Published in Editorials

League of Legends Breach Shows Both How Not To and How To Approach Security

10 June 2012

The game League of Legends has had some of its European and Nordic database servers hacked; I know, shocking, right? According to the announcement by Riot, the attackers exploited a specific security issue (again, really?) that has now been addressed and is no longer exploitable. The attackers were able to get user login information, including passwords (described in the announcement as encrypted), email addresses, summoner names, dates of birth, and a small number of encrypted security questions and their answers.

If all of this sounds familiar, it should. This is the latest breach of a cloud-based service in which user account information has been stolen with apparent ease. The fact that the flaw was fixed so quickly makes us wonder whether it was something that should have been caught and prevented in the first place. We do appreciate Riot's almost immediate response and the speed with which a fix was deployed, but there is something in the announcement that bothers us quite a bit.

“Our investigation into this issue is ongoing – we've hired experts and are working with the relevant authorities to more thoroughly understand causes, culprits, and preventative measures to make future breaches less likely.”

This one statement makes it sound as though they do not maintain a security staff, or at least not one properly trained to deal with these issues and to provide the kind of proactive security that SHOULD be in place on any service that holds your personal information. It was probably sheer luck that the attackers did not get into the billing databases.

On the other hand, Riot has learned from this and, if they can be believed, is going to do the right thing moving forward. They state quite plainly: “We'll continue to invest in security measures, including password hashing and data encryption, state-of-the-art firewalls, SSL, security ninjas, and other security measures to make your info safer. We've been humbled by this experience and know that nothing guarantees the security of Internet-connected systems such as League of Legends. We can simply promise to try our very best to protect your data.”

This is honestly the first time I have seen a company openly admit that it made a mistake and is truly sorry it happened. Maybe other companies can take the lead from this and begin to invest in what it really takes to make these services as secure as they can be. Remember, there is no such thing as a 100% secure system, but you can improve your response and make it much harder for attackers to get into your systems. It is not cheap, but then again nothing worthwhile is. Perhaps that is the biggest lesson of the cloud: “you get what you pay for”, and this annoyingly true statement applies to providers and customers alike.

Although the League of Legends breach is a very bad thing, and Riot is fully to blame for not taking security more seriously before the event, it does look like they are moving in the right direction. If other companies would do the same now, rather than waiting until after a breach that affects end users, we might start to have a little faith in the cloud.

Read the full announcement from Riot

Last modified on 10 June 2012