League of Legends found that some of its EU West and EU Nordic and East databases were illegally accessed, with some player account information ending up in hackers’ hands, according to an official security warning posted by Marc Merrill and Brandon Beck, co-founders of Riot Games.
According to the same post, weak password complexity appears to be a main cause of the incident. Although the company encrypts users’ passwords, they were “simple enough to be at risk of easy cracking.”
“The most critical data accessed included email address, encrypted account password, summoner name, date of birth, and – for a small number of players – first and last name and encrypted security question and answer,” the Riot Games officials specified. The blog post also emphasizes that “no payment or billing information of any kind was included in the breach”.
League of Legends players, who have been notified by email of the discovered breach, are advised to immediately change their passwords to unique, longer and more complex ones. The Riot Games investigation team made a disconcerting discovery about players’ password practices: “We compared encrypted password hashes and discovered that 11 passwords were shared by more than 10,000 players each. A double-digit percentage of individuals had the same password as at least one other person.”
Riot Games, for its part, admits that the attack exploited a security vulnerability, which is now fixed, and says it is “humbled by this experience”.
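
A direct comparison of stored hashes, like the one Riot Games describes, reveals shared passwords only when identical passwords yield identical stored values. The following added example (not Riot Games' code; the two storage schemes, the account names and the passwords are constructed assumptions) counts shared hashes under an unsalted digest and under a per-user salted PBKDF2 hash.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not real data): three users share one password.
ACCOUNTS = {
    "summoner1": "password123",
    "summoner2": "password123",
    "summoner3": "password123",
    "summoner4": "correct horse battery staple",
    "summoner5": "Tr0ub4dor&3",
}
ITERATIONS = 100_000  # demo value (assumption); tune upward for production

def unsalted_hash(password: str) -> str:
    """Assumed weak scheme: plain digest, so equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password: str) -> str:
    """Hardened scheme: random per-user salt plus a slow KDF (PBKDF2)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"

def verify_salted(password: str, stored: str) -> bool:
    """Login check still works: re-derive with the stored salt, compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)

def audit(hash_fn) -> tuple[int, int]:
    """Return (number of distinct shared hashes, accounts exposed as sharing one)."""
    stored = {user: hash_fn(pw) for user, pw in ACCOUNTS.items()}
    shared = {h: n for h, n in Counter(stored.values()).items() if n > 1}
    return len(shared), sum(shared.values())

if __name__ == "__main__":
    print("unsalted:", audit(unsalted_hash))
    print("salted:  ", audit(salted_hash))
```

With the unsalted scheme, anyone holding the table can see which accounts share a password and recover all of them with a single guess; with per-user salts, each account has to be attacked separately.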