Sign in with
Sign up | Sign in

League of Legends Latest Target in Gaming Hacking Spree

By - Source: League of Legends | B 9 comments

Even hashed and salted credit card numbers were accessed.

The League of Legends website reports that a portion of its North American account information was recently compromised. The popular MMO is the latest in a string of game-related website hackings that seemingly started with Ubisoft back in June and moved through Konami, Bohemia Interactive, Club Nintendo Japan, several Crytek sites and possibly more. The site states that League of Legends usernames, email addresses, salted password hashes, and some first and last names were accessed.

"We are investigating that approximately 120,000 transaction records from 2011 that contained hashed and salted credit card numbers have been accessed," the site states. "The payment system involved with these records hasn't been used since July of 2011, and this type of payment card information hasn't been collected in any Riot systems since then."

MORE: Is It Safe to Sign Into Other Sites Using Facebook?

The League of Legends team is now taking appropriate action to notify and safeguard affected players by contacting them via email addresses currently associated with their accounts. Having salted password hashes means that the password files are unreadable, but if players are currently using easily guessable passwords, then they will be vulnerable to account theft. Players are now encouraged to change their passwords to stronger ones that are much harder to guess.

"Our investigation is ongoing and we will take all necessary steps to protect players," the team states. "As a measure to make your accounts safer, within the next 24 hours we’ll require players with accounts in North America to change their passwords to stronger ones that are much harder to guess. At such time, you’ll be automatically prompted to change your password when you attempt to log in to the game."

The League of Legends team is currently working on two new security features to protect players: email verification and a two-factor authentication. With the former solution, all new registrations and account changes will need to be associated with a valid email address. With the latter, changes to an account email and/or password will require verification via an email or mobile device SMS.

In addition to the possible credit card retrieval, one of the big concerns is that the information acquired by the hackers is nearly identical on other game accounts used by the victims, including passwords. While it can be a pain, a good rule of thumb is to have different passwords for different accounts so that one doesn't compromise an entire string of services.

Security blogger Graham Cluley suggests that users not able to keep up with a multitude of usernames and passwords should take advantage of software solutions such as LastPass, 1Password and KeePass. In some cases Google's own Authenticator app will work if the game service supports this feature.

"We’re sincerely sorry about this situation," the League of Legends team stated. "We apologize for the inconvenience and will continue to focus on account security going forward."

Ask a Category Expert

Create a new thread in the Streaming Video & TVs forum about this subject

Example: Notebook, Android, SSD hard drive

This thread is closed for comments
  • 3 Hide
    kracker , August 21, 2013 12:11 PM
  • 2 Hide
    skit75 , August 21, 2013 12:14 PM
    I've seen more and more websites also holding onto old cc information even if they are expired with no easy way to remove the information and I ask, why? Why cannot I remove card information that does not exist. Why do you insist on holding that information? Is that legal?
  • 2 Hide
    10hellfire01 , August 21, 2013 1:19 PM
    I'm still extremely curious as to why this person (or people) are targeting developers. The only thing I can think of is that it's some sort of vendetta, or possibly a random genre of targets, which happened to be developers.

    Makes me wonder too why they aren't targeting publishers, since generally most people hate them more over developers.
  • Display all 9 comments.
  • 0 Hide
    wifiwolf , August 21, 2013 3:10 PM
    At least they have salted hashes
  • 0 Hide
    Dylan Orr , August 21, 2013 6:45 PM
    Them having the hashes sucks.. salted or not it is just a matter of processing power and time to decrypt to plain text.
  • 0 Hide
    americanbrian , August 22, 2013 4:09 AM

    Companies are required to keep records of every transaction they process for the past 7 years in case they get audited by Inland revenue. I would not be surprised if they kept the payment details along with each transaction.
  • 0 Hide
    skit75 , August 22, 2013 10:57 AM

    Keep a record of our transaction.... I've got no problem with that. The bean counters can get everything they need from a sales order. I don't see why they would need my expired cc information on a transaction made with company X, 5 years ago. Actually, I do know why, personal data and content are the currency of the future.
  • 0 Hide
    GNCD , August 23, 2013 12:22 PM
    Comes with the territory. 30 million accounts. nuff said.
  • 0 Hide
    GNCD , August 23, 2013 12:23 PM
    And yeah, nerf Irelia.
Tom’s guide in the world
  • Germany
  • France
  • Italy
  • Ireland
  • UK
Follow Tom’s guide
Subscribe to our newsletter
  • add to twitter
  • add to facebook
  • ajouter un flux RSS