League of Legends North American account information 'compromised'
Riot Games confirmed today that a portion of their North American account information was "recently compromised." Usernames, email addresses, salted password hashes, and even some first and last names were accessed.
"This means that the password files are unreadable, but players with easily guessable passwords are vulnerable to account theft," Riot explained. As of right now, Riot estimates that approximately 120,000 transaction records from 2011 that contained hashed and salted card numbers have been accessed.
"The payment system involved with these records hasn't been used since July of 2011, and this type of payment card information hasn't been collected in any Riot systems since then," Riot said. "We are taking appropriate action to notify and safeguard affected players. We will be contacting these players via the email addresses currently associated with their accounts to alert them. Our investigation is ongoing and we will take all necessary steps to protect players."
As a precaution, Riot will require North American players to change their passwords to ones that are much harder to guess, and to help prevent this sort of thing from happening Riot is working on new security features:
- Email verification: all new registrations and account changes will need to be associated with a valid email address (we’ll also require all existing players to provide a valid email address).
- Two-factor authentication: changes to account email or password will require verification via email or mobile SMS.
"We’re sincerely sorry about this situation. We apologize for the inconvenience and will continue to focus on account security going forward," Riot concluded. We'll keep you updated as we learn more.