Yesterday, League of Legends developer Riot Games detailed in a blog post that accounts for their North American customers would require a password reset due to a recent security breach.
“The security of your information is critically important to us, so we’re really sorry to share that a portion of our North American account information was recently compromised,” said Riot in their post.
In addition, Riot states that about 120,000 “transaction records” from 2011 had been accessed, all of which contained hashed or salted credit card numbers for their customers.
In case you aren’t familiar, hashing is a process where data is pushed through a complex algorithm to produce a fixed-length value. A salt is a random value used in a hash algorithm to make it more secure. Hashing is used to verify the integrity of data and protect sensitive information, like passwords. Common hash algorithms include md5 and SHA-1.
There’s no telling what the fallout of this will be, but if Riot is being truthful the blow may be softened if the information is in fact from 2011—there’s a good chance that a lot of customers have changed credit card numbers since then. However, personal information like names, addresses, and phone numbers would still be exposed.
In response, Riot is forcing their North American players to change their passwords immediately. The developer also claims to be working on new security features to include e-mail and two-factor authentication.
Not to be too harsh, but verification of accounts through e-mail should be something they’re doing already. While not a perfect solution, e-mail verification can prevent a lot of unauthorized account access attempts and adds another layer of defense.
Two-factor authentication can be a great solution if done correctly; other gaming companies like Blizzard—the makers of World of Warcraft—have implemented an authenticator device as a way to protect their players. Even still, a simple SMS message to your phone would likely be enough for League of Legends gamers.
Hackers are always looking for a way into popular online attractions like League of Legends, whether it’s for financial gain, or just showing off their skills. But fun for some can mean a lot of headaches for others. It’s unfortunate to say that security breaches like these happen all the time; just last month we blogged about a similar situation with Ubisoft getting hacked. It’s equally unfortunate that consumers are the paying the price for these attacks along with the companies.
The enhanced features from Riot should go a long to protect their customers, but security begins with you, so make sure you’re at least using complex passwords for all of your logins. Also, think carefully before you allow companies to store your credit card information, as it’s possible they could be the next victim of a cyberattack.
Who will the next victim be?
Joshua Cannell is a Malware Intelligence Analyst at Malwarebytes where he performs research and in-depth analysis on current malware threats. He has over 5 years of experience working with US defense intelligence agencies where he analyzed malware and developed defense strategies through reverse engineering techniques. His articles on the Unpacked blog feature the latest news in malware as well as full-length technical analysis. Follow him on Twitter @joshcannell