Riot Games is requiring League of Legends players to update their passwords after a breach “compromised” usernames, email addresses, salted password hashes, and some names.
There’s a chance that some credit card information was also accessed.
“Password files are unreadable, but players with easily guessable passwords are vulnerable to account theft,” Riot Games said in a blog post.
The attack affected users in North America, the company said.
Approximately 120,000 transaction records were also accessed, which contained hashed and salted credit card numbers. The payment system in question has not been in use since 2011 and Riot has not collected this type of information for more than two years.
The company is contacting affected users via the email address they have on file, though players can also reach out directly. “Our investigation is ongoing and we will take all necessary steps to protect players,” the firm said.
In the meantime, Riot has imposed a mandatory password reset. Players will be automatically prompted to reset their passwords when they sign in, or they can do so manually.
To secure its systems, Riot is putting in place two new security measures: email verification, which will require new and existing players to provide a valid email; and two-factor authentication, which will require email or SMS verification for changes to account email or password.