
League of Legends compromised – North American accounts and transactions - CrazedGeek
http://beta.na.leagueoflegends.com/en/news/riot-games/announcements/important-security-update-and-password-reset
======
josh2600
Sigh.

My office plays League of Legends regularly. It's quite a fun game. This,
however, isn't fun at all.

Is it just a fact of doing business in the modern internet age that everyone
can and will eventually be pwned?

The best part of this is that it's obviously some legacy system that wasn't
properly decommissioned. Think about it, the records haven't been in use for
2+ years? Sounds weird, right?

Remember, if it's on the network somebody can get to it and just because you
don't use it anymore doesn't mean you can just stop patching the boxen :(.

~~~
criley2
I do assume that almost all online services will be pwned. I have a small
amount of faith that my Google account, Amazon account, and (major) bank
account won't be compromised except by my government. Maybe a few other
services are this trustworthy to me, but not many, and I can't think of them
off the top of my head.

We just need to get used to using throw away credit card numbers from our
credit card's website. Or buy game currency/points/time in stores, in the form
of cards, to prevent giving out the info that will be pwned sooner or later,
on one service or another.

And get used to using throwaway passwords. If your password being compromised
on one service makes you worry about other services, you've already done it
wrong.

I assume my passwords will be stolen. I even have a generic password I use for
many sites that I do not and will never trust.

It could be stolen -- and hell probably has, knowing how many services have
been pwned, and how many don't even realize it. But it won't give you anything
close to access to any email, bank, or merchant website connected to my debit
card, as they're all using unique passwords and 2-factor auth where available.

Startup Idea: Debit/Credit card services that provide not "throwaway" numbers,
but separate numbers/info for every major subscription or service you use.
Generate an Amazon number, an Xbox live number, a number for your cellphone
payment. If any one number is compromised, it can be disabled and handled
without any interruption or issue to other numbers and services.

In the age of constant pwning, a debit card that isolated the damage to that
one service without any hassle or disruption to any other service would be
brilliant. I know I'd pay for that. In fact, how easy would fraud monitoring
be when the only charges to a specific number would be allowed from that 1
service. It makes the numbers useless outside of that 1 service you're using
it for, even when stolen.

~~~
dtparr
That's actually how the Discover Card Secure Online numbers work, although
apparently some merchants can't use them. From their FAQ,
[https://www.discover.com/credit-cards/help-center/faqs/soan....](https://www.discover.com/credit-cards/help-center/faqs/soan.html#q1):

_Secure online account numbers is a free online service offering you added
security by protecting your account number while shopping online. When you
make a purchase with a merchant using a secure online account number, the
number is assigned only to that particular merchant. Once a secure online
account number is assigned, the merchant can use it for your future purchases
with them unless you specify otherwise. Some merchants, such as Facebook,
Amazon, and PayPal, will not be able to use the same secure online account
number multiple times. When shopping with those merchants, you will need to
use a new secure online account number each time._

~~~
jared314
Just make sure you keep track of the number you used, or be able to find it in
your statements, because some customer validation systems require parts of the
CC number. I've had to stall customer service reps several times because I had
forgotten.

------
Oculus
Riot should be a case study on how to handle leaks. Immediately releasing all
that they know and forcing password resets. Good on them!

~~~
Pengwin
This has happened numerous times this year. The same response to me both these
times.

Crytek: [http://www.eurogamer.net/articles/2013-08-05-crytek-pulls-we...](http://www.eurogamer.net/articles/2013-08-05-crytek-pulls-websites-after-suspicious-activity-detected)

Ubisoft: [http://forums.ubi.com/showthread.php/779040-Security-update-...](http://forums.ubi.com/showthread.php/779040-Security-update-regarding-your-Ubisoft-account-please-create-a-new-password)

And even the PSN outage in 2011.

I for one am sick and tired of these account breaches. Not only do account
details get disclosed, but I am forced to create these accounts to access
games which I play. I have a perfectly accessible Steam account with an
authentication API available that only a handful of games decide to not use.

If you want me to have another account, fine. But promise these two things: 1
- It is worth my time and effort to create the account (I think League of
Legends is fine here, they have a large ecosystem, however my two examples
above are not.) 2 - You take care of my details. (Which they have all failed.)

------
antiglacier
What types of attacks are commonly used to compromise information like this?

Is this simply a lack of SQL injection protection or is it the result of an
attacker gaining access to the web/database servers?

~~~
ihsw
Some variety of exploits probably led to this, for example communication to
their internal servers from their public servers may not have been isolated
well enough from the outside world (providing a proverbial window into their
internal system of services, databases, and APIs).

I'd imagine that Riot Games operates a plethora of servers with one, central,
very large database containing all customer billing information.

Large-scale attacks are usually coordinated with a collection of exploits, for
example SQL injection can provide a means to utilize XSS for exploiting
administrative interfaces leading to session hijacking. This can be useful for
reconnaissance and analysis.

------
bdz
Not really related but just read a few days ago:

In the Activision/Blizzard buyback from Vivendi one of the investors was
Tencent, owner of Riot. Meanwhile Blizzard is also developing a Dota-clone,
Blizzard All-Stars.

Unfortunately I can't add anything more but I found that interesting.

------
polemic
> _"approximately 120,000 transaction records from 2011 that contained hashed
> and salted credit card numbers have been accessed"_

Why oh why would you store the number. Utterly unnecessary for recurring
billing.

~~~
Ardren
The only thing that comes to mind is fraud prevention? But that only works if
it's a global salt, rather than a per user/card salt.

~~~
polemic
I don't buy it. You're exposing your users to massive risk in order to detect
fraud on a product that effectively costs $0 for you to provide. I _might_
understand it for a retailer that gets chargebacks for physical items shipped,
but that doesn't make sense here.
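
The salt-scope point in the two replies above, as an added example that is not
part of the thread or of Riot's code: a reuse check over stored card
fingerprints succeeds with one global salt, fails with a random salt per
record, and succeeds again with a keyed fingerprint (HMAC under a key kept
outside the database; the separate key store is an assumption here, as are the
publicly known test card numbers used as input).

```python
import hashlib
import hmac
import secrets
from collections import Counter
from typing import List, Optional, Tuple

# Constructed sample card numbers: publicly known test PANs, not real cards.
# The first value appears twice to model "one card used on two accounts".
SAMPLE_PANS: List[str] = [
    "4111111111111111",
    "4111111111111111",
    "5555555555554444",
]


def hash_global_salt(pan: str, global_salt: bytes) -> str:
    """One salt shared by every record: identical PANs give identical digests."""
    return hashlib.sha256(global_salt + pan.encode()).hexdigest()


def hash_per_record_salt(pan: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Fresh random salt per record: identical PANs give unrelated digests.
    Returns (salt_hex, digest_hex) as they would be stored side by side."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.sha256(salt + pan.encode()).hexdigest()
    return salt.hex(), digest


def keyed_fingerprint(pan: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key that lives outside the database
    (hypothetical separate key store or HSM, assumed here). Identical PANs
    still collide, so a reuse check works, but a dump of the table alone
    cannot be matched or searched without the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def count_reused_cards(fingerprints: List[str]) -> int:
    """Fraud-style check: number of distinct fingerprints seen more than once."""
    return sum(1 for n in Counter(fingerprints).values() if n > 1)


def demo() -> dict:
    """Run the same reuse check over all three storage designs."""
    global_salt = secrets.token_bytes(16)
    key = secrets.token_bytes(32)
    by_global = [hash_global_salt(p, global_salt) for p in SAMPLE_PANS]
    by_record = [hash_per_record_salt(p)[1] for p in SAMPLE_PANS]
    by_key = [keyed_fingerprint(p, key) for p in SAMPLE_PANS]
    return {
        "global_salt_reuse": count_reused_cards(by_global),      # 1: reuse visible
        "per_record_salt_reuse": count_reused_cards(by_record),  # 0: reuse invisible
        "keyed_reuse": count_reused_cards(by_key),               # 1: reuse visible
    }


if __name__ == "__main__":
    print(demo())
```

The global salt does let a fraud check find the same card across accounts,
which is the only reason the reply above can think of for keeping the number.
A card number has little entropy once the issuer prefix, fixed length and check
digit are accounted for, so a fast unkeyed hash of it is weak whatever the salt
scope; if a reuse check is genuinely needed, the keyed fingerprint keeps that
capability while making the stored table useless on its own, and a token from
the payment processor removes the number from the merchant's database entirely.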

------
gosukiwi
I just pray they don't use sha1 salted passwords or I'm pretty f*cked...
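
As an added example that is not code from the thread or from Riot: the salted
SHA-1 scheme the comment worries about next to a stretched PBKDF2-HMAC-SHA256
record that carries its own parameters, with constant-time verification and a
check for records written under an older, weaker work factor (the storage
format and the 200,000-iteration policy are assumptions for the example).

```python
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # assumed policy; raise as hardware gets faster


def salted_sha1(password: str, salt: bytes) -> str:
    """One fast SHA-1 over salt||password: the scheme the comment worries about.
    The salt defeats precomputed tables, but each guess still costs one hash."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Stretched hash stored as 'pbkdf2_sha256$iterations$salt$digest' so the
    parameters travel with the record and can be raised on the next login."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(stored: str, password: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def needs_rehash(stored: str, minimum_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record was written with a weaker work factor than policy,
    or in a format other than the current one (e.g. a legacy salted SHA-1)."""
    parts = stored.split("$")
    return (len(parts) != 4 or parts[0] != "pbkdf2_sha256"
            or int(parts[1]) < minimum_iterations)


if __name__ == "__main__":
    record = pbkdf2_hash("correct horse battery staple")
    print(record)
    print(pbkdf2_verify(record, "correct horse battery staple"))
```

Both schemes use a per-user salt; the difference is the cost of one guess,
which PBKDF2 multiplies by the iteration count. Because the iteration count is
part of the record, a site can migrate users to a higher work factor
transparently: verify the old record at login, then rewrite it with
`pbkdf2_hash` when `needs_rehash` says so.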

