Security Update Discussion


Jiggybuns

Senior Member

08-20-2013

This is seriously all you're saying on the matter?


Seriously?



Kijitow

Senior Member

08-20-2013

Quote:
Originally Posted by Cdore View Post
I have this funny feeling Riot is leaving out some information.
Riot would NEVER do such a thing. They are 100% truthful with us and share everything they know.

lol



Chager

Producer

08-20-2013
4 of 13 Riot Posts

Quote:
Originally Posted by jmspIat View Post
can you confirm that the reds that posted in this (now deleted) thread had their accounts compromised?

http://www.reignofgaming.net/redtrac...blic-must-read

there is an overwhelming amount of (albeit, circumstantial) evidence that suggests so.
@jmsplat - That's correct. This was our only legit post on the subject prior to today's announcement:

http://forums.na.leagueoflegends.com....php?t=3774594



FrozenXylaphone


Senior Member

08-20-2013

Quote:
Originally Posted by Chager View Post
@jmsplat - That's correct. This was our only legit post on the subject prior to today's announcement:

http://forums.na.leagueoflegends.com....php?t=3774594
dun dun dunnnn



Uproar


Senior Member

08-20-2013

I changed my password yesterday so I think I don't need to change it again



Lv1 Facecheck GG


Senior Member

08-20-2013

Quote:
Originally Posted by Chager View Post
@FrozenXylaphone - because the folks that crafted the message know best I'm going to quote this directly from the news post

"What we know: usernames, email addresses, salted password hashes, and some first and last names were accessed. This means that the password files are unreadable, but players with easily guessable passwords are vulnerable to account theft."
So having just updated my account, I noticed there was no form of external verification in place; it only required you to log in, enter the old password and a new one. If people were under security risk before (due to password strength or whatever), what is to keep the people who illicitly accessed their information from just going in and changing the account password? Having dealt a lot with both internal and external network security personally, this seems like a glaring oversight that could lead to legitimate accounts getting "locked out" by people using cracked data and causing needless user headache. I'm sure that the specific incident will be limited in scope, but it is possible, and I would have expected that kind of thing to be one of the very first things addressed. (i.e. if they already have your username and password, nothing is stopping them from resetting your password)



Chaosneobreakage

Senior Member

08-20-2013

I didn't get a notification for changing my password. Is my password fine if I didn't get one? Do I still need to change it?



GrooveRave

Junior Member

08-20-2013

I have a question regarding the Two-factor authentication security measures you guys are developing. It says on the release that it's to be applied during changes to email and password, but will it be in place for log ins as well?

I personally want the authentication to take place prior to them accessing my account instead of when they want to change my email or password.



FrozenXylaphone


Senior Member

08-20-2013

Chager

If we deleted our credit card from our account after transactions, would they still be compromised?

When I use mine, I delete it from account after I get my receipt and transaction id.



UODK

Senior Member

08-20-2013

Quote:
Originally Posted by Chager View Post
@jmsplat - That's correct. This was our only legit post on the subject prior to today's announcement:

http://forums.na.leagueoflegends.com....php?t=3774594
Something I have seen before that seems legit to use as authentication is that the game logs your last login IP. If you try to log in from a different IP, your account is locked and an email is sent to the email associated with the account with an "unlock" code. Once you put the unlock code in the in-game prompt, your account is immediately usable again.

It will do this each time you log in from a different location. Logging in from only 1 location will not lock the account temporarily. Logging in from a new one will. This way, if someone gets your password, they must have access to your email address too.

The same is true of "changing the email address associated with the account through the website." When you try to change it, it sends a verification code to the email address, so the hacker must not only have your LOL username/password to log in to your accounts but also have access to your personal email address.
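
The scheme described in the post above, sketched as an added example (not part of the original post and not Riot's code): a login from an IP other than the last verified one, or an email change, is held until a one-time code sent to the address on file is entered. The `AccountGate` class, its method names, the 15-minute lifetime and the five-guess limit are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 15 * 60   # assumed code lifetime, in seconds
MAX_TRIES = 5        # assumed number of guesses allowed per issued code

class AccountGate:   # hypothetical name, for illustration only
    def __init__(self, send_email, now=time.time):
        self.send_email = send_email  # callable(address, code) supplied by caller
        self.now = now
        self.email = {}               # user -> address on file
        self.last_ip = {}             # user -> last verified login IP
        self.pending = {}             # user -> [digest, expires, tries, action, value]

    def register(self, user, email, ip):
        self.email[user], self.last_ip[user] = email, ip

    def _challenge(self, user, action, value):
        code = secrets.token_hex(8)   # 64 random bits; only its hash is kept
        digest = hashlib.sha256(code.encode()).digest()
        self.pending[user] = [digest, self.now() + CODE_TTL, MAX_TRIES, action, value]
        self.send_email(self.email[user], code)  # always to the address on file
        return "locked" if action == "login" else "pending"

    def login(self, user, ip):
        """Call only after the password check has already succeeded."""
        if self.last_ip.get(user) == ip:
            return "ok"
        return self._challenge(user, "login", ip)

    def request_email_change(self, user, new_email):
        return self._challenge(user, "email", new_email)

    def confirm(self, user, code, value):
        # value is the IP or new address being approved; it must match the request
        entry = self.pending.get(user)
        if entry is None or self.now() > entry[1] or entry[2] <= 0:
            self.pending.pop(user, None)
            return False
        entry[2] -= 1
        guess = hashlib.sha256(code.encode()).digest()
        if value != entry[4] or not hmac.compare_digest(entry[0], guess):
            return False
        del self.pending[user]
        target = self.last_ip if entry[3] == "login" else self.email
        target[user] = value
        return True
```

Binding the code to the IP or address that triggered it keeps a code requested from one location from approving another, and the expiry and guess limit bound how long a stolen password alone can be used to probe the unlock prompt.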