses, salted password hashes, and some first and last names were accessed. This means that the password files are unreadable, but players with easily guessable passwords are vulnerable to account theft.

Personal information wasn't all that was acquired through the breach, though: Riot also reported that 120,000 transaction records, including hashed and salted credit card numbers, were lifted from an old payment system it used up until July 2011.

Additionally, we are investigating that approximately 120,000 transaction records from 2011 that contained hashed and salted credit card numbers have been accessed. The payment system involved with these records hasn't been used since July of 2011, and this type of payment card information hasn't been collected in any Riot systems since then.

Storing passwords and credit card numbers that have been hashed and salted is a far more secure option than storing such data in plain text, but there is still some risk that both could be cracked.

If passwords were weak in the first place then it doesn't take long for a dictionary attack to give hackers access to accounts.

Riot certainly seems to think that weak user passwords could be an issue - it's asking gamers in North America to change their passwords to something hard to guess.

League of Legends players will see a prompt next time they attempt to sign into the game or they can change their passwords right now on the site.

Riot is currently developing two new security features in order to better protect its users in the future. But the introduction of two-factor authentication and email verification for new registrations and account changes currently has no implementation date.

League of Legends players may feel that both new security enhancements are long overdue, given that the game experienced a similar breach just last year.

If you are a League of Legends player in North America, go change your password now! And if you've used the same password for other online accounts they are also at risk of being compromised.

Do yourself a favour and choose a different password for every account you operate and, for your own safety, ensure you choose one that is strong and hard to guess.



5 Responses to League of Legends hacked, salted passwords and credit card numbers stolen

  1. Daniel Dainty · 428 days ago

    Why aren't you recommending something like Lastpass for password storage and generation?

    Besides the article you did on them about memory lifting, of course.

  2. Mr C · 428 days ago

    If they haven't been using the CCs then why are they still in the DB?

  3. daniellynet · 428 days ago

    Reading the comments on the announcement on League of Legends' site just makes me sad.

    A lot of people giving you "tips" like "change your password to something new, then change it back again!" and a lot of other people complaining about having to change the password saying it is useless and there is no reason for it. :/

    • Lee · 427 days ago

      You have to understand the playerbase of LoL. The game is free to play and is probably the most popular game in the world right now. The number of "trolls" and jerks that play this game is staggering and the sad thing is that the employees of that company condone it.

  4. Mike · 427 days ago

    Need a follow-up with the company to find out the hashing algorithm


About the author

Lee Munson is the founder of Security FAQs, a social media manager with BH Consulting and a blogger with a huge passion for information security.