Players of the popular Multiplayer Online Battle Arena (MOBA) game League of Legends will need to change their passwords at some point in the next 24 hours, advises developer Riot Games. The company says that account information on its North American servers was compromised:
What we know: usernames, email addresses, salted password hashes, and some first and last names were accessed. This means that the password files are unreadable, but players with easily guessable passwords are vulnerable to account theft.
Riot Games is investigating the possibility that 120,000 transaction records from 2011, long predating the Mac version's release, were accessed. Those records include hashed and salted credit card numbers. Riot was careful to note that the system hadn't been used since July 2011; players associated with those specific accounts will be alerted via e-mail.
The developers said they're working on two new security features now: email verification and optional two-factor authentication.