[BreachExchange] Hackers breach ‘League of Legends,’ access 120,000 credit card numbers

Destry Winant destry at riskbasedsecurity.com
Wed Mar 4 10:34:51 EST 2020


https://www.dailydot.com/parsec/hackers-league-legends-credit-cards-passwords/

The developer behind League of Legends, the most popular video game on
the planet, announced yesterday that about 120,000 player credit card
numbers may have been stolen as just part of an unprecedented hack of
its servers.

Riot Games detailed the full extent of the attack in a blog post:

What we know: usernames, email addresses, salted password hashes, and
some first and last names were accessed. This means that the password
files are unreadable, but players with easily guessable passwords are
vulnerable to account theft.

The developer expressed hope that the impact of that last number would
be limited, as they have not collected “this type of payment card
information” in their systems since 2011.

Passwords are vulnerable despite being salted, meaning each one is
combined with a random string of data before hashing, which makes it
more difficult for hackers to run their usual tricks when trying to
crack them.

“The password files are unreadable,” Riot Games explained, “but
players with easily guessable passwords are vulnerable to account
theft.”
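
Why a salted hash still leaves guessable passwords exposed, as an added
example that is not part of the original article or Riot Games' code. It
assumes a SHA-256(salt || password) storage scheme (the article does not
name the real one); the account records, deny-list and function names are
constructed for illustration. The audit flags accounts for a forced reset,
and a slow KDF is shown as the hardened form.

```python
import hashlib
import hmac
import os

# Assumed storage scheme for illustration only: SHA-256 over salt || password.
# The article does not say which hash function Riot Games used.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()

def make_record(user: str, password: str) -> dict:
    salt = os.urandom(16)  # unique random salt per account
    return {"user": user, "salt": salt, "hash": hash_password(password, salt)}

# Constructed sample accounts (not real data).
RECORDS = [
    make_record("alice", "password1"),
    make_record("bob", "password1"),           # same weak password as alice
    make_record("carol", "kV9#tq2!Lm0zR7px"),  # long random password
]

# Constructed deny-list; a real audit would use a large common-password list.
COMMON_PASSWORDS = ["123456", "password1", "qwerty", "letmein"]

def accounts_needing_reset(records, candidates):
    """Return users whose stored hash matches a deny-listed password."""
    flagged = []
    for rec in records:
        for guess in candidates:
            # The salt is stored beside the hash, so each guess costs one hash.
            if hmac.compare_digest(hash_password(guess, rec["salt"]), rec["hash"]):
                flagged.append(rec["user"])
                break
    return flagged

def slow_hash(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Hardened alternative: PBKDF2 multiplies the cost of every guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

if __name__ == "__main__":
    # Salting works: identical passwords produce different stored hashes.
    print(RECORDS[0]["hash"] != RECORDS[1]["hash"])
    # Yet both weak-password accounts are still found by a short guess list.
    print(accounts_needing_reset(RECORDS, COMMON_PASSWORDS))
```

The salt stops one precomputed table from covering every account, but it
does nothing for a password that appears on a common-password list.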

For a serious gamer, this can be as bad as hearing that your financial
info was swiped, and potentially more devastating on the emotional
level. Not every hacker is after money, after all: last October,
someone unleashed a bug in World of Warcraft that killed off thousands
of characters.

So what exploit did the League of Legends gatecrashers have in mind?
An actual heist, or malicious mischief? Either way, Riot Games is
taking steps to beef up security, including the implementation of
two-factor authentication. But over at CNET, commenters are
unimpressed.

“Implementing 2-factor after the fact will be a disaster,” wrote
vorthex_. “Bad guy will crack the passwords, log in, change the email
address and activate 2-factor on accounts who didn’t change their
password, put in the number of a throw away phone, thus locking out
the original owner for good.”

“Do all of these extra security measures even matter when the hackers
are using modern day database extraction tools to get our data,” asked
blazer412.

The hackers at large could probably answer that question, but don’t
expect them to. They’re busy working on the next big thing.

