League of Legends Accounts Compromised

All North American League of Legends players will be prompted to change their passwords.

Just a heads up that Riot Games has reported that a portion of North American League of Legends account information was recently compromised. Usernames, email addresses, salted password hashes, and some first and last names were accessed. Riot claims that "salted password hashes" are unreadable, but players with easily-guessed passwords may have their accounts compromised. As a precaution, all North American players will soon be prompted to reset their passwords.
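Why a salt alone does not protect an easily guessed password, as an added example (not code from Riot or from this article): the page does not say which hash function Riot used, so the single-round salted SHA-256 below, the PBKDF2 work factor, the wordlist and the accounts are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed wordlist and accounts for illustration; nothing here is breach data.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "dragon"]

def fast_hash(password: str, salt: bytes) -> bytes:
    """Assumed weak scheme: one round of SHA-256 over salt + password."""
    return hashlib.sha256(salt + password.encode()).digest()

def slow_hash(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """PBKDF2-HMAC-SHA256: every guess costs `iterations` hash rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def make_record(user: str, password: str, hasher) -> dict:
    salt = os.urandom(16)  # unique per account
    return {"user": user, "salt": salt, "hash": hasher(password, salt)}

def accounts_needing_reset(records, hasher, wordlist=COMMON_PASSWORDS):
    """Defender-side audit: users whose stored hash matches a common password."""
    flagged = []
    for rec in records:
        for guess in wordlist:
            candidate = hasher(guess, rec["salt"])
            if hmac.compare_digest(candidate, rec["hash"]):
                flagged.append(rec["user"])
                break
    return flagged

def demo(hasher=fast_hash):
    records = [
        make_record("alice", "password", hasher),
        make_record("bob", "password", hasher),
        make_record("carol", "Tr4verse-kettle-Odd-91", hasher),
    ]
    # Same password, different salts: the stored hashes do not match each other.
    same_hash = records[0]["hash"] == records[1]["hash"]
    return same_hash, accounts_needing_reset(records, hasher)

if __name__ == "__main__":
    print(demo())
```

The salt stops two accounts with the same password from sharing a hash, but both are still flagged by the audit; switching to `slow_hash` flags the same accounts and only raises the cost of each guess.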

Additionally, Riot is investigating a theft of approximately 120,000 transaction records from 2011 that contained hashed and salted credit card numbers. Again, Riot assures us that salted credit card numbers are "unreadable", that the payment system involved with these records hasn't been used since July of 2011, and that this type of payment card information hasn't been collected in any Riot systems since then.

Riot says it is taking the necessary steps to notify and safeguard affected players, but it wouldn't hurt to keep an eye on your credit card transactions in the near future if you have ever bought Riot Points from the League of Legends store.

As well as being prompted to change your password by Riot e-mail, you can manually do it yourself by clicking this link. Riot tells us that it is working on some additional security features to make sure this doesn't happen again, such as e-mail verification for account changes, and mobile SMS authentication.

"We're sincerely sorry about this situation. We apologize for the inconvenience and will continue to focus on account security going forward," said Riot Games' Marc Merrill and Brandon Beck.

Source: Riot Games

EU West FTW!!!!

Was a little annoyed when I read the title though, I'd had the game on my computer for 6 months but only started playing 2 days ago. Would've been pissed if my account had suddenly been compromised as soon as I start playing.

OCE's okay, right?

Please let OCE be ok.

Oh, and my heart goes out to everyone on NA who'll be deprived of their Webcrack for however long this takes to sort out.

Ninjat_126:
OCE's okay, right?

Please let OCE be ok.

Oh, and my heart goes out to everyone on NA who'll be deprived of their Webcrack for however long this takes to sort out.

No outages, they did a security update last night and once everyone changes their passwords, life will resume.

Luckily, most people I know use pre-paid cards for money purchases anyway.

OH NO- oh wait I don't play LoL anymore nor US.

Carry on.

I'd not be surprised if every online game company has had their database compromised at least once... there just doesn't seem to be any fail-safe way to store info without inconveniencing users further.

AHahaha, salted password hashes unreadable?

Bull to the shit. Unreadable without cracking them first maybe, but it's disgustingly easy to crack that stuff even at script kiddy level. Stop lying Riot.

Ars Technica has loads of articles about how easy it is to crack salted password hashes.

"At any given time, Redman is likely to be running thousands of cryptographically hashed passwords through a PC containing four of Nvidia's GeForce GTX 480 graphics cards. It's an "older machine," he conceded, but it still gives him the ability to cycle through as many as 6.2 billion combinations every second."

See
http://arstechnica.com/security/2012/08/passwords-under-assault/
and
http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
for more.

I'm not surprised. Back when I used to play LoL, I regularly saw people exploiting the shitty server security to fuck with the game. When I got past a certain level, it was happening almost every other fight. And there's YouTube videos galore where people brag about how easy the league servers are to hack and break (by which the video makers actually mean, "use premade programs to exploit loopholes that I downloaded from untrustworthy software sites and now I have a shit-ton of viruses on my computer that I don't know about, lolnoobz!"). It's why I stopped playing LoL.

Elate:
AHahaha, salted password hashes unreadable?

Bull to the shit. Unreadable without cracking them first maybe, but it's disgustingly easy to crack that stuff even at script kiddy level. Stop lying Riot.

Maybe their salted passwords also have a little pepper in them, making it more spiicy than when it's just salt?

On Topic:

I hope nothing more serious comes out of this.
Often you see stories like this and then they don't continue in any way, someone just wanted to prove that he/she could get info from their databases I guess.

Good thing I don't spend any money on LoL or I might be worried.

This article doesn't even take into account all the drama on the forums. There's a player named PvP behind a lot of this. Even if he's just a mouthpiece for someone who's actually doing it, he's definitely involved.

Here's the run down:

XJ9 (fag) boosted GEM (whore) in ranked and then it turned out she was just using him. He spewed his toxin all over the forums and the game and was eventually permabanned. Some strange shit went down and then everyone started calling for GEM to be permabanned. Some white-knight was changing the forums posts of people saying bad things about GEM and was even hacking their accounts and transferring them to other regions. The latest I saw was this dude that had his NA account sent to Oceania.

So people were posting in a mega-thread on the forums about the security issues and for a while there was no response. Then finally they got one and it was some passive cover-up type post. Turns out that the dude hacking the accounts managed to get a hold of some Riot accounts and was using his status to try and play off the issue. Riot eventually regained control and actually deleted the thread because it was full of "Rioters" posting false information.

Chat between Godtrox (hacked player) and PvP (hacker). Oh and "Pikachu" is GEM. Somehow she got priority in the name change when Riot did a sweep of unused account names.

Part 1: http://i.imgur.com/iZE0amo.png
Part 2: http://i.imgur.com/fWiH6zN.png
Part 3: http://i.imgur.com/82YPQMl.png
Part 4: http://i.imgur.com/suoLXeA.png
Part 5: http://i.imgur.com/01nMmk4.png
Part 6: http://i.imgur.com/eg8RfKD.png

 
