League of Legends US accounts hacked, credit card details could be at risk
League of Legends' database has been hacked, again, although this time it's US players who have had their details compromised, as announced on the LoL blog. "What we know: usernames, email addresses, salted password hashes, and some first and last names were accessed." Along with 120,000 transaction records from 2011 - so if you have a US account and you used your card on the LoL store a couple of years ago, you're going to want to keep a close eye on your bank account. Riot are "taking appropriate action to notify and safeguard affected players", and within the next day they'll be enacting a mandatory password change, which will require NA accounts to pick something safer. Something like, I dunno, Password2?
Here's the full story, from the League of Legends blog:
"The security of your information is critically important to us, so we’re really sorry to share that a portion of our North American account information was recently compromised.
"What we know: usernames, email addresses, salted password hashes, and some first and last names were accessed. This means that the password files are unreadable, but players with easily guessable passwords are vulnerable to account theft.
"Additionally, we are investigating that approximately 120,000 transaction records from 2011 that contained hashed and salted credit card numbers have been accessed. The payment system involved with these records hasn't been used since July of 2011, and this type of payment card information hasn't been collected in any Riot systems since then. We are taking appropriate action to notify and safeguard affected players. We will be contacting these players via the email addresses currently associated with their accounts to alert them. Our investigation is ongoing and we will take all necessary steps to protect players."
Thankfully, Riot Games will be introducing new security features in the wake of this latest breach, including "email verification: all new registrations and account changes will need to be associated with a valid email address (we’ll also require all existing players to provide a valid email address)" and "two-factor authentication: changes to account email or password will require verification via email or mobile SMS."
Riot's Marc Merrill and Brandon Beck concluded the post by saying that "we’re sincerely sorry about this situation. We apologize for the inconvenience and will continue to focus on account security going forward."