A reward for 6 years of League.

Juzza·8/17/2016, 2:03:17 PM·328 votes·40,976 views

1 year ago, I went cold turkey on League. I quit, indefinitely - I told everyone who knew I played that it was done. I had played for the last 6 years, s1 bronze, s2 gold, s3 onwards diamond and, to no fault of Riot, I just started getting bored. My very last game was an in-house custom with my friends who still play today, and after that, I had 'retired' my account; never to play another game, but to still remain as a reminder of what shaped me as I grew up.

Under a week ago, I was permanently banned on the basis of

using malicious 3rd party programs or modifications to my League of Legends client.

I had received an e-mail that was in my junk folder, and it was actually purely by luck that I had stumbled upon it.

At first, I shrugged it off as another phishing link. Then I realised they didn't actually ask me to address the ban like a regular phish would. It literally just told me that I had been permanently banned, and to contact player support if I had any questions.

Any questions?

Of course I had questions.

It turns out, someone had breached into my account at latest mid July. [accessed from matchhistory[dot]oce[dot]leagueoflegends]

I had no knowledge of this.

In fact, given that I had quit, there was seemingly no way for me to have knowledge that someone else was playing on my account.

I received no notifications of a new IP access, no e-mails or alerts.

How could this happen?

My password isn't guessable, nor do I share my details with anyone.

How could someone log into my account, inactive for almost a year, on a random IP address and not alert me immediately through one of a myriad of ways to do so?

I've connected my Facebook, my e-mail, and if it's a thing, probably my phone number too.

League of Legends is the biggest online game in the world. Compare it to games like Runescape - you need to authenticate access through an authenticator to log in from a new IP. Guild Wars 2 - you can literally see every access to your account, including access IP. Platforms like Steam - you need to gain a code textable to your phone number to log in from a new IP, or even just after inactivity.

This is not cool.


This is the exchange I had with Riot Broken Blade through Player Support.


Just like that, someone breached my account, played for a week, cheated blatantly (still losing the games) and got my 6 year account, pricelessly sentimental to me, permanently banned in one fell swoop. And there was nothing I could do to stop him.

A reward for 6 years of league.

274 Comments

Mistress Shyvana·8/17/2016, 2:23:07 PM·231 votes

Whether this is legit or not we need a movement for better security. I don't understand how a game this big doesn't have secondary authentication at least for login from a different IP address.

Seeing how big the game is and how you can spend so much irl money on the game.. You think this should be staple.

JOIN THE FIGHT FOR BETTER ACCOUNT SECURITY

Riotcluvie·8/18/2016, 1:03:14 AM·123 votes

Hey Juzza -

Thanks for taking the time to write this up. I did a little prodding and reached out to a few people in Player Support to see what happened. This particular case was difficult to establish compromise due to the access that was being seen on the account. Further review leads us to believe that your email itself was compromised and that’s how they were able to get into your League of Legends account with a password reset. I’m not sure when the last time you changed your password was, but I’d recommend updating it and any account that used the same credentials. Apologies for missing this from the get go and for any inconvenience that this may have caused. A Player Support agent should be reaching out to you shortly in your ticket.

When it comes to Account Security, we take that issue very seriously. We understand that there are some changes that should be made in order to help alert those whose accounts may be compromised, and we’re looking into this on multiple fronts. In the meantime, there are quite a few things that we can all practice to protect ourselves as well. In this day and age, you pretty much need a login and password for everything everywhere and it makes remembering your password hard. All these different accounts tempt us into reusing the same password across multiple sites, which is definitely not a safe security practice. I would suggest looking into password managers to help out with different identities on the internet. A few more tips can be found here.

Vhan8765·8/17/2016, 2:32:42 PM·79 votes

I love Riot's Player Support. They are /so/ helpful and /so/ understanding, they /clearly/ /always/ listen to every word you've typed and /always/ take /every/ report with the most care. Sometimes when you're really cared for, you'll get some of their replies straight up copy and pasted from already premade support articles.

Riot cares so much about their players, that is why there are so many /amazing/ deals and offers for you to spend your money on 24/7. Riot cares so much that you can see them listen to their player base all the time about game balancing or changes 90% of players didn't want. <3 And since League of Legends is a "free" game, let's all not forget Riot doesn't have the money or time to add in that extra step of security so things like this don't happen. :3

Honestly though, I love League of Legends but I personally greatly dislike Riot.

ModWuks·8/17/2016, 6:16:08 PM·40 votes

Yes, Riot's policy with regards to account security and account actions is to place it on the responsibility of the account owner, and for good reason. However, I've seen a few instances where Riot were able to work their magic. If what you're saying in the OP is true, I certainly hope that some magic can be worked here. I don't have much influence on these types of matters, but I'll see what I can do.

And +1 for multifactor authentication/two-factor authentication. It's something that Riot's been looking to implement over the past few years, but I certainly see the urgency for players.

http://www.riotgames.com/riot-games-security

COBRA C0MM4NDER·8/17/2016, 5:02:02 PM·36 votes

Yeah, I've always wondered at how easily Riot can wash their hands of player side security issues. For some of us, we have a significant investment in our accounts through time and money.

The piece that really twists my nipples...is this line:

"however if an account is ever compromised, as account creator you are ultimately responsible for all behaviour on your account as well as maintaining its security and the security of its login information"

The problem with this bit is RIOT WILL NOT TELL YOU WHEN OR WHERE IT BECAME COMPROMISED. There's no security call when you incorrectly enter the password.

Riot says fuck all if some hacker is trying to blindly brute force your passwords, they SAY NOTHING if your account logs in from a different location...but they have no problem blaming you for account sharing though, even if it's you on a vacation.

Riot has no problem taking your account and investment and deleting it because they own the game.

I'd say Riot needs an authenticator added to the phone app or at the very least an IP check upon login to verify that said account is playing from XXX.XXX.XXX.XXX IP and keep a log.

There's no logs on our accounts, in our profiles or anyplace we can access securely anyhow so that leaves a really big fucking hole security wise...how can we be secure if we cannot even see who is logging in our accounts. No warning that someone is brute forcing your account.

A simple IP log function would be of immense help to us with security. It would allow us to say "yes, this was me...or no, this was NOT me" and a security handshake between the client and host to verify that "X has logged in securely"

Fuck worlds, Fuck champion updates, and to hell with new skins.

SECURITY should be the priority.
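
The login history and owner alerts asked for in the comment above, sketched as an added example; it is not part of the original thread and is not Riot's code. The event format, thresholds and sample events are constructed assumptions (IPs come from documentation ranges), with dates loosely following the timeline in the original post.

```python
from datetime import datetime, timedelta

# Assumed thresholds for illustration; a real service would tune these.
DORMANT = timedelta(days=90)         # no successful login for this long = dormant
FAIL_WINDOW = timedelta(minutes=10)  # window for counting failed logins
FAIL_LIMIT = 5                       # failures inside the window that trigger an alert

# Constructed per-account auth log: (ISO timestamp, event kind, source IP).
EVENTS = [
    ("2015-08-01T19:00:00", "login_ok", "203.0.113.7"),
    ("2015-08-10T20:00:00", "login_ok", "203.0.113.7"),
    ("2016-07-14T03:10:00", "password_reset", "198.51.100.23"),
    ("2016-07-14T03:12:00", "login_ok", "198.51.100.23"),
    ("2016-07-15T04:00:00", "login_ok", "198.51.100.23"),
]

def review_account(events):
    """Return (timestamp, reason) alerts that should be sent to the account owner."""
    known_ips, last_ok, fails, alerts = set(), None, [], []
    for ts_raw, kind, ip in sorted(events):  # ISO timestamps sort chronologically
        ts = datetime.fromisoformat(ts_raw)
        dormant = last_ok is not None and ts - last_ok > DORMANT
        if kind == "login_fail":
            # Keep only recent failures, then count this one.
            fails = [t for t in fails if ts - t <= FAIL_WINDOW] + [ts]
            if len(fails) == FAIL_LIMIT:
                alerts.append((ts_raw, "repeated failed logins"))
        elif kind == "password_reset" and dormant:
            alerts.append((ts_raw, "password reset on dormant account"))
        elif kind == "login_ok":
            if known_ips and ip not in known_ips:
                alerts.append((ts_raw, "login from new IP"))
            if dormant:
                alerts.append((ts_raw, "login after long inactivity"))
            # Simplification: a real system would trust the IP only after
            # the owner confirms "yes, this was me".
            known_ips.add(ip)
            last_ok, fails = ts, []
    return alerts

if __name__ == "__main__":
    for when, reason in review_account(EVENTS):
        print(when, reason)
```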

Juzza·8/17/2016, 5:21:39 PM·28 votes

My post has brought up 3 'concerns' which are being consistently mentioned by the comments. I'll summarise them here, but before that, let me state a couple of things which I didn't think I needed to, well, state.

Firstly: nothing in the OP is fabricated. Nothing in the OP is exaggerated, to the best of my knowledge, or to a meaningful extent toward the points I was trying to make. Nothing has been purposely omitted from the OP. I'm here to state my concerns, but also my case. I have nothing to hide, and will provide any further details on request.

Secondly: as was stated in the OP, I have long since quit the game. I'm not trying to ever play again. Obviously, I'm here to point out the facts and reintroduce an issue that has long since been the elephant in the room. At the same time, however, my account was a trophy on the wall. I may not ever have touched it, or moved it, but it was there to see, and it was something I would be proud to see. Now, it's simply a stained piece of metal that I'm ashamed to own - and the stain was not even of my own doing.

One of the biggest concerns I have, separate from the issue of account security offered by LoL, is how certain Riot Broken Blade stated that "exploits were used with no signs of ever being compromised." Actually, in saying that, it is honestly related to the issue of account security.

Why?

Because I did NOT use any exploits, or cheat in any way in the course of my account lifetime.

I openly challenge any rioter to prove me wrong; to show the evidence that allowed Broken Blade to essentially say that I was lying when I claimed to have my account breached.

...it does seem there were exploits being used by this account with no signs of ever being compromised.

With me being 100% sure that I did not cheat given that I haven't played a single game since the 10/8/2015 (that's the 10th of August, 2015), clearly Riot's detection on account access is heavily flawed. Either that or something shady is going on, but that's really just silly given my inactivity.

I cannot prove that my account was breached with certainty. Less so, I cannot begin to even give a backed argument for myself because I do not have any data showing logs of access, IP comparisons, etc. These are all kept internally, and as shown by my chat with Broken Blade, they are not willing to give this out. Frankly, all I have are the witness testimonies of every single person who might be on my FL, and the hunch that I have never been near wherever the IP of access was at time of breach.


All that being said, here are the two main points.

  1. Riot is justified in not lifting the permanent ban, because at the end of the day, their rules are logical - your account is your responsibility. What happens on your account is your concern. I agree with this stance, on the assumption that account security is genuinely under control. Obviously, if everyone had complete control at all times over their accounts, there is nobody else but you to take responsibility for actions stemming from your account. Unfortunately, this is most certainly not the case. Which brings me to:

  2. Riot's account security systems are horribly lacking. There's nothing much else to be said. Given the size of the game, the range of its capability, it is no better than irresponsible for developers to ensure that account security is at the very least kept up to the same pace as the rest of the features of the game. The state of security needs to change, now.

Uberfrag·8/17/2016, 3:35:56 PM·24 votes

I'm starting to see a worrying amount of these threads appear on the forums now.

Whilst I'm always sceptical that the entire truth is not being disclosed by the poster, what concerns me more is that despite all these threads, nobody from Riot is commenting on any of them, which makes me think they have something to hide.

I agree Riot needs to invest in additional account security, people invest a lot of time and money into these accounts and Riot should be implementing better ways to protect them.

It borders on negligence from their part by not protecting their customers, I'm shocked this hasn't been addressed earlier.

Roxas1111111·8/17/2016, 3:34:10 PM·19 votes

I'm sorry but the fact that they responded like that to a cry for help is total bullshit.

ConsensualClown9·8/17/2016, 7:07:32 PM·15 votes

[deleted]

Randomonium·8/17/2016, 2:44:16 PM·10 votes

This is like the 3rd post I've seen where OCE rioters have refused to overturn blatantly unfair bans. I'd submit a ticket on NA or EUW because it's obvious some of those guys in OCE are either incompetent or aren't even bothering to look at the facts.

Glaedonx·8/17/2016, 4:26:27 PM·9 votes

I really hope a Red sees this. This is completely avoidable. There is no excuse on Riot's part to not have the option (though it should be a requirement) for players to go through a two-step verification process. I think two-step verification should be done with every login, but even if it was like Steam with a once-per-computer basis, that would be better than nothing. A company that is as big as Riot, that has the largest share of players of any multiplayer game, really needs to start putting player account security onto their priority list.

The only reason I can think this hasn't been implemented yet is that the old tech of the client won't support it (I'm REALLY giving them the benefit of the doubt on that). Something needs to be put into place after the new client release IMO. And players need to demand it.

LuxannaVeritas·8/17/2016, 3:16:53 PM·8 votes

Wait, so your account got hacked?

Isn't this a big deal that Riot should look into and alert the community about?

Cpt Jack Bird·8/17/2016, 3:33:57 PM·7 votes

Funny thing: they literally can never stop you from ticketing. You could run a script to do it for you, even. They are obligated to look at every ticket, and can't stop you.

Battlecast Sona·8/17/2016, 5:01:40 PM·5 votes

League of legends authenticator where

MrEly·8/18/2016, 1:10:02 AM·4 votes

Despicable. Can't wait to see this thread fall by the wayside, be forgotten, and never be hit by a Riot employee.

What Is Smite·8/17/2016, 10:55:50 PM·2 votes

Contact the Better Business Bureau and submit a complaint, afterwards file a complaint with the Microsoft Corporation. Through both companies' pressure Riot Games will be forced to make a much more detailed investigation or be charged with a significant fine all the while losing face in the media for a game that fails to secure its player information. There are more steps you can take, but elevating the issue to a higher power will cause action to be taken and hopefully you can recover your account.