League of Legends player info taken in hack
European players of League of Legends are being notified of a recent hack that has compromised personal information.
Players of League of Legends are being notified of a recent hack that has compromised personal information. According to Riot Games, hackers have "gained access" to player data, including e-mail addresses, passwords, date of birth, and security questions and answers. The company is advising potentially affected players to change their passwords, as "more than half of the passwords were simple enough to be at risk of easy cracking."
Hackers gained access to certain EU West and EU Nordic & East databases, and all players on those platforms should have been contacted. (It seems North American players are unaffected.) Since the discovery of the breach, Riot has fixed the security issue and will "continue to invest in security measures."
"We've been humbled by this experience and know that nothing guarantees the security of Internet-connected systems such as League of Legends," a post on the game's forum (via Gamespot) states. "We can simply promise to try our very best to protect your data."
Although Riot promises that no payment or billing information has been affected by the breach, the company is advising everyone to change their password. In addition, if the same password is used on other sites, it should be changed as well. They also warn that hackers may send phishing emails to the addresses affected by the hack, "so please be extra vigilant about emails containing attachments or links."
-
Shacknews
replyAndrew Yoon posted a new article, League of Legends player info taken in hack.
European players of League of Legends are being notified of a recent hack that has compromised personal information.-
Could some security experts chime in on this one?
"nothing guarantees the security of Internet-connected systems"
Okay, let's accept the idea that there's perhaps no way to secure a database from getting accessed in the long run. But even with that assumption, aren't there encryption methods and other things like salting passwords that would make a database breach largely harmless?
The quote really sounds like them saying "it's not our fault; it's impossible to prevent" which I think is really weird of them to say.-
No authenticator
-
-
properly salted and hashed passwords should be uncrackable because you've actually lost data in the encryption process, doesn't really help with credit card info tho as you have to be able to retrieve it again it can't just be hashed
-
Salting passwords only protects them from rainbow tables. Brute-force and dictionary attacks on weak passwords will still work just fine, and since the cracking process is local to the hackers this becomes a viable option.
-
a large salt + slow hash can make brute forcing not viable for all but short passwords and dictionary words.
-
This is no longer as true in the era of gpu assisted password cracking tools, cloud cracking via botnets and the like. Yes a non dictionary word with full alphanumeric characters will take longer, but it is not the same impossibility that existed say 5 years ago. MD5 has basically been deprecated and anything less than sha-2 should be considered crackable.
-
-
-
-
All password algorithms are one-way encryption; the intent is that the application needs a hash table to determine if an entered password is the same, but that having the hash alone cannot allow someone to determine the plaintext value of the password. Rainbow tables are allowing those with access to the hash values to determine many (but not all) of the possible password values for hashing algorithms that are commonly used.
Here's a good article from after the Gawker hack: http://www.codinghorror.com/blog/2010/12/the-dirty-truth-about-web-passwords.html
Gawker was a very egregious case of a breach, because the hashing algorithm they were using, DES, was very ancient, and with access to the hash values, could be cracked in a very short time. DES was obsolete back in the late 1990's, but Gawker was using it in 2010. Right now, even MD5 and SHA1 are considered weak, and it's common knowledge that salting the hashes drastically decreases the probability of a cracked hash (though I don't know if it's required for various security compliance standards yet).
-
-
No doubt Riot encrypts their databases on several levels, especially considering that there are a massive number of financial exchanges happening every second (supposedly they have more active logins at any given time now than WoW, so I'm extrapolating a bit.) However, that doesn't mean the information isn't valuable.
The most effective known means of cracking modern encryption is to gather as much data as possible, look for patterns, and start guessing. If we assume that 50% of passwords are considered "weak", say less than 8 characters, all lowercase letters, whatever, there's a fair chance that there's a lot of duplication in there as well. So, if the crackers, with their massive amount of data to munge and understand, might be able to crack a single password, which could give them the key to cracking several more. You see where I'm going here, yeah?
And there's more to it than just cracking passwords and getting financial data that way. As was stated in the article, email lists, personal information, and more has been acquired, leaving those whose data has been compromised potentially vulnerable on a number of levels. Say I have an email address and a PayPal account that's linked to it. I may not have to crack their password at all; it would be far easier to send an email saying I need to verify the financial information on file and could the recipient please click on this link... A lot of these players are kids, too, so they won't be as wary as perhaps they should be, which creates a whole new set of problems for Riot and their players.
I don't think Riot's trying to say they aren't culpable, but the fact remains that holes exist in any system, and the likelihood of those holes being discovered by the "good guys" is very slim, especially if they're going head-to-head with a very motivated group of crackers. This one breach could result in a year's salary for everyone involved in the break in, even if only 1% of the stolen information is at all useful.
Perhaps Riot could have been a bit more on the ball, sure, but they aren't hiding this from their players, and that does count for something. -
Just typical PR. You cannot guarantee security, but you can do your best to keep everything patched, your passwords salted and hashed (with the latest greatest hashing algorithm) You can also hash the hash over and over like 100 times + to make it even more difficult to brute force the passwords.
-
My point is this is not typical PR; it's pretty uncommon to say "yeah your shit got stolen but let's be honest there's no way to stop it so let's just move on"
-
-
While that is a technically correct statement, (who would "guarantee security" in the era of disclaiming all responsibility?) but its only purpose is to say "well, everyone gets hacked now and then, you can't really blame us". I feel pretty safe in guessing that there were some terrible security practices in place that allowed this to happen. Statistics are on my side.
-
-
dumb people.... simple passwords... you kinda deserve to be hacked with that
-
-
I'd love to, but between achievements, and the desire of developers to hold users accountable for their actions, there's no turning back. I wish MP FPS games could go back to the anonymous user-hosted user-moderated system, but now, everything's using Steam, Origin, GFWL, or a proprietary login system.
I think a good medium is to have authentication handled by a third party who knows how to properly secure an environment, but even Steam got hacked last year. Leaving the burden of security on the user results in users either having to generate and store a ton of random unique long passphrases for every site, or to do something less secure, and have to deal with the consequences when those sites get hacked, and others get correlation-attacked.
It feels like it's approaching a "grey goo" equivalent scenario, in terms of online security, and I think that entire models need to be re-evaluated. Why do sites need more info than just an email address? More social sites should ask themselves that question, and get off their "real name" high horse, as it's a liability to users.
-
-
