League of Legends online game joins the League of the Hacked

Online real-time strategy game League of Legends, from Riot Games, is the latest large web property – Wikipedia credits the game with over 32 million registrations and millions of active players every day – to own up to a data breach.

The game is divided into three regions (earthly regions, that is, not regions inside the game itself): North America, EU West and EU Nordic and East.

Riot Games has published its security warning only on the European side of the Atlantic, suggesting that North American players are off the hook:

After thorough and urgent investigation with help from independent security experts, we have determined:

* Hackers gained access to certain personal player data contained in certain EU West and EU Nordic & East databases; as a security precaution, we're emailing all players on these platforms.

* The most critical data accessed included email address, encrypted account password, summoner name, date of birth, and – for a small number of players – first and last name and encrypted security question and answer. (Note: Security question and answer are no longer used in our account recovery process.)

* Absolutely no payment or billing information of any kind was included in the breach

Even though we store passwords in encrypted form only, our security investigation determined that more than half of the passwords were simple enough to be at risk of easy cracking.

Sadly, Riot Games doesn’t actually say when it thinks the breach happened, only that it has now been investigated and reported. Nevertheless, the company’s notification is, in my opinion, frank and helpful. The article was placed in the Latest News section on the main page of the relevant websites, and states fairly clearly what was stolen, and what was not.

(A little more detail on the “encrypted passwords” would have been nice – for example, whether they were simply hashed, or had been salted and repeatedly hashed, thus thwarting a precomputed dictionary attack.)

The disappointing but woefully familiar part is the advice that more than half of the passwords were simple enough to be at risk of easy cracking.

What this almost certainly means is that the security investigators set about cracking the password database themselves – with suitable authorisation, of course – as a way of judging what sort of advice to give. If they could quickly recover half the passwords, so could a hacker.

Even with salting and repeated hashing, a dictionary attack is possible, albeit much more slowly than with unsalted, singly-hashed passwords. And hackers try the most obvious passwords first, so that the weakest accounts get cracked soonest.

Computer security is supposed to be something we do out of community spirit, and for altruistic reasons.

But that doesn’t mean we can’t aim to be better and safer than everyone else – especially when it comes to choosing decent passwords (and not using the same password on multiple sites).

Remember the joke about the two blokes out in the bush who come upon a pack of hungry lionesses out on the hunt? For a moment they’re both frozen in terror. Then the first bloke suddenly tears off his hiking boots, slips on the trainers he usually wears in camp, and tosses his rucksack aside.

The second bloke says, “Man, you’re dreaming. You’ll never outrun those lions.”

To which the first fellow replies, as he turns to sprint away, “I don’t have to outrun the lions. I only have to outrun you.”

NB. Thanks to Naked Security reader Kjell-Arvid Helgeneseth for writing to us about this issue.