Sigh: League Of Legends Has Been Hacked

By Jim Rossignol on June 9th, 2012 at 11:06 am.


PC Gamer have spied that LoL are sounding the alarm, with player passwords and dates of birth having been grabbed. You know the drill, get in there and change your passwords/when you were born, etc.

125 Comments »

  1. Joseph-Sulphur says:

    The second link is broken, it links to the cover image.

    • Randomer says:

      I think it bears mentioning that the hack only seems to have affected EU West and EU Nordic & East databases. So if you are on the North America server, your password should be fine.

      • ShineyBlueShoes says:

        Though the way these things have gone with this sort of business recently it’s still prudent to change your password at least regardless of your region.

  2. Anthile says:

    I really need a third hand for myself.

    • Vorphalack says:

      “Yo dawg we heard you like hands so we put a hand on your back so you can clap while you fap.”

      Pimp my……self?

  3. CaspianRoach says:

    I want to change when I was born in real life. Can I do that?

  4. Shortwave says:

    This game has been out a really long time now yea?
    Sort of crazy it took this long for an exploit such as this to appear.
    I wonder if it was related to a recent patch.

    • Namey says:

      This kind of stuff generally has absolutely nothing to do with the game and its development. It’s not a game exploit, but rather a security breach in the servers/database that hold user information.

  5. Revisor says:

    … and start using KeePass to generate and manage all your passwords. Really. It’s the best thing you can do for your online security this year.

    http://www.keepass.info/

    To answer your questions before you articulate them:

    1. You can press a keyboard shortcut to autofill your password in any application. Not only browser, but file managers etc. as well.
    2. It works on all platforms known to man. Win, Linux, iOS, you name it.
    3. You can synchronize your password database across devices with Dropbox, Skydrive, GDrive and similar services. Very handy.

    Instead of thanking me for changing your life, spread the password-manager-goodness further, to your friends and family.

    Edit: Just checked, my RPS password has ~50 random 0-9a-Z chars. All ~200 passwords in the database are unique. And the best thing? It gets autofilled for me, I don’t have to do anything, remember anything, type anything.

    As Solidstate89 says, you can also try LastPass, another password manager, this one online and for browsers. And there are more. It’s not important which one you choose, but start using that password manager right now.

    I have experience with KeePass so that’s what I recommend.

    • rei says:

      I really should, considering how lazy I am with my passwords.

      EDIT: yes, I was wondering about #3, thanks! :D

    • stupid_mcgee says:

      KeePass is great. I also highly recommend it. I have a few passwords that I remember for certain services, but the vast majority are random codes generated by KeePass. So very, very useful.

    • somini says:

      For added security, you can use SpiderOak as a Cloud Service, since it encrypts everything in your computer.
      https://spideroak.com/download/referral/1762c2f9d2fed837be9c056767827fd6
      Shameless referral for an added 1GB for both of us.

    • Dana says:

      Which won’t help you at all in such cases.

      • Llewyn says:

        The benefit of KeePass comes from simplifying the management of unique passwords; that is, helping you to ensure that the loss of your LoL password doesn’t compromise any other accounts you might have.

        If you’re already using unique passwords for everything then you’re right that it doesn’t help at all. Otherwise it helps enormously.

        • Dana says:

          Hmm, that’s true. I use unique passwords for important services like bank account or game accounts. I use the same on sites of low importance, like Internet forums or other sites.

    • Solidstate89 says:

      Or you can use LastPass and it’ll sync between all of your browser instances in real-time. I can’t even imagine not using a Password manager anymore. Having a completely different password for every single website I have a sign-up for is a little calming. I think when the Bioware forums were hacked it didn’t bother me one bit because it was some 15-character long random jumble of letters, numbers and symbols that is completely unique to that one and only website.

      There are dozens of password managers out there. I prefer LastPass, KeePass is another great option too. Basically, just pick one. It’s so easy to do you don’t have an excuse not to use one.

      • LionsPhil says:

        Or even just write them down in a little book. *OMINOUS THUNDERCLAP*

        Anybody with physical access to your house has already completely outdone being able to say “penis” in your name on the Internet, especially if you let your browser save your less-important passwords for convenience anyway and they’ve made off with your valuable computer equipment. If it means you can choose stronger, unique passwords where network-exposed, a weak point in a known location with physical security may be an acceptable tradeoff. (It’s also more robust about some indie game quietly sneaking in a trojan that lies in wait for you to unlock your keychain.)

        • Solidstate89 says:

          Lastpass doesn’t store anything locally on your machine, that’s one of the differences between it and KeePass. It stores it on Lastpass’ servers and it’s encrypted client-side as well before it’s hashed and salted again on LastPass’ servers. They don’t know your password, and they can’t look at what you have because it’s been encrypted on both your side and server side.

          Yes, if someone has your computer you’re already finished. But it wouldn’t do them any good as far as getting my passwords is concerned because it’s not stored on my computer.

          • LionsPhil says:

            In theory, your LastPass login could be keylogged.
            In practice, sure, I’m not trying to deter people from using a password manager—I do. I do mean the “or” up there—do anything other than re-using passwords, or using crap ones, even if it means having to (HORRORS) write them down.

            (But not in a shared office environment or anything, duh.)

          • Solidstate89 says:

            Well yeah sure, in theory it could have. I could also have been simultaneously infected with Flame and Stuxnet, but the point is nothing is ever truly secure, you just do whatever and everything you can to mitigate any possible attack vectors.

            If you want to be 100% secure, never connect to the internet and shut off all of your USB ports in the BIOS so you couldn’t possibly mount any infected flash drives.

      • mmalove says:

        My concern with going this route (i.e. my reasoning for not yet doing so) is that if KeePass or whatever service I chose is compromised, it would have the same impact.

        • Solidstate89 says:

          It would be difficult for KeePass to be compromised given the fact it doesn’t run on any servers. It just encrypts all of your passwords locally and if you do want to share them, the easiest way is with a cloud sharing service like Skydrive or Dropbox.

          LastPass has actually already had a security scare, but unlike every other company I’ve seen they actually handled it exactly how you should expect and because of that, it’s why I still use Lastpass.

          Basically they noticed unusual traffic going to their servers. They couldn’t verify what it was so they went all President of Madagascar on it and literally shut everything down, disconnected all of their servers and forced everyone’s Lastpass browser installations into off-line mode. They then repaired whatever security flaw they had, re-hashed and re-salted every single password and had everyone change their master password that encrypts the passwords client side (on your computer) before it ever even reaches their servers.

          They still haven’t actually been able to confirm whether it was a breach and whether they got anything. They believe they found it quick enough that they weren’t able to compromise any information, but they didn’t take that chance. They went into complete lockdown and that kind of act inspired some confidence in their service and it’s the only reason I’m still using LastPass instead of moving to a more off-line, less centralized manager like KeePass.

    • Ricc says:

      KeePass is highly, highly recommended. Started using it when gaming services started to get hacked a lot more, like one or two years ago. (Maybe that’s just when it started to concern me. Anyways.) Now all my passwords are unique and I don’t have to remember them. Super useful.

    • ShineyBlueShoes says:

      Think I’ll check that out. Too bad it would completely screw me if I used it with my google account since my phone uses the same account.

      • Revisor says:

        I don’t know what phone you have, but there are apps on iOS as well as Android.
        As for iOS I recommend KyPass.

        I synchronize the password database with Dropbox, it’s free and effortless.

        Go for it!

  6. DiamondDog says:

    What I want to know is, now that half the world has my name, address and date of birth due to constant hacks, why don’t I get more birthday cards?

    • grundus says:

      I think all the offers of free iPads and gift vouchers sent to your email is their way of expressing their love.

      • Njordsk says:

        Though those “size-increaser” offers are starting to get me worried, I don’t recall giving me thingy size on any site.

        Might have been drunk though

    • Namey says:

      My strictly no-nonsense email is getting constant spam these days, and I never use it for anything remotely shady. It has been a part of a mass user information leak before, though. I wouldn’t be surprised if that’s why I keep getting spam in it.

  7. celozzip says:

    wtf is league of legends?

    • Ringwraith says:

      A rather addictive competitive multiplayer DotA-like (sorry, MOBA), game with a bunch of dross disguising itself as a community at the lowest rung.

      • Vicho says:

        Yes nothing like being raged at by an 8 year old because you failed to press XYZ at precisely the right time and in the right order.

        • DiamondDog says:

          XYZ buttons don’t do anything in League of Legends you idiot GOD WHAT IS WRONG WITH YOU! F**K NOOB C**T!

          **** ****.

          ****.

      • dE says:

        A community that has stepped up to the challenge of proving that it is in fact possible to be worse still than those of Counter-strike or Call of Duty. League of Legends for instance has a rather nasty streak of bigotry and racism.
        It’s curious though that the MOBA Games have slightly different communities – yet each is total arse.

        • The Great Wayne says:

          Well, actually it’s in no way curious.

          The moba genre promotes that, for a loss on one side is doubly beneficial to the other team (you hamper the enemy, and you gain gold/xp).

          Therefore, a bad player or a careless one is really dragging the whole team down, on so many levels it’s silly. Therefore causing rage, etc. Also the fact that a game can play along 45mins – 1 hour, and that you mostly only gain points if you win are a real bummer if your game is ruined by one of your own teammates.

          In short : specific environment creates specific behaviour. That said, while I agree that MOBA communities are awful, LoL rly isn’t the worst. DOTA / HoN, I’m looking at you.

          • LionsPhil says:

            It sounds like they took everything that’s wrong with PVP RTS play against anyone you can’t laugh with and doubled the intensity.

          • dE says:

            Yes, I’ve heard TB’s theory.
            The mechanics are only part of the problem though. The by far bigger influence are the unwritten rules of each specific community, those that govern what’s acceptable and encouraged behavior and what’s shunned and rejected.

            Quick example:
            Quake 3 – Modding your game to the max? Go for it, it’s cool.
            Counter-Strike – Having a custom weapon model? Banworthy.

            As such, while the mechanics of MOBAs promote a certain kind of rage, it’s the community as a whole that sanctions and encourages bad behaviour.

          • Milky1985 says:

            DOTA is only worse cause of the elitism that comes with the game being harder to pick up than lol, there are a lot more mechanics that you need to use and sod all training (and less people who are willing to accept noobs (for once the legitimate use of the phrase, the new player))

            Because of that elitism you have the terrible behaviour with the attitude behind it as well :/

        • EPICTHEFAIL says:

          Heroes of Newerth says hi, ***** ***** ************.

        • Joshua Northey says:

          This, and to be a complete snot, the age/intellect of those it attracts. Many of the MOBA games I have seen as mods of other games are the haven of the least mature, least sophisticated portion of the player-base. 13 year olds just are not very well mannered generally, put them behind the great anonymous internet shield and they turn into little more than gibbering monkeys.

    • Yuri says:

      When asked about any primarily multiplayer game, every community is “the worst”.
      Call of Duty, Heroes of Newerth, DotA, Battlefield, etc. No exceptions, each and every one of them is “the worst”.

      Solution to the problem: play with friends. That’s what it’s meant for anyway.

      Also, LoL currently has 12 million players and continues to get regular updates every 2 weeks with new playable champions and constant improvements.

      It’s actually one of the best F2P games out there. I wouldn’t say “the” best, since TF2 exists.
      But alas, it’s close enough, offering an insane amount of entertainment.

      Also, the competitive scene for LoL is enormous. Makes me wonder why RPS don’t exactly report anything about LoL. This is the first news post about it that I’ve seen on this site.

      • LionsPhil says:

        I dunno, I’ve had plenty of OK randoms and semi-randoms in plenty of games. The old Alien Swarm for UT2004, TFC, TF2 (admittedly on selective servers), Altitude, Red Alert: A Path Beyond…you get the odd complete bell-end, but the community in general can manage to just play the game and be pleasant enough. Possibly helps that all but the “selective server” one up there are less than completely mainstream, but I’m not about to call TFC “niche” either.

        Meanwhile anything involving Counterstrike is a toxic hole.

      • Jay says:

        ‘When asked about any primarily multiplayer game, every community is “the worst”.
        Call of Duty, Heroes of Newerth, DotA, Battlefield, etc. No exceptions, each and every one of them is “the worst”.’

        Used to be, maybe. I think it’s pretty much universally agreed these days that DOTA-likes ran away with the crown some time ago. Though to be fair, I think LoL’s considered one of the friendlier ones. If only because HoN seems to have set some kind of strange new benchmark in hostility.

        • Reefpirate says:

          Probably because HoN is still clinging to a sense of relevance.

        • Psychopomp says:

          It has a lot to do with the fact that the HON devs are almost unanimously the raging douchebag DOTA stereotype. Why would they punish the guys who respond to “hi, I’m new. Any advice?” with “OMG NOOB KILL YOURSELF” when they *agree* with them?

      • Spengbab says:

        No, just no. Played plenty of multiplayer games, the MoBA stuff has got the worst dregs of them all, or maybe those games just bring out the worst in players.

      • Hoaxfish says:

        As someone who doesn’t really play any of them… dota/moba games definitely come across as the ones most talked about in regards to how terrible the communities are.

      • Strangerator says:

        MUDs have good communities for a few simple reasons…

        1. No graphics – so they require imagination
        2. Lots of reading and highly complex systems
        3. Newbies coming in who express “modern sensibilities” tend to be shunned by the community, and quickly quit.

        All of these things drive the average player age upward, and make for a far more reasonable community… though of course there is always “that guy”.

        I guess another important factor is the typically small playerbase, making the community more tightly-knit.

        • FunkyBadger3 says:

          All that’s true, but it in no way dissipates the chance of them being control-freaks and/or maniacs. In fact, the smallness and close-knittedness positively encourages it…

      • LintMan says:

        “When asked about any primarily multiplayer game, every community is “the worst”.
        Call of Duty, Heroes of Newerth, DotA, Battlefield, etc. No exceptions, each and every one of them is “the worst”.”

        That’s not really true. While you’ll find jackasses everywhere online, there were and are plenty of multiplayer communities that don’t have that sort of overall bad rap. I’m not online much anymore, but Team Fortress Classic had a really great community, IMHO. And there’s plenty of other multiplayer games you don’t hear so many community complaints about and don’t seem to have such a bad reputation. I haven’t played Diablo 3, but D2 had a decent community, and I’d guess D3 is the same (notwithstanding the network problem outrage).

        The games with the bad rep seem mostly to be either MOBA games, the big multiplatform shooters, or fighting games. But even among those, the only ones where the developers are constantly being asked how they will address the problems of having a terrible community are the MOBA games.

  8. Jon says:

    “11 passwords were shared by over 10,000 players each”. – Come on people, that’s just asking for trouble.

    • jon_hill987 says:

      “This is a free to play game I’m going to use “qwerty” as I don’t really care and am not going to spend cash on it” were probably their thoughts.

      • gwathdring says:

        I do that, sometimes. Because, if I really don’t give a crap about the account … why waste the time creating a new safe password or mimic a password from a service I do care about? All of my passwords are unique except for my passwords for these sorts of accounts. If I change my mind and really become an active member of one of these website communities or of the FTP game or whatever the account is for, I change my password accordingly.

        That way I only have to remember one password for all the throwaway crap and I don’t have to pore through cryptic clues on an encrypted drive to figure out what the password is. I could use a password generator, but I like this method for now. Decent, unique passwords for stuff like RPS, the same crap password for stuff like Fileplanet, and randomly generated passwords for anything with financials attached.

  9. MeestaNob says:

    RPS staff: Were there any further developments regarding the server intrusion reported on Steam a few months ago?

    • LionsPhil says:

      IIRC, that was only their forums?

      (And, seriously, props to them for keeping separate systems separate, and not swallowing the whole “single federated sign-on so we can track people across the web” thing. Gabe knows what his business is, and it’s selling games, not selling his users to marketing* like every free social platform, at least.)

      * This is not the same as saying that Valve never release aggregate info about game popularity or opt-in hardware surveys.

  10. 0positivo says:

    oh wow, I got an email about it, but I trashed automatically thinking it was phishing. Damn

  11. mr.ioes says:

    last.fm, linkedin, eharmony, league of legends. Who’s next? rockpapershotgun?

    “Even though we store passwords in encrypted form only, our security investigation determined that more than half of the passwords were simple enough to be at risk of easy cracking.”
    Why don’t they force people then to make good passwords? Other services do that too … why not all?

  12. hemmingjay says:

    Did the hack only affect EU? No news about it on the NA LoL site.

  13. Belsameth says:

    And, let me guess, they didn’t bother to use a salted hash… because, obviously, hacks like this only happen with others so why bother…

    • Captchist says:

      Was wondering this myself:

      “We store passwords in encrypted form” – says to me, we use salted hashes, and we do multiple hashes. That’s what encrypting a password is.

      But then they say: “Even though we store passwords in encrypted form only, our security investigation determined that more than half of the passwords were simple enough to be at risk of easy cracking.”

      The simplicity of the password is NOT an issue if you are salting your hashes. So clearly they ballsed up somewhere and either they don’t salt, or the salt got stolen in the hash too. How do companies manage to screw this stuff up every day…

      • Llewyn says:

        Nonsense, simplicity of passwords is absolutely an issue. You have to assume, if the database containing the hash has been compromised, that the methods used to generate that hash have also been compromised. Therefore your assailant can generate a dictionary of hashes from their dictionary of common passwords and match that against the hashes retrieved from the databases. For the thousands that match he can be effectively certain that he now has the original passwords used.

        Salting and hashing are not a substitute for using strong passwords.

        • LionsPhil says:

          “that the methods used to generate that hash have also been compromised.”

          If you’re not using a published, proven cryptographic hash function, but something you came up with in the shower and think you need to keep secret, you’ve failed already.

          “Therefore your assailant can generate a dictionary of hashes from their dictionary of common passwords and match that against the hashes retrieved from the databases.”

          The very point of salt is to render that impractical by bulking the grouped instances of “passw0rd” into distinct “passw0rdABCDE” and “passw0rdFGHIJ” and so on. You have to go for slower one-by-one brute-forcing.

          • Captchist says:

            Well and to clarify that. Salting doesn’t necessarily mean padding.

            Typically you would do the following:

            Take “passw0rd”

            Pad it out to a set length:

            “passw0rdasdfghjkl”

            Then salt it. I.e. use some pseudo random data to twist the password:

            “passw0rdasdfghjkl” combined with “39dfs@G4t’tsdgfhsdf934rn” to give you some amalgamation of that password which now looks like gibberish:

            “fde3r’gre’t450gaa@CV~@XC}}”

            Then you hash THIS password using a well known and respected hash (i.e. not MD5)

            To get a password hash:
            “oirj2309r09f0we-f9dfsf324u9u120-u2n” and then you store THAT.

            This method works regardless of how simple the password is so long as you don’t lose the salt in the attack.

            The only time the simpleness of the password is a risk is if:

            1. People are just trying random passwords to login – they might guess yours
            But this doesn’t need people to hack in to Riot, it just needs somebody to start guessing. You can do this any time.

            2. You don’t pad and salt your passwords before you hash them and an attacker steals the hashed passwords. Then they can look for common hashes which represent common passwords. For example “passw0rd” would always hash to “xyzab220-0” so any time they see that they can guess it might be “passw0rd”

            3. You do pad and salt, but the attacker stole the salt in the attack as well. You shouldn’t be storing your salt and your hashes in the same place. They should be in securely distinct places.

          • Llewyn says:

            @Captchist: Yes, assuming you’ve not lost the salt. But it’s ridiculously naive to assume that if you’ve lost the hashes because of other security failings.

          • LionsPhil says:

            Even if the attacker has the salts and the hashes, they still have a tougher time of it than if the passwords were unsalted, since the thousand accounts that all used “passw0rd” won’t have the same hash, and rather than being able to build a mapping like this, and looking up hashes in it backwards (for which there are clever optimizations):
            “passw0rd” -> 1234
            “qwerty” -> 5678
            You’ve got this (still going for concatenating salts for simplicity of demonstration):
            “passw0rdABCDE” -> 9375
            “passw0rdFGHJI” -> 2086
            “qwertyABCDE” -> 1997
            “qwertyFGHJI” -> 5733
            So it really, really bloats up the size of lookup table you’d need: more working memory required, more hashes to compute (and they’re designed to ideally not be particularly fast).

            In practice you get a lot of benefit even if the salt is stored with the hash.

          • Llewyn says:

            @LionsPhil: I didn’t at any point claim that proper salting is not providing a significant benefit. What I said was that it wasn’t a substitute for strong passwords. It absolutely isn’t.

            Once you’ve been completely compromised any password which can be discovered via a dictionary attack can still be recovered from the salted hash, it ‘merely’ takes in this case 12 million times as many hashing calculations to retrieve them as it otherwise would. It’s not trivial but it’s not security.

            As an aside, why would there be any significant increase in working memory requirements? Each hash calculation is an independent process.

          • LionsPhil says:

            I was actually replying to Captchist, but:
            If you’re going to hash them one at a time (which is what salt basically forces), you’re going to be there a while. Without salt, you can, in feasible amounts of storage, pre-process a lot of that, and look up passwords much more quickly. It is an optimisation—as is a dictionary attack. Using non-dictionary words may stop someone finding your password in such a shortlist, but given “merely” more time, they can still step through every possible representation of characters up to the maximum password length, and they will get yours.

            Almost all security is a question of time to break; there is no “perfect” passwording. One-time-pad is the only exception for encryption; I’m not sure offhand if there’s an information-theoretically secure partner for authentication.

            This is why it tends to be a bit of an arms race, after all; it’s not just flaws being found with old algorithms that let corners be cut, it’s also that things like secure hashes have to be made more computationally expensive to keep up with greater amounts of affordable processing power. This is why tunably-slow hashes like bcrypt exist. (See also.)
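
Added example, not part of the original comment thread: a Python sketch of the three storage schemes debated above (unsalted hash, per-user salt kept beside the hash, and a tunably slow hash), counting how many hash computations a dictionary audit needs under each. The account names, passwords and word list are constructed, and PBKDF2 from the standard library stands in for bcrypt.

```python
"""Added illustration: unsalted vs. per-user-salted vs. tunably slow password storage."""
import hashlib
import hmac
import os
import time

# Constructed sample data (not from any breach): two accounts share a weak password.
ACCOUNTS = {
    "alice": "passw0rd",
    "bob": "passw0rd",
    "carol": "qwerty",
    "dave": "vT9#kq2LmZx!4rBw",
}
WORDLIST = ["123456", "passw0rd", "qwerty", "letmein"]  # constructed guess list


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def store_unsalted(accounts):
    """Weak scheme: identical passwords produce identical stored hashes."""
    return {user: sha256_hex(pw.encode()) for user, pw in accounts.items()}


def store_salted(accounts):
    """Per-user random salt stored next to the hash, as in a UNIX shadow file."""
    records = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        records[user] = (salt, sha256_hex(salt + pw.encode()))
    return records


def audit_unsalted(records, wordlist):
    """One hash per guess covers every account. Returns (recovered, hash_ops)."""
    table = {sha256_hex(w.encode()): w for w in wordlist}
    recovered = {u: table[h] for u, h in records.items() if h in table}
    return recovered, len(wordlist)


def audit_salted(records, wordlist):
    """Known salts: every guess must be re-hashed per account (worst-case count)."""
    recovered, ops = {}, 0
    for user, (salt, digest) in records.items():
        for w in wordlist:
            ops += 1
            if hmac.compare_digest(sha256_hex(salt + w.encode()), digest):
                recovered[user] = w
    return recovered, ops


def slow_hash(password: str, salt: bytes, iterations: int) -> bytes:
    # PBKDF2-HMAC-SHA256: the iteration count is the tunable cost per guess.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_slow(password: str, iterations: int = 200_000):
    salt = os.urandom(16)
    return salt, iterations, slow_hash(password, salt, iterations)


def verify_slow(password: str, record) -> bool:
    salt, iterations, digest = record
    return hmac.compare_digest(slow_hash(password, salt, iterations), digest)


def seconds_per_guess(iterations: int) -> float:
    """Wall-clock cost of computing one candidate hash at this work factor."""
    salt = os.urandom(16)
    start = time.perf_counter()
    slow_hash("guess", salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    unsalted, salted = store_unsalted(ACCOUNTS), store_salted(ACCOUNTS)
    print("unsalted, same hash for alice and bob:", unsalted["alice"] == unsalted["bob"])
    print("salted, same hash for alice and bob:  ", salted["alice"][1] == salted["bob"][1])
    for name, (found, ops) in {
        "unsalted": audit_unsalted(unsalted, WORDLIST),
        "salted": audit_salted(salted, WORDLIST),
    }.items():
        print(f"{name}: {sorted(found)} recovered with {ops} hash computations")
    for n in (1, 200_000):
        print(f"{n} iterations: {seconds_per_guess(n):.4f}s per guess")
```

The weak passwords are recovered under both schemes; salting multiplies the work by the number of accounts, and the iteration count multiplies it again, while the long random password is not found in either case.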

        • Captchist says:

          “Salting and hashing are not a substitute for using strong passwords.”

          You are absolutely correct, but for a slightly different reason.

          You should use a strong password so people don’t guess it.

          When it comes to people stealing passwords however what is important is not the strength of the password, it’s the strength of the hashing and salting process.

          • Llewyn says:

            You’re making the assumption that the salt hasn’t been lost. That’s a deeply flawed assumption. Once the salt’s been lost all the salting and hashing do for you is buy time by increasing the number of hashing calculations required by the number of users you have, and hopefully requiring a relatively significant amount of computation per calculation.

            100bn hashes are not a trivial thing to generate, but that’s not providing any significant level of security. Which leads us back to salting and hashing not being substitutes for strong passwords.

          • Captchist says:

            I’m making the assumption the salt hasn’t been lost because if you do it right you store your salt and you store your hashed passwords in different places with different security. If they haven’t done that, they are making basic mistakes.

            Given the statements they have made – it sounds like the salt WAS lost. In which case I am presuming they ARE making basic mistakes

          • LionsPhil says:

            I’m curious as to where you’re getting this salt-and-hash separate idea, since both components are needed to check the password, and both are stored together in, for example, the shadow password database on UNIX-like systems.

          • Captchist says:

            In a situation where I have a web login, I’m storing my hashed passwords in a database.
            I am specifically not keeping my salt in that same database.

            So getting hold of the database of hashed passwords should not give you the salt needed to generate/check them.

            So yes of course you need to be able to get hold of the salt to do a password comparison. But you should not be able to get it by just hacking the server and dumping the database.

          • Belsameth says:

            What capt said.
            Dumping a database with username and passwords is something altogether different than getting the salt, as that should be stored somewhere even more securely than the password database.

            Sure, strong passwords help but the strength of the password almost doesn’t matter when the hash isn’t salted. Brute forcing is very, very fast nowadays :)

          • LionsPhil says:

            “But you should not be able to get it by just hacking the server and dumping the database.”

            But the same can be said of the hashes, ideally. You have a simple access problem here: to verify the password, the login mechanism has to retrieve both. In what way are you going to make one “more secure” to get at than the other, and conversely, why would you not make the other that “secure”? You’ve ultimately got to stash yourself some user:salt:ciphertext triples somewhere.

            An attacker getting hold of the user:salt mappings is not the same as not having salted passwords, unless that attacker is only interested in targeting one specific user. For the more common case of wanting as many valid logins as possible, they still have more combinations to worry about, and at most can hope to batch a few lookups together, depending on salt size and quality of random number generation.

      • Asurmen says:

        This long chain of replies is kind of funny, going on about salting and hashing, when if you read Riot’s response a certain way they’re simply saying “Your password is easy enough that while we’ve safeguarded it, it’s possible to be brute forced.”

        • Italianmoose says:

          All this talk of salt and hash is making me think of a full English breakfast. i.e. Hungry

          Does a full English even contain Hash Browns?!

          • elevown says:

            Nope. English people have NEVER eaten hash browns.

            That generalisation is broadly accurate.

    • LionsPhil says:

      On the subject of salt and brute-forcing, while trying to look up what Windows domain logins do these days, I got sidetracked by this amusing rant.

  14. Raziel_Alex says:

    Wish I could change my bday and my country in real life. Sadly, it’s still not possible.

  15. 8BitLager says:

    I wonder how many people are going to start screaming their Diablo 3 accounts were mysteriously hacked after this.

  16. DickSocrates says:

    Hackers should be shot. And people who use autotune. And litterers and noisy neighbours. In fact, let’s just shoot everyone. I’d go first but I don’t trust anyone would follow. People who don’t follow me should be shot.

    • LionsPhil says:

      Shooting is thinking too small-scale, because it requires too many individual actions. You need to engineer some kind of global-level extinction event.

      • marcusfell says:

        Zombies?

          • Jay says:

            Fatal flaw in this plan: Hackers would need to leave the house to be affected.

            Also zombies are notorious litterbugs.

          • EPICTHEFAIL says:

            Solution: use the Mass Effect zombie model. I sincerely doubt any hacker cave can withstand a few hours of scion bombardment. Also has a few other advantages.
            Failing that, just ask Karthus to spam ult.

  17. MythArcana says:

    None of my accounts get hacked ever. But then again, I only play single player games offline.

    HRMMMMMMMMMM….

  18. SkittleDiddler says:

    Couldn’t have happened to a nicer community.

  19. Dances to Podcasts says:

    On a related note, here’s a Diablo III farmer/hacker/whateverer live streaming his activities: http://www.youtube.com/watch?v=8NUQTATy5dc&feature=g-all-lsb

  20. zagor says:

    LoL personal info hacked: no big deal on RPS
    Diablo 3, not that many players reporting items stolen…..: FUCKIN BIGGEST STORY OF THE WEEK

    • elevown says:

      Actually it was a damn lot of people. And they are gonna tie it to a real money auction house. And it’s one of the biggest game releases in years. And a hell of a lot of people are pissed about a lot of things Blizz did, like forcing online. And it’s had lots of problems… do they need any more reasons?

    • Moraven says:

      Actually it was a damn lot of people. And they are gonna tie it to a real money auction house. And it’s one of the biggest game releases in years. And a hell of a lot of people are pissed about a lot of things Blizz did, like forcing online. And it’s had lots of problems… do they need any more reasons?

      A lot less than an entire database being compromised.

      RMAH and using your Battle.Net Balance will require the use of an authenticator. And like any game, lots have problems, lots do not. You have 6 Million+ players, more people will be affected, and in this day and age it is easier for the minority to have a bigger voice.

    • Milky1985 says:

      The Diablo 3 thing happened a week after release, and people were losing items from their single player game because of it.

      This is a big story but is another hack in a rash of hack attacks (3rd in a 2 week period I think, guess there’s another round of hacks going on :/)

      Both big stories, both talked about on RPS, there was more to say on the Diablo 3 thing so they said more, don’t really see the problem.

      Unless you’re a Blizz fanboy that is angry that someone said something nasty about your favorite game.

  21. Moraven says:

    I have a lv 3 account I think on EU, cannot remember. Do not have an email. At least they are emailing people right away.

    I still to this day never received an e-mail from Valve. I saw the message (in place of ads) when you leave a game. Was only a few days after it happened, they did not seem to care to inform everyone well.
    At least their stuff was more crypted than what you mostly see.

    • Milky1985 says:

      The Valve thing was the forums not the main login, don’t think I got an email either way tho (and I defo have a forum account)

      Theoretically they told a lot more people than they needed to doing it via the game client :p

  22. Premium User Badge jrodman says:

    Remind me why it’s acceptable that they store more than your username and password hash in accessible servers?

    Date of birth? WTF?

  23. daggerbite says:

    Can’t even remember my password for this. Nevermind!