Yesterday was a banner day for cybercriminals. A blog post from Riot Games founders Marc Merrill and Brandon Beck revealed an attack on League of Legends, one of the world’s most popular online video games. (It boasts more than 70 million registered users.)
The hackers stole approximately 120,000 salted (that is, combined with random data before hashing) credit card numbers, password hashes, usernames and e-mail addresses. Riot Games explained that only North American users who used their old payment system from before July 2011 might be affected, and added that players with easily guessable passwords are more vulnerable to account theft. Shocker.
“We are taking appropriate action to notify and safeguard affected players,” wrote Beck and Merrill. “We will be contacting these players via the e-mail addresses currently associated with their accounts to alert them. Our investigation is ongoing and we will take all necessary steps to protect players.”
Riot Games is implementing a host of new security measures to prevent future breaches, including requiring all North American users to change their passwords to stronger ones. They’re also developing features such as e-mail verification and two-factor authentication, which requires confirmation via e-mail or SMS text for account changes.
No hackers have claimed responsibility for breaching League of Legends, but this attack is one of many against online games in recent years. In July, Assassin’s Creed creator Ubisoft had e-mails and passwords hacked, and Riot’s European League of Legends players had account data compromised in 2012.
The companies’ habit of responding with the same prevention methods, stronger passwords and further verification, needs a serious overhaul. Look how well it’s worked out so far.
DDoS bank robbers hack wire transfers, steal millions
League of Legends wasn’t the only high-profile security breach uncovered yesterday, and nowhere near the most expensive.
Avivah Litan, vice president and distinguished analyst at research firm Gartner, reported that at least three banks in the past several months have fallen prey to “low-powered” distributed-denial-of-service (DDoS) attacks, losing millions of dollars.