Yesterday, League of Legends developer Riot Games detailed in a blog post that accounts belonging to their North American customers would require a password reset due to a recent security breach.
“The security of your information is critically important to us, so we’re really sorry to share that a portion of our North American account information was recently compromised,” said Riot in their post.
In addition, Riot states that about 120,000 “transaction records” from 2011 had been accessed, all of which contained hashed or salted credit card numbers for their customers.
In case you aren’t familiar, hashing is a process where data is pushed through a complex algorithm to produce a fixed-length value. A salt is a random value added to the input of a hash algorithm to make the result more secure: with a salt, identical inputs no longer produce identical hashes. Hashing is used to verify the integrity of data and protect sensitive information, like passwords. Common hash algorithms include MD5 and SHA-1.
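To make the hashing and salting description above concrete, here is an added example (not Riot's code and not from the original post) that stores and verifies a secret with a random per-record salt. It uses PBKDF2-HMAC-SHA256 from Python's standard library rather than the MD5 or SHA-1 named above; the function names, salt length and round count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

SALT_BYTES = 16          # assumed salt length for this example
PBKDF2_ROUNDS = 200_000  # assumed work factor for this example


def unsalted_digest(secret: str) -> str:
    """Plain SHA-256: fixed-length output, identical for identical input."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def hash_secret(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a key with PBKDF2-HMAC-SHA256 and a random per-record salt."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, key


def verify_secret(candidate: str, salt: bytes, stored_key: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, key = hash_secret(candidate, salt)
    return hmac.compare_digest(key, stored_key)


if __name__ == "__main__":
    password = "correct horse battery staple"  # constructed sample value
    # Two records holding the same secret: unsalted hashes match, salted do not.
    print(unsalted_digest(password) == unsalted_digest(password))
    salt_a, key_a = hash_secret(password)
    salt_b, key_b = hash_secret(password)
    print(key_a == key_b)
    print(verify_secret(password, salt_a, key_a))
    print(verify_secret("wrong guess", salt_a, key_a))
```

The salt is stored next to the derived key; it is not a secret, it only ensures that two records holding the same value do not share a hash.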
There’s no telling what the fallout of this will be, but if Riot is being truthful and the information is in fact from 2011, the blow may be softened: there’s a good chance that a lot of customers have changed credit card numbers since then. However, personal information like names, addresses, and phone numbers would still be exposed.
In response, Riot is forcing their North American players to change their passwords immediately. The developer also claims to be working on new security features to include e-mail and two-factor authentication.
Not to be too harsh, but verification of accounts through e-mail should be something they’re doing already. While not a perfect solution, e-mail verification can prevent a lot of unauthorized account access attempts and adds another layer of defense.
Two-factor authentication can be a great solution if done correctly; other gaming companies like Blizzard—the makers of World of Warcraft—have implemented an authenticator device as a way to protect their players. Even still, a simple SMS message to your phone would likely be enough for League of Legends gamers.