And This Week’s Hacking Victim Is… League Of Legends

OK everyone, ready? Now breathe deep – fill your lungs with the thick, muggy air of anger surrounding your person – and siiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiigh. Another week, another popular game got hacked. This time, it’s MOBA-kinda’s favorite largely benevolent emperor, League of Legends. You know the drill: change your various passwords and pay very close attention to your credit cards. The latter goes double here, because Riot’s confirmed that the hackers managed to make off with some old, thankfully encrypted credit card info. Better safe than sorry.

Riot made the announcement on its website, urging caution among North American players despite measures it previously took in order to safeguard against this kind of situation:

“What we know: usernames, email addresses, salted password hashes, and some first and last names were accessed. This means that the password files are unreadable, but players with easily guessable passwords are vulnerable to account theft.”

“Additionally, we are investigating that approximately 120,000 transaction records from 2011 that contained hashed and salted credit card numbers have been accessed. The payment system involved with these records hasn’t been used since July of 2011, and this type of payment card information hasn’t been collected in any Riot systems since then. We are taking appropriate action to notify and safeguard affected players. We will be contacting these players via the email addresses currently associated with their accounts to alert them. Our investigation is ongoing and we will take all necessary steps to protect players.”

Salted password hashes sound delicious. I really felt compelled to point that out. You may now go back to PAAAAAAAAAANICKING and/or calmly throwing refrigerator magnets in a blender to come up with a new password.

You can change your password here, if you haven’t already. Meanwhile, Riot is also adding additional layers of security in the form of email verification for any account changes made and a two-factor authentication system that’ll seek verification from either email or text message.

For now, I suppose that’s that. Best of luck to all whose info got nabbed. Dear hackers, you are jerks. Stop putting your wormy little hands all over people’s stuff. Take up crocheting or something. And get your worm hands looked at. That is probably a very serious medical condition.


  1. Koojav says:

    I suppose they can’t deny the hacking incident.

    • Gnoupi says:

      Note that this is a different server. Last time NA didn’t get hacked, it was Europe. This time it’s the other way around.

  2. ix says:

    Only North American players or world-wide? Why haven’t they emailed their players about this?

  3. Frosty840 says:

    That link you’ve supplied to change account passwords, in the story.
    The next time one of these stories comes up, I’d like the link you supply to be a not-very-carefully-disguised fake login page, hosted on the RPS servers which simply counts when people attempt to log into their potentially-compromised accounts through your fake login page, and tells them that they’re idiots.

    Would be interesting to know the number of people that blindly click on such a link, though RPS is, itself, probably too well-respected an outlet for it to be a particularly valid test, of course people are going to trust your links.

    What you’d really want is to also check the same stats for a blog from the seedy underbelly of the internet, but who’s going to volunteer to be that blog?

    Anyway, rambling. Best get back to work.

    • ZeDestructor says:

      If you only want the count, it’s fairly trivial to do using some referral trackbacks and/or JavaScript, or a simple URL shortener… Of course, that leaves the can of worms about privacy issues open….

      • Frosty840 says:

        Nah, I mean put up a proper page on the RPS servers that pretends to be a login page for whoever is hacked next, link to it from the story, allow users to input their login info and hit OK, don’t collect that info (quite important) but instead show them another page saying “don’t just blindly trust links like that on the internet, you sillies” and increment a counter by 1, somewhere on the RPS servers.

        Would just be nice to know how many people just blindly trust stuff on the internet, without thinking.

  4. Tei says:

    Sadly, salted hashed passwords have been all but broken by now. The best salting system seems inferior to your average encrypted password system.

    There’s a reason everyone should be using unique passwords per site. I am trying that, but it is complicated. Maybe I should move to one of these systems with a vault that stores a lot of passwords. I can’t remember 300 different accounts :P

    The credit card thing could be much worse, perhaps. I don’t know much about credit card systems. Perhaps since it is a number, they have more entropy? Wait, no… credit card numbers are supposed to follow a predefined pattern, that’s how you detect if a number is a VISA one. Damn, shit, fuck.

    • DuncanIdah0 says:

      Using a password manager is almost a must nowadays. I have been using one of them (Keepass) for several months and I now couldn’t do without it.

      KeePass is free (it is open software) and available for all platforms, so combine KeePass and Dropbox and you can have your encrypted password database synchronized across all your devices.

      • kael13 says:

        KeePass is great, but for whatever reason I can’t get it to work on my Mac.

      • Gnoupi says:

        Yes, this. After the wave of hacked servers during this year, I switched to Keepass.
        Who cares about hacked accounts when you have all your passwords randomly generated with an entropy > 128 bits. You just update with a new generated password, and carry on.

      • Panda Powered says:

        I keep all accounts in an old unused notebook from school. I just indexed all the pages alphabetically and write down my randomized (8+ digits, letters and symbols) passwords there. It works pretty well, as I usually only have to manually input them in the browser one time after a fresh install and only when I need a particular pass.
        If anyone tries to steal my password “database” I at least have a chance of punching them in the nose.

    • Boris the Impregnable says:

      What? No. Salting is still as secure as the hash algorithm used, if they managed not to cock the salting up, which honestly isn’t hard.

      • Tei says:

        I am not an expert. But the last good read I had about the topic made it look like hashes are cryptographically weak. And there’s good software that can exploit graphics cards to do brute force attacks very fast. Anyway, the current advice seems to be that unique salts (each user gets its own salt) with unique identifiers (the identifier is unique to the site, so it is not a username that can be reused on a different site) is “good enough”.

        link to

        A way to read this is: whatever you use to hash passwords, it must be very slow to hash to be safe against brute force attacks.

        • Stormvloed says:

          I think you’re a bit confused about what a salt, a hash and an ‘encrypted password system’ are.
          A salt has already been explained by colinmarc, so I’ll just mention that the secure cryptographic methods still use hashes underneath. PBKDF2 for example can use something like SHA256, one of the fast hashing algorithms, underneath. What comes out is then, again, a salted hash, only now it takes much longer to hash as PBKDF2 is made to be slow, unlike SHA256, which is made to be fast.

          What the author you link to says is not a warning against hashing; he’s saying we need to use appropriate hashing methods for the task.

        • Faxmachinen says:

          Those kind of articles are useless FUD. Hashing is not broken, salting is not broken. Clueless implementations thereof may be. The thing that is the most broken is people’s understanding of cryptography.

      • colinmarc says:

        Salting effectively means that you have to brute force the hash, rather than using a precomputed table. Then the cost to brute force is (the number of times you have to guess) * (the strength of the hash). So if you have to guess less, that matters.
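The mechanism Stormvloed describes and the cost model colinmarc gives, worked through in Python as an added example (not code from any commenter or from Riot): one fast SHA-256 pass over salt and password beside PBKDF2-HMAC-SHA256 with a random per-user salt, plus a rough guesses-per-second measurement showing how the iteration count raises the cost of every guess. The iteration counts and the layout of the stored record are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

# Assumption: iteration count for new records; a real deployment tunes this to its hardware.
ITERATIONS = 600_000


def fast_salted_hash(password: str, salt: bytes) -> bytes:
    """One SHA-256 over salt || password: salted, but still cheap to test guesses against."""
    return hashlib.sha256(salt + password.encode()).digest()


def pbkdf2_record(password: str, iterations: int = ITERATIONS) -> str:
    """Hash with a fresh 16-byte random salt; return a self-describing record for storage."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Algorithm, iteration count and salt travel with the digest so they can be raised later.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the KDF with the stored parameters and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def guesses_per_second(fn, *args, seconds: float = 0.5) -> float:
    """Measure how many times one core can run fn(*args) per second (one call = one guess)."""
    n, end = 0, time.perf_counter() + seconds
    while time.perf_counter() < end:
        fn(*args)
        n += 1
    return n / seconds


if __name__ == "__main__":
    salt = os.urandom(16)
    fast = guesses_per_second(fast_salted_hash, "hunter2", salt)
    record = pbkdf2_record("hunter2", iterations=100_000)
    slow = guesses_per_second(verify, "hunter2", record)
    # Total cracking effort = (number of guesses) x (cost per guess); only the second
    # factor is under the site's control, and the KDF raises it by its iteration count.
    print(f"single SHA-256  : ~{fast:,.0f} guesses/s")
    print(f"PBKDF2 100k it. : ~{slow:,.0f} guesses/s ({fast / max(slow, 1):,.0f}x slower per guess)")
```

The salt defeats precomputed tables but does nothing about guess throughput; the iteration count is what turns a billions-per-second attack into a far slower one.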

  5. KikiJiki says:

    EZ Rares

  6. bstard says:

    lol grz lol

  7. Beernut says:

    Since credit card numbers have a standardized length and a known alphabet (0-9), those hashes will be incredibly easy to bruteforce compared to passwords of unknown length and composition.

    • colinmarc says:

      Yeah, salting credit cards is a joke. Hashing is as effective as the hash, multiplied by the number of times you have to guess, so it is weakened if you can guess cleverly.

      1) credit cards are all the same length (16) and are all digits

      2) the first 4-6 digits of a credit card number are the BIN, and are defined by bank. There are some BINs that are (for obvious reasons) much more popular, so you can guess at least the first two digits pretty reliably (and the next four from a limited set): link to

      3) the last 4 are usually stored in plaintext next to the hashed numbers, so that the user can pick them from a dropdown list. That might not be the case here.

      4) If you do have the last digit, then you can limit the card numbers you try to ones that match a checksum called the luhn check, which would reduce the total number of tries by a lot: link to

      In this case, you might have to guess 8 or 10 digits, but only the ones which match the luhn check – you can do this many, many, many times a second. People, don’t store credit cards on your servers! There are providers that do this (I work for one) and they are much better at it.

    • iob says:

      Huh? Please elaborate; if they are salted it should still be pretty hard to do it for each and every one, no?

      Also, I am kinda confused how you can ever get from a hash to the credit card number without knowing the exact algorithm.

      You can get a key that produces the same hash, but how do you know that the bank uses the same check?

      • frenchy2k1 says:

        If the site was hacked, expect the hacker to also have the hash mechanism. If they can get to the salted hashes, they can usually get even more easily to the code creating them. Most hackers also claim to be able to recognize the hashes, as most are done by the same back end mechanisms (only a handful of crypto routines are commonly used).

        So, the possible cracking of the hashes to recover the original, if salted correctly, becomes directly linked to the hash mechanism and the speed of brute forcing it. As said, credit card numbers have a very low entropy based on the rules used to create them (0-9 only, 6 first digits for bank ID, checksum and rules for the other numbers).

        A good view of how crackers try to get passwords was given here. Quite enlightening about how they go about reversing a full password set and what rules or dictionaries they use:
        link to

    • Faxmachinen says:

      It’s worth noting that a credit card number with no additional information (such as name, expiry date and security code) is rather useless information. It’s likely easy to trace it to an account name in this case though.

  8. AngoraFish says:

    No doubt a coincidence relating to some previous hacking incident, but interesting that I had to cancel my credit card last Thursday after the number started being used for transactions in foreign countries without any intervention on my part.

    • Panda Powered says:

      I had to cancel my old card last year. Probably due to The Summer of Lulz. Someone used it to buy stuff from iTunes Netherlands for several days before I noticed.
      I don’t have an iTunes account and the only place I used my card was on PSN and some local stores. I use PayPal everywhere else, so it was pretty suspect.

      Luckily the banks are very quick with cleaning up after a credit card theft, even though it’s pretty common, since they don’t want people to stop trusting them.
      They replaced all the lost money and issued a new card at no expense after I filled in a pretty straightforward form.

      • AngoraFish says:

        My bank called me within 45 minutes of the first suspect transaction. After confirming that the transactions weren’t authorised by me the bank had cancelled my card and organised a new one within an hour and a half. The suspect transactions never even appeared on my statement.

  9. Hahaha says:

    “two-factor authentication” hahahahaha