Even hashed and salted credit card numbers were accessed.
The League of Legends website reports that a portion of its North American account information was recently compromised. The popular MMO is the latest in a string of game-related website hackings that seemingly started with Ubisoft back in June and moved through Konami, Bohemia Interactive, Club Nintendo Japan, several Crytek sites and possibly more. The site states that League of Legends usernames, email addresses, salted password hashes, and some first and last names were accessed.
"We are investigating that approximately 120,000 transaction records from 2011 that contained hashed and salted credit card numbers have been accessed," the site states. "The payment system involved with these records hasn't been used since July of 2011, and this type of payment card information hasn't been collected in any Riot systems since then."
The League of Legends team is now taking appropriate action to notify and safeguard affected players by contacting them via the email addresses currently associated with their accounts. Salting and hashing means the stolen password data cannot be read directly, but easily guessable passwords can still be recovered by guessing, so players who use such passwords remain vulnerable to account theft. Players are now encouraged to change their passwords to stronger ones that are much harder to guess.
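As an added illustration of the point above (example code, not Riot's own), the block below stores passwords as salted PBKDF2 hashes and then runs the kind of audit a service can perform on its own database after a breach: a per-user salt means two players with the same password do not share a hash, yet a salted hash of a guessable password still falls to a short list of common passwords, which is why a forced reset to stronger passwords matters. The wordlist and sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Constructed stand-in for the common-password lists used to judge guessability.
COMMON_PASSWORDS = ["123456", "password", "leagueoflegends", "qwerty", "summoner1"]

ITERATIONS = 100_000  # PBKDF2 work factor; raise it as the server budget allows


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). A fresh random salt per user means identical
    passwords produce different stored hashes, so one recovered password does
    not expose every account that shares it."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)


def guessable_from_hash(salt: bytes, stored: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Defender-side audit: does this stored salted hash fall to a short list of
    common passwords? The salt is stored beside the hash, so it offers no
    protection here; only the strength of the password itself does."""
    for candidate in wordlist:
        if verify_password(candidate, salt, stored):
            return candidate
    return None
```

Accounts for which `guessable_from_hash` returns a match are exactly the ones a forced password change protects; for strong passwords the salted hash reveals nothing even to an attacker holding the database.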
"Our investigation is ongoing and we will take all necessary steps to protect players," the team states. "As a measure to make your accounts safer, within the next 24 hours we’ll require players with accounts in North America to change their passwords to stronger ones that are much harder to guess. At such time, you’ll be automatically prompted to change your password when you attempt to log in to the game."
The League of Legends team is currently working on two new security features to protect players: email verification and two-factor authentication. With the former, all new registrations and account changes will need to be associated with a valid email address. With the latter, changes to an account's email address and/or password will require verification via email or a mobile-device SMS.
In addition to the possible credit card retrieval, one of the big concerns is that victims often use nearly identical details, including passwords, on their other game accounts, so the information acquired by the hackers could unlock those accounts too. While it can be a pain, a good rule of thumb is to have different passwords for different accounts so that one breach doesn't compromise an entire string of services.
Security blogger Graham Cluley suggests that users not able to keep up with a multitude of usernames and passwords should take advantage of software solutions such as LastPass, 1Password and KeePass. In some cases Google's own Authenticator app will work if the game service supports this feature.
"We’re sincerely sorry about this situation," the League of Legends team stated. "We apologize for the inconvenience and will continue to focus on account security going forward."