North American players of the popular League of Legends online game are advised to change their passwords as soon as possible, as a breach of Riot Games’ servers resulted in the compromise of critical account information.
According to an announcement from the company, only a portion of their North American account information was accessed. The accessed data includes names, usernames, email addresses, and salted password hashes belonging to the users.
In addition to this, some 120,000 transaction records predating July 2011 have also been accessed, and they contain hashed and salted credit card numbers.
“The payment system involved with these records hasn’t been used since July of 2011, and this type of payment card information hasn’t been collected in any Riot systems since then,” the company noted, but failed to share what specific hashing and salting methods they employ, and how secure they are.
“We are taking appropriate action to notify and safeguard affected players. We will be contacting these players via the email addresses currently associated with their accounts to alert them,” they promised.
They warned that the passwords of the affected players will have to be changed within the next 24 hours, and that players will be prompted to do so when they attempt to log in to the game.
They also announced that users can expect two new security features to be implemented soon: email verifications for all new registrations and account changes, and two-factor authentication for changes to account email or password.
If you are a player of the game, change your password immediately to a longer and more complex one, and don’t change it to a password you are already using for another online service account. Also, do it by going to the official website yourself; don’t follow any links.
If you receive an email that appears to come from Riot Games, warning you about the breach and asking you to share information (whether personal, financial or account) or to follow an offered link to change your password, you can be pretty sure it’s a bogus email sent by identity thieves or cyber crooks.