North American players of Riot Games’ massively popular title League of Legends woke up to a less than enjoyable email this morning. Titled “Important Security Update and Password Reset”, it covers how a portion of the North American user base had their account information compromised:
What we know: user names, email addresses, salted password hashes, and some first and last names were accessed. This means that the password files are unreadable, but players with easily guessable passwords are vulnerable to account theft.
Additionally, we are investigating that approximately 120,000 transaction records from 2011 that contained hashed and salted credit card numbers have been accessed. We are taking appropriate action to notify and safeguard affected players. We will be contacting these players via the email addresses currently associated with their accounts to alert them. Our investigation is ongoing and we will take all necessary steps to protect players.
The good news is that since both the password and credit card hashes were salted, they’ll be significantly more difficult to crack. At least Riot Games doesn’t have a LinkedIn fiasco on their hands. Regardless, the fact that a third party was able to obtain this information is a pretty dark stain on Riot Games’ reputation. Events like this erode players’ trust and may make them think twice about breaking out the credit card to buy additional characters next time.
Riot Games obviously has some explaining to do. No mention is made in the email of how the information was compromised or when. The closest we’re getting to a timeframe right now is “recently”. To their credit, though, they’re working on implementing additional security features:
Additionally, new security features that are currently in development include:
- Email verification: all new registrations and account changes will need to be associated with a valid email address (we’ll also require all existing players to provide a valid email address).
- Two-factor authentication: changes to account email or password will require verification via email or mobile SMS.
To their discredit, these features should have already been implemented; waiting until after you suffer a setback like this before taking proper safety precautions seems more than a little negligent. At any rate, if you’re a North American League of Legends player, be on the lookout for a second email about the possibility of your credit card information being affected if you used a card there in 2011. Hopefully Riot Games will be able to clean this up without too much fallout.