League of Legends compromised – North American accounts and transactions

Sigh.<p>My office plays League of Legends regularly. It&#x27;s quite a fun game. This, however, isn&#x27;t fun at all.<p>Is it just a fact of doing business in the modern internet age that everyone can and will eventually be pwned?<p>The best part of this is that it&#x27;s obviously some legacy system that wasn&#x27;t properly decommissioned. Think about it, the records haven&#x27;t been in use for 2+ years? Sounds weird, right?<p>Remember, if it&#x27;s on the network somebody can get to it and just because you don&#x27;t use it anymore doesn&#x27;t mean you can just stop patching the boxen :(.

Riot should be a case study on how to handle leaks. Immediately releasing all that they know and forcing password resets. Good on them!

What types of attacks are commonly used to compromise information like this?<p>Is this simply a lack of SQL injection protection or is it the result of an attacker gaining access to the web&#x2F;database servers?

Not really related but just read a few days ago:<p>In the Activision&#x2F;Blizzard buyback from Vivendi one of the investors was Tencent, owner of Riot. Meanwhile Blizzard is also developing a Dota-clone, Blizzard All-Stars.<p>Unfortunately I can&#x27;t add anything more but I found that interesting.

&gt; <i>&quot;approximately 120,000 transaction records from 2011 that contained hashed and salted credit card numbers have been accessed&quot;</i><p>Why oh why would you store the number. Utterly unnecessary for recurring billing.

I just pray they dont use sha1 salted passwords or I&#x27;m pretty f*cked...