We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

European League of Legends game players have their account data compromised

League of Legends developer notifies users that hackers have breached its European databases

Hackers have stolen account data from the European servers of popular real-time strategy game League of Legends (LoL), the game's developer, Riot Games, announced on Saturday.

According to figures published by Riot in November 2011, there are over 32 million registered accounts on the three LoL servers: North America, EU West (EUW) and EU Nordic & East (EUNE).

"Hackers gained access to certain personal player data contained in certain EU West and EU Nordic & East databases," Riot Games founders Marc Merrill and Brandon Beck wrote in a blog post on Saturday.

The compromised account data included email addresses, encrypted passwords, player names and dates of birth. No payment or billing information was exposed as a result of this security breach, Merrill and Beck said.

For a small number of players, their first and last names, as well as their encrypted security questions and answers, were also compromised. However, security questions and answers are no longer used in LoL's account recovery process, the Riot co-founders said.

Not all EUW and EUNE accounts were affected, but the company decided to notify all players using those servers via email as a precaution.

Riot did not specify when or how the breach occurred, citing an ongoing investigation performed by outside security experts and law enforcement authorities. However, its notification was otherwise frank and helpful, said Paul Ducklin, the head of technology for the Asia Pacific region at antivirus vendor Sophos.

Unlike other companies that suffered data breaches in the past, Riot published a short analysis of the compromised passwords. "Even though we store passwords in encrypted form only, our security investigation determined that more than half of the passwords were simple enough to be at risk of easy cracking," Merrill and Beck said.

Furthermore, a double-digit percentage of individuals used the same password as other users and 11 particular passwords were shared by over 10,000 players each, the Riot co-founders said.

"What this almost certainly means is that the security investigators set about cracking the password database themselves -- with suitable authorisation, of course -- as a way of judging what sort of advice to give," Ducklin said. "If they could quickly recover half the passwords, so could a hacker."

Affected users were advised to change their passwords on the LoL website, as well as on any other website where they might have used them. Passwords should be unique for every important account, they should consist of 8 or more characters and should be a mix of letters, numbers, and special characters, Merrill and Beck said.

Users were also warned to be on the lookout for possible phishing emails claiming to originate from Riot and seeking more information. Such emails are a common occurrence following data breach incidents.

The League of Legends data breach notification follows similar announcements from LinkedIn, eHarmony and Last.fm, which alerted their users last week that their account passwords might have been compromised.

It is very important for users to limit the impact of such security breaches by using unique passwords for every online account. There are free password management applications that simplify the task of working with multiple passwords.


IDG UK Sites

Best Christmas 2014 UK tech deals, Boxing Day 2014 UK tech deals & January sales 2015 UK tech...

IDG UK Sites

Chromebooks: ready for the prime time (but not for everybody)

IDG UK Sites

Hands-on with Sony's latest smartglasses

IDG UK Sites

Apple TV expert tips: get US Apple TV content, watch Google Play, use multiple Apple IDs and more