The developer behind League of Legends, the most popular video game on the planet, announced yesterday that about 120,000 player credit card numbers may have been stolen as just part of an unprecedented hack of its servers.
Riot Games detailed the full extent of the attack in a blog post:
What we know: usernames, email addresses, salted password hashes, and some first and last names were accessed. This means that the password files are unreadable, but players with easily guessable passwords are vulnerable to account theft.
The developer expressed hope that the impact of that last number would be limited, as they have not collected “this type of payment card information” in their systems since 2011.
Passwords are vulnerable, despite being salted—meaning they’re attached to random strings of data that make it more difficult for hackers to run their usual tricks when trying to decrypt them.
“The password files are unreadable,” Riot Games explained, “but players with easily guessable passwords are vulnerable to account theft.”
For a serious gamer, this can be as bad as hearing that your financial info was swiped, and potentially more devastating on the emotional level. Not every hacker is after money, after all: last October, someone unleashed a bug in World of Warcraft that killed off thousands of characters.
So what exploit did the League of Legends gatecrashers have in mind? An actual heist, or malicious mischief? Either way, Riot Games is taking steps to beef up security, including the implementation of two-factor authentication. But over at CNET, commenters are unimpressed.
“Implementing 2-factor after the fact will be a disaster,” wrote vorthex_. “Bad guy will crack the passwords, log in, change the email address and activate 2-factor on accounts who didn’t change their password, put in the number of a throw away phone, thus locking out the original owner for good.”
“Do all of these extra security measures even matter when the hackers are using modern day database extraction tools to get our data,” asked blazer412.
The hackers at large could probably answer that question, but don’t expect them to. They’re busy working on the next big thing.