Riot Games, the developers of the popular League of Legends MOBA (Multiplayer Online Battle Arena), have issued a press statement concerning recent hacks that resulted in critical, player-sensitive information being stolen from the League of Legends servers.
Riot Games developers Marc Merrill and Brandon Beck caution all players to reset their passwords for both their League of Legends profiles and e-mail addresses and urge players to be wary of unauthorised credit card purchases.
“What we know: usernames, email addresses, salted password hashes, and some first and last names were accessed. This means that the password files are unreadable, but players with easily guessable passwords are vulnerable to account theft.”
“Additionally, we are investigating that approximately 120,000 transaction records from 2011 that contained hashed and salted credit card numbers have been accessed. The payment system involved with these records hasn’t been used since July of 2011, and this type of payment card information hasn’t been collected in any Riot systems since then. We are taking appropriate action to notify and safeguard affected players. We will be contacting these players via the email addresses currently associated with their accounts to alert them. Our investigation is ongoing and we will take all necessary steps to protect players.”
Players can reset their password through a secure link provided by Riot Games, and are cautioned to be wary of social engineering attacks that may look like they’re coming from Riot Games.
Riot Games have also announced that they are proceeding with implementing new security measures which will be available as soon as possible. These include:
- Email verification: all new registrations and account changes will need to be associated with a valid email address (we’ll also require all existing players to provide a valid email address).
- Two-factor authentication: changes to account email or password will require verification via email or mobile SMS.
Salted password hashes are produced by combining each plain-text password with a random value (the salt) and passing the result through a one-way hashing algorithm, which produces a seemingly random string of letters and numbers. Salted hashes are easier to implement and more time-consuming to crack than properly encrypted authentication schemes.
Passwords can still be cracked if the hacker has the salted hashes and makes enough password guesses to find one that produces a matching hash, which is why Riot Games will keep a close watch on those identified 120,000 account records that were stolen.
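To make the point about easily guessable passwords concrete, here is an added example (not code from Riot Games or from the original article) of salted hashing and of a defender-side audit that flags accounts whose stored hash matches a commonly used password. The choice of PBKDF2-HMAC-SHA256, the iteration count, the account names and the passwords are all assumptions; the article does not say which algorithm Riot used.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Assumed work factor for this example; not taken from the article.
ITERATIONS = 50_000


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is generated per account."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def audit_guessable(records: dict[str, tuple[bytes, bytes]], common: list[str]) -> list[str]:
    """Return the accounts whose stored hash matches a commonly used password."""
    flagged = []
    for user, (salt, digest) in records.items():
        if any(verify_password(guess, salt, digest) for guess in common):
            flagged.append(user)
    return sorted(flagged)


# Constructed sample data: account names and passwords are invented for illustration.
SAMPLE_RECORDS = {
    "summoner_a": hash_password("password1"),
    "summoner_b": hash_password("password1"),
    "summoner_c": hash_password("vT9#qLm2!xRz7&Ku"),
}
COMMON_PASSWORDS = ["123456", "password1", "qwerty", "letmein"]

if __name__ == "__main__":
    # Same password, different salts: the stored digests differ.
    print(SAMPLE_RECORDS["summoner_a"][1] != SAMPLE_RECORDS["summoner_b"][1])
    # Only the accounts using a common password are flagged for a forced reset.
    print(audit_guessable(SAMPLE_RECORDS, COMMON_PASSWORDS))
```

The salt keeps identical passwords from sharing a digest, but it does nothing for a password that appears on a common-password list, which is why a forced reset for flagged accounts is the practical follow-up.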