Your Account Security is At Risk.

Mãge·9/23/2016, 12:22:45 AM·20 votes·1,672 views

In light of a reminder that security is often overlooked, I thought this issue would be worth a post here in order to make this issue known to more players more quickly. That is, there is a glaring flaw in the design of account security for League of Legends players.

If you navigate to the "Settings" tab when you expand the drop-down menu in the upper right corner of the website after logging in, you'll see that you have the options to change your e-mail address and password for your account. In order to change your e-mail address, you need to enter your current password. In order to change your password, you need to enter your current password. Finally, if you've forgotten your password or lost access to your account due to a compromised password (which may in fact be through no fault of your own - for example, you might have used the same 60,000 character long password for League as you did for your old e-mail account), you can change your password if you have access to the e-mail associated with your account.

Let me repeat that.

Forgot password/Change password/Log-in/Account compromised? Change your password with e-mail. Forgot e-mail/e-mail compromised/Change e-mail? Change your e-mail with password.

If you lose access to one, you can use the other. If you HAVE access to one, you have access to the OTHER AS WELL.

That means if you've been hacked through either your e-mail, your League account, or some old website for which you've used the same password and completely forgotten about, then a potential hacker could very well potentially render you unable to access your account, forever, because they hacked that old website and you just so happened to use the same password for it (also why you should never re-use passwords).

Now, I understand there's player support for occasions such as these, so that players who've purchased RP or have any other types of credentials associated with the account can always recover their account through player support. But that's simply a last resort, and shouldn't be the go-to option for massive numbers of players who could potentially have their accounts compromised. And that doesn't even consider the player who's been an active participant in and supporter of the League community through many more positive means (artwork, involvement in boards, etc.) not related to purchasing RP. Suppose that player has never purchased RP. There's no way for the player to prove the account is theirs.

Riot, I hope you fix this issue quickly, because the security of your players is right now, right here, at risk.

Players, please update your League credentials and the credentials associated with the e-mail you use for League before you regret it.

Thanks, Cardi (A Concerned Player)

7 Comments

VasilisGreen·9/23/2016, 9:39:53 AM·3 votes

I don't quite understand what you mean. If you lose access to your League account, you can reset it by requesting a password reset. For that you go to your email and you click this and that. But if you've lost access to your email, it's over, you can only recover that through your email service, League has nothing to do with it... So, what exactly do you mean in this post?

The password that is requested to enter if you ask to change the email address that's connected to it, is your League account password. It is in place to "verify" that the user that requested that change was indeed you. AGAIN, your email account doesn't have anything to do with it.

If you ask to change your League password, it asks for your current password, again, to verify that the one that made that request is again YOU.

If you lose access to your League account for any reason at all, ask for a pass reset and you know what to do from there. If you lose access to your email, you go to your mail service and sort it out there, if you can't recover it, you make a new mail account and you assign it to your League.

Now, if someone brute forces your League password and changes it, and also changes the email assigned to it AND also verifies it, yes, then you will probably lose your account because you can't actually ask for a reset because the verified email doesn't belong to you and it's game over. But, to brute force a well designed password will take a lifetime even for the best PCs to do. So, if what you mean in this post is this exact case, well, it's something Riot can work on but still it's not Riot's fault. If your password is 123456789 then don't be surprised if you lose the account. Apart from that, Riot isn't at fault if you made easy to guess passwords. Although they could make the Email change a bit harder. Like adding a 2 step verification in there so that, if you tried to change the email, you need to verify it both from the link they sent you but also in some other way, like from a cellphone. It would be a good strat
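
Added example (not part of any post in this thread, and not Riot's code): a small model of the self-service flows the original post describes, next to a second policy with the extra verification step on e-mail change suggested in the comment above. The capability names and the second-factor rule are assumptions made for the model.

```python
# Added illustration: which single compromised credential is enough to end up
# holding both the account password and the e-mail on file?
# Capability names and the second-factor rule are assumptions for this model.

PASSWORD, EMAIL, SECOND_FACTOR = "password", "email_on_file", "second_factor"

# Each self-service flow: (name, capabilities required, capability gained).
POLICY_AS_DESCRIBED = [
    ("reset_password", {EMAIL}, PASSWORD),   # reset link goes to the mailbox
    ("change_email", {PASSWORD}, EMAIL),     # only the current password is asked
]

POLICY_WITH_SECOND_FACTOR = [
    ("reset_password", {EMAIL}, PASSWORD),
    ("change_email", {PASSWORD, SECOND_FACTOR}, EMAIL),  # hypothetical extra step
]


def closure(initial, policy):
    """Everything a party can end up holding by chaining the allowed flows."""
    held = set(initial)
    changed = True
    while changed:
        changed = False
        for _name, required, gained in policy:
            if required <= held and gained not in held:
                held.add(gained)
                changed = True
    return held


def single_points_of_failure(policy):
    """Credentials whose compromise alone yields both password and e-mail."""
    full_control = {PASSWORD, EMAIL}
    return sorted(c for c in full_control
                  if full_control <= closure({c}, policy))


if __name__ == "__main__":
    for label, policy in (("as described", POLICY_AS_DESCRIBED),
                          ("with second factor", POLICY_WITH_SECOND_FACTOR)):
        print(f"{label}: {single_points_of_failure(policy)}")
```

In this model the second factor removes only the password-to-e-mail path; a party holding the mailbox can still obtain the password through the reset flow.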

My E is balanced·9/23/2016, 12:28:40 AM·2 votes

u got hakd lol git fugd

Pesayeth·9/23/2016, 12:47:43 AM·2 votes

Just wanted to chime in. I had my account accessed a week or so ago and noticed this behavior after a few days. I promptly changed my password, however I was just banned earlier today for "3rd party programs or malicious programs," which I figure is related to whoever accessed my account. Hopefully Riot Support can step up and help anyone affected.

JustARivenMain·9/23/2016, 7:08:37 AM·2 votes

My friend got hacked, I made the acc for him when he first started 2 years ago, never logged on to it, Riot refuses to help him uwu.

PaladinNO·9/23/2016, 2:47:33 PM·1 votes

Here is a random example of the kind of passwords I use (no joke):

_y29&_H$!\x/#'<3{:1H

15-20 characters, unique for every site or service I use (this game or emails are no exception), and I change them infrequently.

If anyone can hack both, they can have my account, as they then would deserve it.