A hacker is looking for ransom payments after acquiring source code for Riot Games’ League of Legends, Teamfight Tactics, and the company’s “legacy anticheat platform,” a spokesperson for the company said on Twitter. Riot Games has refused to pay after its systems were compromised in a social engineering scam.
The company stopped releasing content for League of Legends and Teamfight Tactics while teams worked to secure the system. Riot Games expects that a fix will be implemented later in the week, at which point patch updates will resume. Both Teamfight Tactics and League of Legends will get hotfixes to push through some expected changes, but more major adjustments will have to wait: for Teamfight Tactics and League of Legends, the big stuff is being moved to Feb. 8 patches.
As promised, we wanted to update you on the status of last week’s cyber attack. Over the weekend, our analysis confirmed source code for League, TFT, and a legacy anticheat platform were exfiltrated by the attackers.
— Riot Games (@riotgames) January 24, 2023
No player data or personal information was compromised in the attack, according to Riot Games. The source code for each of the games, however, includes “experimental” features that the company was not ready to share — prototype work with no guarantee for release.
The other major concern regarding the stolen source code is the likelihood of new cheats, Riot Games said. “Since the attack, we’ve been working to assess its impact on anticheat and to be prepared to deploy fixes as quickly as possible if needed,” it tweeted. The company is working with its security team, consultants, and law enforcement to investigate the attack and its perpetrators.
Riot Games declined to comment further on the attack, but noted that the company intends to publish a full report that details “the attackers’ techniques, the areas where Riot’s security controls failed, and the steps [it’s] taking to ensure this doesn’t happen again.” Social engineering scams are designed to target people — in this case, people with access to Riot Games’ systems. They exploit human error, for example by sending fake emails designed to trick a person into sharing information or installing malware. Social engineering hacks are a common tactic; they led to Rockstar Games’ Grand Theft Auto 6 leak last year.
Riot Games has targeted social engineering scammers in the past, too. In December 2021, it filed a lawsuit against a ring of scammers targeting job seekers — in particular, people who wanted to get into the video game industry. Scammers, in that case, published fake job postings, held fake interviews, and eventually stole money from victims. That lawsuit was dismissed in 2022.