Riot says it won’t pay ransom after League of Legends source code stolen by hackers
Riot Games says the source code for League of Legends (opens in new tab), Teamfight Tactics (opens in new tab), and a “legacy anticheat platform” were stolen in a “social engineering attack” that occurred last week, and are now being held for ransom.
Riot initially reported the attack on January 20, saying its systems were compromised but “there is no indication that player data or personal information was obtained.” The studio promised to keep followers updated on the situation as it continued to investigate.
Today, we received a ransom email. Needless to say, we won’t pay.While this attack disrupted our build environment and could cause issues in the future, most importantly we remain confident that no player data or player personal information was compromised.2/7January 24, 2023
Today it followed through, revealing that the source code had been stolen, and that the thieves have now sent the studio an email demanding an unspecified ransom. Riot said it will not pay, but warned that the exposure of the source code could lead to an uptick in new cheats. “Since the attack, we’ve been working to assess its impact on anticheat and to be prepared to deploy fixes as quickly as possible if needed,” Riot said.
Perhaps hoping to preemptively manage expectations, Riot also warned that the leaked source also includes a number of “experimental features” that may or may not be released at some point in the future: “While we hope some of these game modes and other changes eventually make it out to players, most of this content is in prototype and there’s no guarantee it will ever be released.”
“Our security teams and globally recognized external consultants continue to evaluate the attack and audit our systems,” Riot tweeted. “We’ve also notified law enforcement and are in active cooperation with them as they investigate the attack and the group behind it.
“We’re committed to transparency and will release a full report in the future detailing the attackers’ techniques, the areas where Riot’s security controls failed, and the steps we’re taking to ensure this doesn’t happen again.”
(opens in new tab)
Riot said on the official League of Legends (opens in new tab) Twitter account that a hotfix including some content scheduled for the 13.2 patch will roll out on January 26, but some material has been pushed to the 13.3 patch slated for February 8. The Teamfight Tactics (opens in new tab) account said essentially the same thing, and both said they expect to have everything repaired by the end of the week, “letting us keep our regular patch cadence moving forward.”
A Riot rep declined further comment but reaffirmed that a full report on the incident will be released in the future.