League of Legends Hacked, Riot Games reacts
Overnight, Riot has taken a number of steps to help players affected by the recent League of Legends account info hacks.
Riot said that approximately 120,000 transaction records from 2011 that contained hashed and salted credit card numbers have been illegally accessed. The developer clarified that these are associated with North American accounts, and that while the password files that hackers could have accessed are NOT readable, those with easily guessable passwords are vulnerable to account theft.
In order to protect League of Legends players who may fall prey to account theft, credit card fraud and other hacker attacks, Riot will be contacting all players connected to the compromised accounts via the email associated with the accounts.
All players with NA accounts will also need to change their passwords to stronger ones to make them harder to guess, said Riot.
Associate product manager Veruco said in the forums that new rules require passwords to be between 8 and 30 characters long, contain at least 1 number, contain no slashes or spaces, and "must not be easily guessable," which basically means it should not have common words or words that have been previously used to steal other accounts (which Riot keeps a list of).
Logging into the game will trigger an automatic alert to start the password change process, but fans reading this can be proactive and change their password here.
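The password rules Veruco describes above can be written as a validator. This is an added example, not Riot's code: the blocklist entries, the character-substitution table, and treating a backslash as a slash are assumptions made for illustration.

```python
import re

# Constructed sample list. The article says Riot keeps a list of common and
# previously abused words, but its contents are not published.
SAMPLE_BLOCKLIST = {"password", "league", "summoner", "qwerty", "dragon"}

# Assumption: undo common character substitutions before matching, so that
# "passw0rd" is treated like "password". The article does not say how Riot matches.
SUBSTITUTIONS = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
)

ERR_LENGTH = "must be between 8 and 30 characters long"
ERR_NUMBER = "must contain at least 1 number"
ERR_CHARS = "must not contain slashes or spaces"
ERR_GUESSABLE = "must not be easily guessable"


def check_password(password, blocklist=SAMPLE_BLOCKLIST):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if not 8 <= len(password) <= 30:
        problems.append(ERR_LENGTH)
    if not any(c in "0123456789" for c in password):
        problems.append(ERR_NUMBER)
    # Assumption: "slashes" covers both "/" and "\".
    if re.search(r"[/\\ ]", password):
        problems.append(ERR_CHARS)

    # Compare case-insensitively, both as typed and with substitutions undone
    # and non-letters stripped, so padding a common word with digits or
    # symbols does not get it past the list.
    folded = password.lower()
    letters_only = re.sub(r"[^a-z]", "", folded.translate(SUBSTITUTIONS))
    if any(word in folded or word in letters_only for word in blocklist):
        problems.append(ERR_GUESSABLE)  # do not echo which word matched
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("Tr1bunal-Vex9", "passw0rd1", "League/2011", "short1"):
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

A password such as `passw0rd1` meets the length and number rules and fails only on the word list, which is why that list matters more than the character rules.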
New security features
Riot has also promised new security features that will be rolled out soon.
These include an email verification process akin to what is standard in MMO games these days, wherein all new registrations and account changes will need to be associated with a valid email address. Existing players will need to provide a valid email address as well.
Second, Riot is also porting in another security tradition from the online RPG and credit card worlds -- two-factor authentication, wherein changes to account email or password will require verification via email or mobile SMS.
Yes, even if you have a strong password you'll be required to change it. However, if you've changed your password since the maintenance last night, you won't be required to as you would have used the new pw standards we put in place.
Credit card fraud FAQ
Riot also advises fans who may be in danger of, or have been victims of, credit card fraud due to the security breach to read this Credit Card Fraud FAQ. It lists the possible actions players can take to limit the damage and also lists the agencies and organizations that can be contacted for additional assistance.
Associate producer Chager also clarified in the forums that since July 2011, Riot no longer collects any payment card info on any Riot servers, which should help assure fans who created accounts after that date that their credit card information and other such sensitive data will not be compromised.