Hackers have stolen account data from the European servers of popular real-time strategy game League of Legends (LoL), the game’s developer, Riot Games, announced on Saturday.
According to figures published by Riot in November 2011, there are over 32 million registered accounts on the three LoL servers: North America, EU West (EUW) and EU Nordic & East (EUNE).
“Hackers gained access to certain personal player data contained in certain EU West and EU Nordic & East databases,” Riot Games founders Marc Merrill and Brandon Beck wrote in a blog post on Saturday.
The compromised account data included email addresses, encrypted passwords, player names and dates of birth. No payment or billing information was exposed as a result of this security breach, Merrill and Beck said.
For a small number of players, their first and last names, as well as their encrypted security questions and answers, were also compromised. However, security questions and answers are no longer used in LoL’s account recovery process, the Riot co-founders said.
Not all EUW and EUNE accounts were affected, but the company decided to notify all players using those servers via email as a precaution.
Riot did not specify when or how the breach occurred, citing an ongoing investigation performed by outside security experts and law enforcement authorities. However, its notification was otherwise frank and helpful, said Paul Ducklin, the head of technology for the Asia Pacific region at antivirus vendor Sophos.
Unlike other companies that suffered data breaches in the past, Riot published a short analysis of the compromised passwords. “Even though we store passwords in encrypted form only, our security investigation determined that more than half of the passwords were simple enough to be at risk of easy cracking,” Merrill and Beck said.
Furthermore, a double-digit percentage of individuals used the same password as other users and 11 particular passwords were shared by over 10,000 players each, the Riot co-founders said.
“What this almost certainly means is that the security investigators set about cracking the password database themselves — with suitable authorisation, of course — as a way of judging what sort of advice to give,” Ducklin said. “If they could quickly recover half the passwords, so could a hacker.”
Affected users were advised to change their passwords on the LoL website, as well as on any other website where they might have used them. Passwords should be unique for every important account, they should consist of 8 or more characters and should be a mix of letters, numbers, and special characters, Merrill and Beck said.
Users were also warned to be on the lookout for possible phishing emails claiming to originate from Riot and seeking more information. Such emails are a common occurrence following data breach incidents.
The League of Legends data breach notification follows similar announcements from LinkedIn, eHarmony and Last.fm, which alerted their users last week that their account passwords might have been compromised.
It is very important for users to limit the impact of such security breaches by using unique passwords for every online account. There are free password management applications that simplify the task of working with multiple passwords.