Keeping player information secure is very important to Riot. That's why we're sorry to share that hackers accessed some player account information.
Scope
After thorough and urgent investigation with help from independent security experts, we have determined:
Hackers gained access to certain personal player data contained in certain EU West and EU Nordic & East databases ; as a security precaution, we're emailing all players on these platforms
The most critical data accessed included email address, encrypted account password, summoner name, date of birth, and – for a small number of players – first and last name and encrypted security question and answer. (Note: Security question and answer are no longer used in our account recovery process.)
Absolutely no payment or billing information of any kind was included in the breach
Even though we store passwords in encrypted form only, our security investigation determined that more than half of the passwords were simple enough to be at risk of easy cracking.
Our actions:
We've fixed the specific security issue that hackers exploited.
Over the next 24 hours, we'll be notifying all EUW and EUNE players via email; although only a portion of players might have been affected, we consider broader notification a good security precaution.
We'll be updating this post with the latest on this situation and will monitor comments here for questions that require further clarification.
Our investigation into this issue is ongoing – we've hired experts and are working with the relevant authorities to more thoroughly understand causes, culprits, and preventative measures to make future breaches less likely.
We've redirected teams to quickly implement new security measures that will help improve the safety of your data.
We'll continue to invest in security measures, including password hashing and data encryption, state-of-the-art firewalls, SSL, security ninjas, and other security measures to make your info safer. We've been humbled by this experience and know that nothing guarantees the security of Internet-connected systems such as League of Legends. We can simply promise to try our very best to protect your data.
Please change your passwords
Please immediately change your account password by visiting the account management page at
https://euw.leagueoflegends.com/account, then clicking "change password." If you use the same password for accounts on other services, you should change those passwords as well.
Please use a good password. We compared encrypted password hashes and discovered that 11 passwords were shared by over 10,000 players each. A double-digit percentage of individuals had the same password as at least one other person. We encourage you to:
-Keep it unique -- use a different password for each important account
-Make it long -- at least 8 characters
-Mix it up -- use letters, numbers, and special characters
Hackers often send phishing emails to addresses that are captured in data thefts, so please be extra vigilant about emails containing attachments or links.
We're sorry
Brandon and I want to sincerely and personally apologize to you for this situation. We take your privacy and security seriously, and we're working diligently to improve it for the better.
Thank you,
Marc Merrill
Brandon Beck
