The popular online “battle arena” game League of Legends has suffered a major security breach which exposed account information for North American players, as well as transaction records from 2011 including encrypted credit card numbers.
The game’s makers, Riot, have initiated a password reset and announced new security measures after the leak. League of Legends averages more than 12 million players per day, and is one of the most popular videogames in competitive gaming, with championships offering prizes of up to $1 million.
It’s the latest in a series of major breaches affecting game’s companies. ESET’s tips for PC gaming security can be found here.
“Usernames, email addresses, salted password hashes, and some first and last names were accessed,” Riot said in a statement this week. “This means that the password files are unreadable, but players with easily guessable passwords are vulnerable to account theft.
Additionally, we are investigating that approximately 120,000 transaction records from 2011 that contained hashed and salted credit card numbers have been accessed.”
Riot announced a password reset, saying, “We’ll require players with accounts in North America to change their passwords to stronger ones that are much harder to guess.” The company also announced two in-development security upgrades, including a new requirement for all accounts to have a valid email address, and a two-factor authentication system which would require verification via SMS for any change to an account’s email or password.
Riot said in its statement that players potentially affected by the credit card breach would be notified: “The payment system involved with these records hasn’t been used since July of 2011, and this type of payment card information hasn’t been collected in any Riot systems since then. We are taking appropriate action to notify and safeguard affected players. We will be contacting these players via the email addresses currently associated with their accounts to alert them.”
It’s the latest in a series of breaches affecting games companies – with both Ubisoft and Nintendo targeted this year.
Crytek, the German developer of the hit shoot ‘em up series Crysis also took its websites offline this month after a security breach in which user login details “may have been compromised.”
Ubisoft’s Uplay service suffered a data breach in July, with the company warning users that personal data including email addresses, user names and encrypted passwords had been compromised. Uplay works across platforms such as PC, Xbox 360, iOS and Facebook. The Uplay system requires users to log in with an email or password, and offers digital extras such as screensavers for PC games, but also works as a Digital Rights Management system (DRM) to prevent copying.
Earlier this summer, a sustained brute force cyber attack hit Nintendo’s Club Nintendo site in Japan, and allowed cybercriminals access to private data such as names, addresses and phone numbers for up to 24,000 accounts. The “brute force” attack carried on from 9 June to 2 July this year – involving 15.5 million attempted logins, according to the Japan Times.
Author Rob Waugh, We Live Security