American players of the highly popular League of Legends game have fallen victim to a security breach, the company behind the game has confirmed.
Riot Games did not reveal the exact number of accounts affected, but given that the game is one of the most-played in the world, with 32m active monthly gamers worldwide, the numbers are speculated to be in the millions.
The company told gamers: "The security of your information is critically important to us, so we're really sorry to share that a portion of our North American account information was recently compromised.
"What we know: user names, email addresses, salted password hashes, and some first and last names were accessed. This means that the password files are unreadable, but players with easily guessable passwords are vulnerable to account theft."
As a preventative effort, Riot Games is forcing a continent-wide password refresh.
"As a measure to make your accounts safer, within the next 24 hours we'll require players with accounts in North America to change their passwords to stronger ones that are much harder to guess," the company said.
"At such time, you'll be automatically prompted to change your password when you attempt to log in to the game."
On top of that, Riot Games also confessed that about 120,000 transaction records from 2011 containing hashed and salted credit card numbers have been accessed.
"The payment system involved with these records hasn't been used since July of 2011, and this type of payment card information hasn't been collected in any Riot systems since then," the notice explained.
"We are taking appropriate action to notify and safeguard affected players. We will be contacting these players via the email addresses currently associated with their accounts to alert them. Our investigation is ongoing and we will take all necessary steps to protect players."
In response to the hacking incidents, the company is developing a raft of new security features.
Email verification will mean that all new registrations and account changes will need to be associated with a valid email address.
The company will also require that all existing players provide a valid email address. It is also working on two-factor authentication so that changes to account email or password information will require verification via email or mobile SMS.
"We're sincerely sorry about this situation," the company said. "We apologize for the inconvenience and will continue to focus on account security going forward."
Established in 1957, BCS, The Chartered Institute for IT, promotes wider social and economic progress through the advancement of information...