Passwords pillaged from League of Legends wand-strokers
Euro gamers' very private jewels sniffed by hackers
Regcast training : Hyper-V 3.0, VM high availability and disaster recovery
Passwords, email addresses, dates of birth and other sensitive data have been plundered from the player databases of fantasy strategy game League of Legends.
Publisher Riot Games sent emails to its online role-players in West, Nordic and East Europe, and posted on its website, to warn that hackers had raided their account information.
Players’ data including email addresses, passwords, summoner names, dates of birth and, in some cases, real names and security Q&A, was stolen but financial info was safe, Riot said.
“Absolutely no payment or billing information of any kind was included in the breach,” the company promised, although it did admit that the security on the data that was stolen wasn’t that hot.
“Even though we store passwords in encrypted form only, our security investigation determined that more than half of the passwords were simple enough to be at risk of easy cracking,” Riot stated.
The gaming firm said it had now patched up the hole the hackers had exploited, and that they would use new techniques to secure data in future.
“We'll continue to invest in security measures, including password hashing and data encryption, state-of-the-art firewalls, SSL, security ninjas, and other security measures to make your info safer,” the games firm stated. “We've been humbled by this experience and know that nothing guarantees the security of internet-connected systems such as League of Legends. We can simply promise to try our very best to protect your data.”
Riot advised players to change their password immediately and watch out for phishes.
In November the company claimed it had 11.5 million active monthly users for warrior'n'wizards multiplayer League of Legends, with more than 30 million gamers registered in total. ®
COMMENTS
Re: Hash 'n' Bash
A rainbow table will still give you the password (or a selection depending if its on a collision. Either way, if people have stupid passwords they are likely to be compromised even if they were just hashes.
While you can equally use a rainbow table (or any other method, for that matter) equally well on hashes as well as encrypted passwords, both cases require access to the cyphertext or hashes. If you work out a single password from a hash, you have compromised a single password. if you work it out from cyphertext then you have got the lot (even the more secure ones). In other words if you store encrypted passwords rather than hash values then it doesn't matter if some passwords are complex, a single weak password will compromise them all.
Re: Hash 'n' Bash
Hmmmm
Maybe he has been told they were hashed, and not "we only store the hashes" because.... most of the media won't know the difference anyway.
A rainbow table will still give you the password (or a selection depending if its on a collision. Either way, if people have stupid passwords they are likely to be compromised even if they were just hashes.
Re: "sent emails to its online role-players in West, Nordic and East Europe"
Well, the gods are in Asgard, and I don't think they have too much to worry about.
IT infrastructure monitoring strategies
Agentless Backup is Not a Myth
Top 10 SIEM implementer’s checklist
Steps to Take Before Choosing a Business Continuity Partner
Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider
