Hackers Exploit League of Legends Vulnerability; 11 Passwords Shared by 10,000 Players Each
Some of League of Legends' EU West and EU Nordic & East databases were illegally accessed, and some player account information ended up in hackers’ hands, according to an official security warning posted by Marc Merrill and Brandon Beck, co-founders of Riot Games.
According to the same post, insufficient password complexity appears to be a main cause of the incident. Although the company encrypts users’ passwords, many of them were “simple enough to be at risk of easy cracking.”
“The most critical data accessed included email address, encrypted account password, summoner name, date of birth, and – for a small number of players – first and last name and encrypted security question and answer,” specified the Riot Games officials. The blog post also emphasizes that “no payment or billing information of any kind was included in the breach”.
League of Legends players, who have been notified of the breach by email, are advised to immediately change their passwords to unique, longer and more complex ones. The Riot Games investigation team made a disconcerting discovery about players’ password habits: “We compared encrypted password hashes and discovered that 11 passwords were shared by more than 10,000 players each. A double-digit percentage of individuals had the same password as at least one other person.”
Riot Games, for its part, admits that the attack exploited a security vulnerability that is now fixed, and says it is “humbled by this experience”.
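The hash comparison quoted above can only reveal shared passwords when equal passwords produce equal stored values. The following added example (not Riot's code; the article does not say which scheme Riot used) runs that duplicate count over constructed accounts, first assuming an unsalted SHA-256 digest and then PBKDF2 with a random per-account salt, where the duplicates disappear.

```python
import hashlib
import os
from collections import Counter

# Constructed sample accounts (not data from the breach).
ACCOUNTS = [
    ("user01", "123456"),
    ("user02", "password"),
    ("user03", "123456"),
    ("user04", "Tr0ub4dor&3-horse"),
    ("user05", "123456"),
    ("user06", "password"),
    ("user07", "qwerty"),
    ("user08", "correct-battery-staple-91"),
]

def unsalted_hash(password):
    """Deterministic digest (assumed scheme): equal passwords give equal values."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password, salt):
    """PBKDF2 with a per-account salt; the iteration count is illustrative."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def shared_hashes(stored):
    """Return {hash: count} for every stored hash used by more than one account."""
    counts = Counter(stored)
    return {h: n for h, n in counts.items() if n > 1}

def fraction_sharing(stored):
    """Fraction of accounts whose hash equals at least one other account's."""
    counts = Counter(stored)
    return sum(1 for h in stored if counts[h] > 1) / len(stored)

def audit():
    """Run the duplicate count against both storage schemes."""
    unsalted = [unsalted_hash(p) for _, p in ACCOUNTS]
    salted = [salted_hash(p, os.urandom(16)) for _, p in ACCOUNTS]
    return {
        "unsalted_shared": sorted(shared_hashes(unsalted).values(), reverse=True),
        "unsalted_fraction": fraction_sharing(unsalted),
        "salted_shared": sorted(shared_hashes(salted).values(), reverse=True),
        "salted_fraction": fraction_sharing(salted),
    }

if __name__ == "__main__":
    for key, value in audit().items():
        print(key, value)
```

With deterministic hashes, anyone holding the table can see which accounts share a password and crack each popular one once for all of them; per-account salts remove that signal, although weak passwords remain guessable one account at a time.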