Riot Games is now the latest in an increasingly long list of gaming behemoth to fall victim to hacking. A hacker was able to gain access to 120,000 North American League of Legends usernames, email addresses, transaction records, salted password hashes, and full names. The passwords are unreadable, but the information gained will make accounts with easily guessed passwords vulnerable.
All information accessed was from 2011, and the records don’t contain any info after July of 2011. Emails have been sent out to all affected players and Riot is prompting all NA players to change their passwords the next time they log in.
Interestingly, the hacker has apparently been very vocal about his exploits. In multiple posts which have since been deleted from the official League of Legends forums, the hacker insisted he didn’t steal the information in order to use it, but instead hacked Riot’s servers in order to show Riot that their server and account security was subpar. Indeed just last year the League of Legends EUW servers fell victim to a similar hack.
In response to the hacks, Riot intends to implement stronger security features which are currently in development. The email sent out to players breaks down the new security measures as follows:
Email verification: all new registrations and account changes will need to be associated with a valid email address (we’ll also require all existing players to provide a valid email address). Two-factor authentication: changes to account email or password will require verification via email or mobile SMS.
For a game that regularly sees millions of players log in daily, one would have expected to see such standard features a while ago.