Riot Games was the target of a cyber attack in which the LoL source code got stolen this week.
The first month of 2023 has been a long one for one of the biggest game developers in the world, Riot Games. Just a couple of weeks ago, the company got into trouble with the League of Legends community due to the stale state of the game and the lackluster season start cinematic. As they addressed the problems and were leaving them behind, Riot got hit with another piece of bad news. Over the weekend, Riot systems were the target of a social engineering attack.
Earlier this week, systems in our development environment were compromised via a social engineering attack. We don’t have all the answers right now, but we wanted to communicate early and let you know there is no indication that player data or personal information was obtained.
— Riot Games (@riotgames) January 20, 2023
Social engineering is an attack vector that relies heavily on human interaction and often involves manipulating people into breaking normal security procedures and best practices to gain unauthorized access to systems, networks or physical locations or for financial gain. These types of attacks are becoming more commonplace, even against everyday people, with tactics such as spam emails, phishing and deepfakes. Some recent examples are Google getting scammed for over $100M and €70M getting stolen from a Belgian bank.
Riot Games guarantees no player data or personal information is compromised
After the attack, Riot promised more communication in the coming days, which was a focal point when the League of Legends devs addressed the aforementioned community backlash last week. In a statement made on Twitter today, Riot Games confirmed that the source code for LoL, TFT and a legacy anticheat platform was exfiltrated by the attackers. Although they did not give much more information about the attack itself, Riot was able to assure players that none of their data or personal information was compromised.
The statement also mentioned Riot received an email demanding ransom. Riot said they would not be paying the ransom and “security teams and globally recognized external consultants continue to evaluate the attack and audit [their] systems. [Riot] also notified law enforcement and are in active cooperation with them as they investigate the attack and the group behind it.”
Today, we received a ransom email. Needless to say, we won’t pay.
While this attack disrupted our build environment and could cause issues in the future, most importantly we remain confident that no player data or player personal information was compromised.
— Riot Games (@riotgames) January 24, 2023
With no ransom payment and no player data compromised, the only two big remaining implications for players are the anticheat problems and game patch delays. On the latter front, both LoL and TFT will get their regularly scheduled patch 13.2, but some of the planned content will be missing. LoL patch 13.2 will be a hot-fix patch including the main part of the regular patch, except the Ahri ASU and Annie champion adjustments. In the same vein, most TFT changes will go through with the exception of larger-scale trait reworks.
When it comes to cheating, Riot already has a very effective, but arguably intrusive, anticheat system for their games, so they didn’t have a problem with cheating in the past. Andrei ‘Meddler’ van Roon, Senior Vice President and Studio Head of League Studio at Riot Games, answered some questions about cheating on Reddit after the statements, saying, “there is some meaningful risk of additional cheating happening (or at least being tried) when stuff like this happens. One silver lining is that as we mentioned briefly in that video a week or two back, updating anti-cheat with a new system was something we were looking to do anyway in 2023. Going to try and accelerate that work given all of this.”
Riot also promised more transparency and information on the subject, saying they would release a full report in the future detailing the attackers’ techniques, the areas where their security controls failed, and the steps they’re taking to ensure this doesn’t happen again.