Riot Games has warned players that account information including usernames and email addresses was accessed by hackers, alongside salted password hashes.
The security of your information is critically important to us, so we’re really sorry to share that a portion of our North American account information was recently compromised.
What we know: usernames, email addresses, salted password hashes, and some first and last names were accessed. This means that the password files are unreadable, but players with easily guessable passwords are vulnerable to account theft.
In addition, the game company warns, approximately 120,000 transaction records containing hashed and salted credit card numbers were accessed from an old payment system that Riot Games used until July 2011.
Additionally, we are investigating that approximately 120,000 transaction records from 2011 that contained hashed and salted credit card numbers have been accessed. The payment system involved with these records hasn’t been used since July of 2011, and this type of payment card information hasn’t been collected in any Riot systems since then. We are taking appropriate action to notify and safeguard affected players. We will be contacting these players via the email addresses currently associated with their accounts to alert them. Our investigation is ongoing and we will take all necessary steps to protect players.
Only North American account holders are said to be affected.
The firm is clearly worried that some players may have passwords that are easy for hackers to crack, and so is resetting users’ passwords and requiring them to choose stronger, harder-to-guess passwords.
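Why salting alone does not protect a guessable password, and what a forced reset can check, shown as an added example (not code from Riot Games or from the original article). The algorithm (PBKDF2-HMAC-SHA256), the denylist, the policy thresholds and the account names are all assumptions, since the announcement does not say how the hashes were computed.

```python
import hashlib, hmac, os

# Constructed sample denylist; a real deployment would load a large breached-password list.
COMMON = {"password", "123456", "qwerty", "letmein", "leagueoflegends"}
ITERATIONS = 100_000  # assumed work factor for this demo; follow current guidance in production

def hash_password(password, salt):
    # A slow, salted KDF: the salt defeats precomputed tables, the iteration
    # count makes every individual guess expensive.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify(password, salt, stored):
    return hmac.compare_digest(hash_password(password, salt), stored)

def reset_rejection_reason(password, username, email):
    """Return why a new password is refused at reset time, or None if accepted."""
    lowered = password.lower()
    if len(password) < 12:
        return "too short"
    if lowered in COMMON:
        return "on common-password list"
    local = email.split("@", 1)[0].lower()
    for token in (username.lower(), local):
        if len(token) >= 3 and token in lowered:
            return "contains username or email name"
    return None

def weak_accounts(records):
    """Defender-side audit: accounts whose stored hash matches a denylisted password.
    The salt is stored next to the hash, so anyone holding the records can run the
    same comparison, which is why these accounts need a forced reset."""
    return [user for user, salt, stored in records
            if any(verify(guess, salt, stored) for guess in COMMON)]

def make_record(user, password):
    salt = os.urandom(16)  # unique per account
    return (user, salt, hash_password(password, salt))

# Constructed sample accounts: two share a weak password, one uses a long passphrase.
SAMPLE = [make_record("player1", "qwerty"),
          make_record("player2", "qwerty"),
          make_record("player3", "correct-horse-battery-7")]
```

The two accounts sharing `qwerty` end up with different stored hashes, yet both are flagged by the audit, while the passphrase account is not.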
In addition, Riot Games says that it is working on additional security systems including email verification for account changes and two-factor authentication. No timescale has been given for when these features might be introduced.
An obvious risk, of course, is that some users’ passwords might be cracked alongside their other personal information. That opens the door for other attacks, if game players have used the same password on multiple websites.
If you do make the mistake of reusing passwords, you run the risk of hackers using a cracked password to unlock your other online accounts.
Another risk for exposed League of Legends players is that of being targeted by phishing and other email attacks, by cybercriminals tailoring messages designed to appeal to gamers and spamming them out to the long list of email addresses that has been stolen.