Security Breach at Riot Games Reveals Game Cheats, Source Code for Popular eSport “League of Legends”

If you’re not familiar with the world of competitive online video games, you might be wondering why the leak of game cheats would be major news. In this case, it’s because the game in question is one of the biggest in the $1.3 billion international eSports industry. A security breach at Riot Games has led to cheats and source code for League of Legends, as well as several other titles, being exposed.

Riot says that player personal and financial information was not compromised in the security breach, but it comes at a poor time for the cooling eSports industry. The industry continued to grow in 2022, but at a much slower clip than the exuberant projections made in the late 2010s, when it was at its peak, and a number of revenue sources are retracting as even the big players continue to struggle to turn a profit.

League of Legends & Teamfight Tactics game cheats exfiltrated, ransom demanded from Riot Games

The integrity of games that are played as eSports is guaranteed by elaborate “anti-cheat” systems. The attackers exfiltrated not just internal game cheats, but the source code that underpins this system for certain Riot Games titles (League of Legends being the biggest). This creates the possibility of new game cheats and exploits being developed; at minimum, Riot is delaying planned content updates as it investigates the issue.

A Twitter update from Riot indicated that the security breach originated with a successful social engineering attack in the development environment. Further updates indicated that the company received a ransom email (a demand it does not intend to pay) and that the stolen game source code contains experimental features that were not necessarily planned for deployment to the public. Riot says that it has notified law enforcement and is conducting an internal audit, with a report planned at some point in the future detailing how the attack unfolded and what the company is doing to improve security. It also said that the League of Legends and Teamfight Tactics teams would be issuing their own updates on what the exposure of the game cheats would mean for each of those games going forward.

The hackers demanded a $10 million ransom, and threatened to cripple League of Legends and another popular title, Valorant, by releasing the anti-cheat code. However, Riot says that Valorant uses a different system to prevent game cheats and should not be impacted by the security breach.

Security breach involved social engineering, possibly first party

Riot remains quiet about the security breach as the investigation unfolds, but members of Motherboard’s reporting team entered the Telegram chat room created by the hackers for ransom negotiations and found that some participants were using the usernames of Riot employees, a possible indication of who was compromised by the social engineering attack. The hackers’ own ransom note also referred to their work as “amateur level.”

At this point the hackers appear to have received the message that Riot is not willing to pay, and have appeared on a popular dark web forum offering the game cheats and pieces of code they stole at auction. They are offering the anti-cheat system, Packman, at a starting price of half a million dollars; buyers interested in the source code for League of Legends will need to pony up at least a million.

Tonia Dudley, CISO of Cofense, comments on what this all might mean for Riot and League in the future: “… while no personal information or player data was exposed, this attack still presents significant future challenges. Since the company’s source code was leaked, there is both an increased chance of cheating – as the attack targeted Riot’s anti-cheating platform – and an increased chance that hackers may exploit vulnerabilities in the future. Finally, one of the main components of any social engineering attack is its lure design. Scammers often use emotional triggers to get their victims to act, including fear and impulse, which causes many people to overlook phishing red flags like grammatical and formatting errors.”

League of Legends rose to the top of eSports in part because of its reputation for being extremely difficult to hack; game cheats have been relatively few and far between in the title’s long history, and when viable cheats do appear Riot is quick to shut them down. Confidence in the game will hinge on how fast Riot can patch out any immediate vulnerabilities that emerge as a result of this security breach, but long-term confidence in the game may be shaken if the source code escapes into the wild. This may accelerate its path to retirement as an eSport, something that appears to be on the horizon anyway as some of the dwindling revenue of the industry at large is attributed to too many old games and a lack of new blood.

Though this particular situation is somewhat unique due to its involvement of a popular eSport, Riot is far from the only game company to suffer a security breach and loss of sensitive code as of late. Publishers Rockstar, Bandai Namco, CD Projekt Red and 2K Games have all seen high-profile breaches in the past two years. The security breach at Rockstar revealed secrets about the upcoming Grand Theft Auto VI, something that may have actually ended up doing the company more good in terms of marketing and hype than harm, but there were similar concerns about how the current Grand Theft Auto Online title might be impacted by game cheats after the source code was stolen. The 2K Games breach of late 2020 saw malware distributed to customers and the theft of some of their personal and financial data.

Michael Slipsager, CEO of BullWall, comments that this should be a warning that even companies with a very strong security reputation can eventually be exposed by some sort of oversight involving employees: “Despite taking steps to protect their data, even companies with strong security measures in place can still fall victim to a ransom attack and can still suffer the consequences of a ransom attack, such as loss of sensitive data, reputational damage, and financial losses. Even well-prepared companies like Riot Games may find themselves vulnerable to a ransom attack and it is important for all companies to stay vigilant and have a robust incident response plan in place to minimize the impact of such attacks.”