Although the information obtained by the hackers was encrypted, Riot Games has confirmed that a recent League of Legends security breach got as far as credit card details.
North American account holders were affected, with the hackers gaining access to usernames, email addresses, salted password hashes, and some first and last names.
“Additionally, we are investigating that approximately 120,000 transaction records from 2011 that contained hashed and salted credit card numbers have been accessed,” Riot wrote in an announcement post.
“The payment system involved with these records hasn’t been used since July of 2011, and this type of payment card information hasn’t been collected in any Riot systems since then. We are taking appropriate action to notify and safeguard affected players. We will be contacting these players via the email addresses currently associated with their accounts to alert them. Our investigation is ongoing and we will take all necessary steps to protect players.”
Although encryption means most users will be fine, if you have an easily guessed password you are definitely at risk. In any case, all players should change their passwords immediately.
Riot is now in the process of introducing email verification for new registrations and account changes, and two-factor authentication via email or SMS.