League of Legends breach leaks passwords, credit cards

August 21, 2013 // 9:17 a.m.

Tags: #credit-card #data-breach #esports #hash #insecurity #league-of-legends #passwords #riot-games #salt #security #vulnerability

League of Legends developer Riot Games has admitted to a security breach which has seen attackers make off with usernames, passwords and credit card details of some 120,000 of its customers.

League of Legends, released in 2009, quickly became one of the most popular competitive multiplayer games around. Tournaments are often held with prize funds in the thousands of pounds - but some ne'er-do-wells have found an easier way to use the game to get rich: stealing credit card details.

The company has confirmed that attackers have made off with data held on its North American customers including usernames, email addresses, password hashes, and first and last names. More worryingly, around 120,000 transaction records from 2011 were also accessed - including hashed credit card numbers.

'The payment system involved with these records hasn't been used since July of 2011, and this type of payment card information hasn't been collected in any Riot systems since then,' a statement on the matter attributed to Riot's Marc Merrill and Brandon Beck claims. 'We are taking appropriate action to notify and safeguard affected players. We will be contacting these players via the email addresses currently associated with their accounts to alert them.'

The seriousness of the breach is somewhat mitigated by the company's data protection measures: all passwords and credit card details held on the system were scrambled using a one-way hash function and further protected with a salt, meaning two users with the same password end up with two different hashes. Each hash must therefore be attacked separately, which makes brute-force attacks on the database significantly more difficult.

That doesn't mean attacks are impossible, however: users with common passwords, especially those found in a dictionary, will likely have had their passwords cracked already. Credit card numbers, meanwhile, are also susceptible to brute-force attacks despite their length, because they are made up only of digits.
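The two points above, as an added illustration that is not from the article or from Riot: a per-record salt makes identical passwords hash differently and forces each record to be attacked on its own, while the keyspace of a digit-only secret stays small regardless of salting. The PBKDF2 work factor, the sample password and the 1e9 guesses-per-second rate are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import math
import os
from typing import Optional, Tuple

ITERATIONS = 600_000  # PBKDF2 work factor; an assumed value, not Riot's setting


def unsalted_sha256(secret: str) -> str:
    """Plain one-way hash: identical inputs always give identical digests."""
    return hashlib.sha256(secret.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). Returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random secret of `length` symbols drawn from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def days_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case days to try every value at an assumed guess rate against a fast hash."""
    return 2 ** bits / guesses_per_second / 86_400


if __name__ == "__main__":
    # Same (constructed) password stored for two users: unsalted digests collide, salted ones do not.
    print(unsalted_sha256("password123") == unsalted_sha256("password123"))  # True
    s1, d1 = hash_password("password123")
    s2, d2 = hash_password("password123")
    print(d1 != d2, verify_password("password123", s1, d1))  # True True
    # Digit-only card numbers: a salt blocks precomputed tables but not a per-record search,
    # and real card numbers carry far less than the ~53 bits below because of their fixed structure.
    for label, bits in (("16-digit card", keyspace_bits(10, 16)), ("8-char alphanumeric password", keyspace_bits(62, 8))):
        print(f"{label}: {bits:.1f} bits, ~{days_to_exhaust(bits, 1e9):.0f} days at 1e9 guesses/s")
```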

'As a measure to make your accounts safer, within the next 24 hours we’ll require players with accounts in North America to change their passwords to stronger ones that are much harder to guess,' the company's statement adds. 'Additionally, new security features that are currently in development include: email verification: all new registrations and account changes will need to be associated with a valid email address (we’ll also require all existing players to provide a valid email address); two-factor authentication: changes to account email or password will require verification via email or mobile SMS.

'We’re sincerely sorry about this situation,' the company concludes. 'We apologise for the inconvenience and will continue to focus on account security going forward.'
