League of Legends (LoL), a popular free-to-play online strategy game, is the latest victim of this week's hacking spree. Wikipedia states that there are over 32 million players of League of Legends: "As of November 2011, League of Legends had over 32 million registrations and averages millions of players per day, with the number of concurrent users online at any given time peaking over half a million, doubling its player base in 4 months." The game is split into three server regions (real-world regions, not regions inside the game itself): North America, EU West, and EU Nordic & East.
Riot Games, the company behind the game, has issued a security warning only for the European servers; North American players are hoping they have not been hit.
After thorough and urgent investigation with help from independent security experts, we have determined:
* Hackers gained access to certain personal player data contained in certain EU West and EU Nordic & East databases; as a security precaution, we're emailing all players on these platforms.
* The most critical data accessed included email address, encrypted account password, summoner name, date of birth, and – for a small number of players – first and last name and encrypted security question and answer. (Note: Security question and answer are no longer used in our account recovery process.)
* Absolutely no payment or billing information of any kind was included in the breach.
Even though we store passwords in encrypted form only, our security investigation determined that more than half of the passwords were simple enough to be at risk of easy cracking.
Riot Games has not stated when the breach occurred, so it could have happened weeks ago. Riot Games states that it has been reported and is now being investigated. They also did not make clear how well protected the players' information was; hopefully the stored passwords were at least hashed and salted.
Riot has stated what will happen next and what actions they will take to secure their servers:
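The point behind "encrypted and salted" is worth seeing in code. The example below is added here and is not Riot's code; it contrasts a fast, unsalted digest (where every account with the same simple password gets the same digest, so one precomputed table covers the whole database) with salted, iterated PBKDF2 storage and a registration-time check for the kind of simple passwords the notice describes. The password list, iteration count and storage format are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample of the "simple" passwords a breach notice like this one warns about.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "summoner", "leagueoflegends"]
PBKDF2_ITERATIONS = 100_000  # assumption: a tunable work factor, raise as hardware allows


def unsalted_digest(password: str) -> str:
    """One fast, unsalted hash: identical passwords give identical digests across all users."""
    return hashlib.sha1(password.encode()).hexdigest()


def precomputed_table(candidates) -> dict:
    """Digest -> password, built once; matches any unsalted digest in a whole database."""
    return {unsalted_digest(p): p for p in candidates}


def table_hits(stored_digests, table: dict) -> int:
    """How many stored unsalted digests a precomputed table recovers without further work."""
    return sum(1 for d in stored_digests if d in table)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as 'pbkdf2$iters$salt_hex$hash_hex'.
    A fresh random salt per account means equal passwords no longer share a digest."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def is_too_simple(password: str, blocklist=COMMON_PASSWORDS) -> bool:
    """Registration-time policy: reject short passwords and anything on the common list."""
    return len(password) < 12 or password.lower() in blocklist
```

Salting does not make a weak password strong; it only forces the per-account work that a precomputed table avoids, which is why the policy check sits next to the hashing.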
- We’ve fixed the specific security issue that hackers exploited.
- Over the next 24 hours, we’ll be notifying all EUW and EUNE players via email; although only a portion of players might have been affected, we consider broader notification a good security precaution.
- We’ll be updating this post with the latest on this situation and will monitor comments here for questions that require further clarification.
- Our investigation into this issue is ongoing – we’ve hired experts and are working with the relevant authorities to more thoroughly understand causes, culprits, and preventative measures to make future breaches less likely.
- We’ve redirected teams to quickly implement new security measures that will help improve the safety of your data.
- We’ll continue to invest in security measures, including password hashing and data encryption, state-of-the-art firewalls, SSL, security ninjas, and other security measures to make your info safer. We’ve been humbled by this experience and know that nothing guarantees the security of Internet-connected systems such as League of Legends. We can simply promise to try our very best to protect your data.
Many people are wondering whether this is the same group that got into LinkedIn's and Last.fm's servers. If so, these hackers seem to have found a pretty big security hole in something these companies are all running on their servers. Hopefully security researchers will find and patch this exploit soon, but this is only the beginning: if it can happen once, it will surely happen again, and companies are now seeing that they have to put a lot more money into securing their servers and into pen-testing services.