'League of Legends' accounts hacked, North American users targeted

Video game company Riot Games revealed this week that the servers for its popular online game
Video game company Riot Games revealed this week that the servers for its popular online gameRiot Games

Breaking News Emails

Get breaking news alerts and special reports. The news and stories that matter, delivered weekday mornings.
By Yannick LeJacq

"League of Legends" servers were recently hacked in a security breach that exposed the account information of some of the popular online game's North American customers, video game developer Riot Games said in a statement Tuesday.

One of the most popular and formative games in a Web-based genre known as "multiplayer online battle arena," League of Legends has long been a target of hackers. Last June, some users' account information was exposed in an attack by the LulzSec hacking group, and it's been breached again, by an unknown assailant.

"What we know: usernames, email addresses, salted password hashes, and some first and last names were accessed," Marc Merrill, president, and Brandon Beck, CEO of Riot Games wrote in a security update posted on the "League of Legends" website.

"Salted"? "This means that the password files are unreadable, but players with easily guessable passwords are vulnerable to account theft," wrote the Riot execs. In other words, they're not fully encrypted — if they were, servers wouldn't be able to tell if you were using the right password — but they are extremely hard for outsiders to crack, especially if they're long.

Merrill and Beck said that some 120,000 transaction records, which include user information like hashed and salted credit card numbers, could have been obtained in the hack. Without knowing whether or not the security of North American "League of Legends" players' financial information was compromised, Riot said that it will require players in the region to change their passwords within the next 24 hours "to stronger ones that are much harder to guess."

The security breach apparently took advantage of an outdated portion of Riot's user account system that stored information on financial transactions. "The payment system involved with these records hasn't been used since July of 2011," Merrill and Beck said, "and this type of payment card information hasn't been collected in any Riot systems since then."

In response to the security breach, they said that Riot is developing two new security features — email verification and two-factor authentication. No date was given for when these new measures will be introduced to the "League of Legends" community. 

Yannick LeJacq is a contributing writer for NBC News who has also covered technology and games for Kill Screen, The Wall Street Journal and The Atlantic. You can follow him on Twitter at @YannickLeJacq and reach him by email at: Yannick.LeJacq@nbcuni.com.