Riot Games has confirmed that a recent security breach affecting North American players of its League of Legends real-time strategy game has led to many users’ personal information being accessed.
A large amount of data has been stolen including real names, usernames, email addresses and salted password hashes.
“The security of your information is critically important to us, so we’re really sorry to share that a portion of our North American account information was recently compromised.
“What we know: usernames, email addresses, salted password hashes, and some first and last names were accessed. This means that the password files are unreadable, but players with easily guessable passwords are vulnerable to account theft.”
Personal information wasn’t all that was acquired through the breach, though – Riot also reported that 120,000 transaction records, including hashed and salted credit card numbers, were lifted from an old payment system it used up until July 2011.
“Additionally, we are investigating that approximately 120,000 transaction records from 2011 that contained hashed and salted credit card numbers have been accessed. The payment system involved with these records hasn’t been used since July of 2011, and this type of payment card information hasn’t been collected in any Riot systems since then.”
Storing passwords and credit card numbers that have been hashed and salted is far more secure than storing such data in plain text, but there is still some risk that both could be cracked.
If passwords were weak in the first place then it doesn’t take long for a dictionary attack to give hackers access to accounts.
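Why salting alone does not protect a weak password, shown from the defender's side as an added example that is not from the article or from Riot: an operator audits its own stored hashes against a list of common passwords to decide which accounts need a forced reset. The use of PBKDF2, the iteration count, the account names and the short wordlist are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example; tune to your hardware
# Constructed stand-in for a real list of commonly used passwords.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "dragon"]


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn per account."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def audit_weak_passwords(records, wordlist):
    """Return accounts whose stored hash matches a common password.

    The salt is stored beside the hash, so it only prevents precomputed
    tables and hides reuse; each guess is still testable per account.
    """
    return sorted(
        user for user, (salt, digest) in records.items()
        if any(verify_password(guess, salt, digest) for guess in wordlist)
    )


def sample_records():
    """Constructed accounts: two share a weak password, one is random."""
    return {
        "alice": hash_password("dragon"),
        "bob": hash_password("dragon"),
        "carol": hash_password(os.urandom(12).hex()),
    }


if __name__ == "__main__":
    records = sample_records()
    # Same password, different salts: the stored digests do not match.
    print(records["alice"][1] != records["bob"][1])
    # Accounts that should be forced through a password reset.
    print(audit_weak_passwords(records, COMMON_PASSWORDS))
```

The slow key-derivation function raises the cost of every guess, but only a password that is absent from any wordlist keeps an account out of the audit's results.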
Riot certainly seems to think that weak user passwords could be an issue – it’s asking gamers in North America to change their passwords to something hard to guess.
League of Legends players will see a prompt next time they attempt to sign into the game or they can change their passwords right now on the site.
Riot is currently developing two new security features in order to better protect its users in the future. But the introduction of two-factor authentication and email verification for new registrations and account changes currently has no implementation date.
League of Legends players may feel that both new security enhancements are long overdue, given that the game experienced a similar breach just last year.
If you are a League of Legends player in North America, go change your password now! And if you’ve used the same password for other online accounts, they are also at risk of being compromised.
Do yourself a favour and choose a different password for every account you operate and, for your own safety, ensure you choose one that is strong and hard to guess.