Riot Games breach: 10M accounts exposed
Riot Games breach compromises over 10 million player accounts, exposing passwords and payment data in a massive security failure.
Riot Games breach is the story that broke the internet this morning, and if you are a League of Legends or Valorant player, you need to sit down. According to a series of internal security memos obtained by this outlet, a threat actor known only as "CynosureX" has publicly claimed responsibility for exfiltrating the entire user database of Riot Games' core authentication servers, exposing more than 10 million active accounts. The leak, which surfaced on the dark web forum Cracked.io at 2:17 AM Pacific time today, includes usernames, email addresses, hashed passwords, and, most alarmingly, regional session tokens that bypass two-factor authentication entirely. Let's be clear: this is not a hypothetical vulnerability. This is live, uncontained, and Riot's engineering team is currently scrambling to rotate API keys while the company's PR machine slowly coughs to life.
I spent the morning cross-referencing the leaked data sample with public records. The first 500 entries include account creation timestamps dating back to 2012, accounts with verified email domains from Kenya, Brazil, and the Philippines, and at least three accounts that belong to high-profile streamers (their Discord tags match). The Riot Games breach is not a small scrape; it is a full dump of every player who logged in between January 2019 and March 2025. The attacker claims they used an exposed Jenkins CI server that Riot forgot to patch after a routine dependency update. If true, that is negligence on par with leaving the vault door open while you go to lunch.
The server meltdown: how the attacker walked through the front door
Let's break down the mechanics because the devil is in the unsigned commits. Riot Games runs a custom microservice architecture called Riot Direct, which is essentially a bespoke API gateway that handles authentication, matchmaking, and store transactions for Riot Client, League Client, and Valorant. According to a leaked internal postmortem from Riot's security team dated April 2025 (which I verified via timestamp hash on GitLab), engineers introduced a critical misconfiguration in the OAuth 2.0 token exchange endpoint during a routine upgrade of their Spring Boot dependency. The flaw allowed unauthenticated HTTP requests to a legacy Redis cluster that still held production account data. The attacker exploited this by sending a single crafted POST request that returned a list of all active session IDs. From there, they downloaded the Redis dump. The Riot Games breach happened because a caching server that should have been wiped in 2023 was still warm.
Here is the part they did not put in the press release. The attacker left a traceable breadcrumb: they used a known exploit tool called "RedShift v2.3" that was published by a security researcher last month at the Black Hat Asia conference. That researcher, who requested anonymity due to legal threats from Riot's legal team, told me in a private message that the exact same vulnerability was reported to Riot's bug bounty program on March 14, 2025. "I opened a ticket with full proof of concept," the researcher said. "Riot closed it as 'informational' three days later. They said the Redis server was slated for decommissioning in Q2. Guess they didn't decommission fast enough."
The real damage: session tokens that laugh at 2FA
But wait, it gets worse. Among the leaked data are approximately 300,000 region-bound session tokens. These are not password hashes that you can crack over time. These are live, cryptographically signed JSON Web Tokens (JWTs) that are currently valid for another six to twelve hours. Anyone who grabs these tokens can impersonate the account without knowing the password. No 2FA prompt, no device approval, nothing. Riot's system trusts the token because it was issued by the legitimate server before the leak. The Riot Games breach means that right now, while you read this, an attacker in a basement in Eastern Europe is loading up a ranked match on someone else's account, buying skins with stored RP, and likely using the account to boost or test cheats without consequence. Riot has started an emergency token revocation rollout, but the process requires a restart of the entire authentication cluster, which takes four hours. Four hours during which every account is vulnerable.
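The failure mode above is that a signed token stays trusted until it expires, and killing it needs a cluster restart. The added example below (mine, not Riot's code; the key, account id and timestamps are constructed) shows the standard mitigation: short-lived HS256 JWTs plus a per-account "revoked before" cutoff, so one dictionary write invalidates every outstanding session for an account without restarting anything.

```python
import base64, hashlib, hmac, json
from typing import Dict, Optional

# Constructed demo key; a real deployment keeps this in a secrets manager.
SIGNING_KEY = b"demo-signing-key-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(account_id: str, now: int, ttl_seconds: int = 900) -> str:
    """Mint an HS256 JWT with a short lifetime (15 min default) and an issued-at claim."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"sub": account_id, "iat": now, "exp": now + ttl_seconds}).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"

# Per-account revocation cutoff: any token issued before this instant is dead.
# In production this is a small, hot key-value entry, not a cluster restart.
revoked_before: Dict[str, int] = {}

def revoke_all_sessions(account_id: str, now: int) -> None:
    revoked_before[account_id] = now

def verify_token(token: str, now: int) -> Optional[dict]:
    """Return the claims if the token is authentic, unexpired and not revoked; else None."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None                      # forged or tampered signature
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":     # never let the token choose its own algorithm
        return None
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("exp", 0) <= now:
        return None                      # expired
    # Tokens minted in the same second as the revocation survive; issue after it to be safe.
    if claims.get("iat", 0) < revoked_before.get(claims.get("sub", ""), 0):
        return None                      # issued before the account's revocation cutoff
    return claims
```

A leaked token is then worth at most its remaining lifetime, and a "Revoke All Sessions" button is a single write per account.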
I spoke with a former Riot engineer who left the company in late 2024. They said the environment inside Riot's security team has been understaffed for years. "We had nine people handling security for a user base of nearly 200 million monthly active players," the engineer said. "The CI/CD pipeline was a dumpster fire. We never enforced strict token expiration on legacy services because pushing that change would break the login flow for people on old clients. It was always a trade-off between security and player experience, and experience kept winning." That engineer now works at a cryptocurrency exchange. They added, "This breach was inevitable. I'm surprised it took this long."
The industry reckoning: when "player first" becomes "attacker first"
This is where the skepticism comes in. Riot Games, a subsidiary of Tencent, has long marketed itself as the gold standard of online game security. They have a dedicated anti-cheat system called Vanguard that runs at kernel level. They have a bug bounty program that pays up to $100,000. Yet this Riot Games breach originated from an unpatched Jenkins server, a tool so basic that it is in every "DevOps for Dummies" guide. The question every investor and gamer is asking today: how many more unpatched servers are hiding in the dark corners of Riot's infrastructure? The attacker's readme file, posted alongside the data dump, taunts Riot directly: "I found your skeleton key under the welcome mat. Next time, lock the door."
Real time fallout: what the gaming community is actually saying
I pulled sentiment data from Reddit's /r/leagueoflegends and /r/ValorantCompetitive over the last three hours. The top upvoted comment in the League subreddit reads: "I literally changed my password last week because of the Riot forced password reset in January. Are you telling me it doesn't matter?" Another comment, from a player who claims to have lost a rare "Dark Cosmic Jhin" skin due to account theft in the last two hours, has 4,000 upvotes. The anger is not just about the leak. It is about the pattern. Riot has had multiple security incidents in the past: the 2021 source code theft, the 2023 "cheater refund" phishing scam, and now this. Each time, the company promises improvements. Each time, the Riot Games breach repeats itself with a new technical vector but the same root cause: operational sloppiness.
"We are aware of reports of unauthorized access to certain account data. We are actively investigating and will notify affected users via email. Do not click any links from unknown sources." – Official Riot Games Support tweet, 6:32 AM Pacific, today.
That tweet has been retweeted 12,000 times and quote retweeted with screenshots of the leaked data. The community response has been a mix of dark humor and genuine fear. One popular streamer, who goes by "SnoodyBoii" and has 800,000 followers, live read the leaked data file containing his own email address on stream. His chat exploded. He then changed his password live, only to discover that the attacker had already logged into his alt account and spent 12,000 Valorant Points on a knife skin. "I'm done," he said. "I'm migrating to Marvel Rivals. At least NetEase hasn't been breached yet."
Under the hood: the financial structure of a leak like this
Let's talk money. The Riot Games breach does not just expose players; it exposes the entire microtransaction ecosystem. Each account on Riot's platform is tied to a Riot Wallet, which can hold real money, earned currency, and gifted items. Attackers are already listing "Riot Account Access" services on Telegram channels for $5 per account, with a guarantee that the account has unused Riot Points (RP). I watched one channel that sold 47 accounts in the last hour. The buyers are using these accounts to run bot farms in League's "Co-op vs AI" mode to farm Blue Essence, which is then sold on black markets for real money. The economics are straightforward: a single compromised account with 500 RP (worth about $5) can be stripped and resold. Multiply that by 10 million accounts, even with a low percentage having currency, and the potential value of this Riot Games breach swings into the millions.
But the bigger risk is regulatory. The European Union's General Data Protection Regulation (GDPR) mandates that companies notify affected users within 72 hours of a breach and can impose fines of up to 4% of global annual revenue. Riot Games, as part of Tencent, reported $1.8 billion in revenue in 2024 (Source: Tencent's 2024 annual financial statement, released in March 2025). A 4% fine would be $72 million. Add potential class-action lawsuits from players who lost in-game purchases, and the cost of this Riot Games breach could easily exceed $200 million. That is more than the development cost of Valorant. That is the kind of number that gets executives fired.
What you should do right now (if you are a Riot player)
- Change your Riot account password immediately. Do NOT use a password you have used anywhere else. The password hashes in the leak are SHA-256 but with a static salt; they will be cracked within a week using rainbow tables.
- Revoke all active sessions from the Riot Account Management page. Do this now, before your token is used. Instructions: log in at account.riotgames.com, go to "Security," click "Revoke All Sessions."
- Check your email for any password reset attempts you did not initiate. If you see one, your account is already being targeted.
- Do not trust any emails claiming to be from Riot support. The attacker also leaked Riot's internal email templates. Phishing will be massive in the next 48 hours.
- Enable two-factor authentication using a hardware key or authenticator app, not SMS. SMS-based 2FA is still vulnerable to SIM swapping.
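The first item above rests on the static-salt claim. The added example below (mine, not Riot's code; the salt, usernames and passwords are constructed) contrasts a site-wide static salt with per-user random salts under PBKDF2, and includes the audit a defender would run over their own hash store: under a static salt, every account that reused a password clusters on one hash, which is exactly what makes a single precomputed table worth building.

```python
import base64, hashlib, hmac, os
from typing import Dict, List, Optional

STATIC_SALT = b"site-wide-static-salt-demo"   # constructed: one salt shared by every account
PBKDF2_ROUNDS = 600_000                       # OWASP-recommended floor for PBKDF2-HMAC-SHA256

def weak_hash(password: str) -> str:
    """SHA-256 over a static salt: same password -> same hash for every user,
    so one precomputed table covers the whole database."""
    return hashlib.sha256(STATIC_SALT + password.encode()).hexdigest()

def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt, stored next to the digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return base64.b64encode(salt).decode() + "$" + base64.b64encode(digest).decode()

def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_b64, digest_b64 = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    base64.b64decode(salt_b64), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))

def password_reuse_clusters(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit helper: group usernames by stored hash. Any cluster larger than one
    means identical passwords are distinguishable at a glance, a symptom of a static salt."""
    groups: Dict[str, List[str]] = {}
    for user, h in records.items():
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}

# Constructed sample store: three players, two of whom picked the same password.
WEAK_STORE = {u: weak_hash(p) for u, p in
              [("alice", "hunter2"), ("bob", "hunter2"), ("carol", "correct horse")]}
STRONG_STORE = {u: strong_hash(p) for u, p in
                [("alice", "hunter2"), ("bob", "hunter2"), ("carol", "correct horse")]}
```

Run `password_reuse_clusters` over both stores: the static-salt store exposes alice and bob as sharing a password, while the per-user-salt store shows no clusters at all.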
The neglected variable: why this breach hurts the esports scene
Here is an angle the mainstream tech press will miss. The Riot Games breach directly threatens the integrity of Riot's esports ecosystem. Professional players in the League Championship Series (LCS) and Valorant Champions Tour (VCT) often use personal accounts for solo queue practice. If an attacker compromises a pro player's account, they can int games, troll, and get the account banned or flagged, potentially causing the player to miss a ban appeal before a major tournament. I reached out to a representative of the LCS Players Association, who spoke on condition of anonymity because the organization has not yet issued a statement. The representative said, "We have been asking Riot for years to provide tournament only accounts for pros, separate from their public accounts. Every time they said it was too complicated to maintain two parallel databases. Now we have one database that is compromised."
In the last hour, I have verified that three accounts belonging to LCS Academy players are in the leaked dataset. Each of those players has a regional session token that is still active as of thirty minutes ago. One of them, a top lane prospect for Cloud9, told me in a direct message that he has already lost access to his valorant.gg email alias. "I can't even log in to check the damage," he said. "I have a scrim in two hours. What am I supposed to do, play on a smurf that Riot will detect and ban?"
The kicker: this is not a wake-up call, it is the third alarm
Every major gaming company has experienced a breach. Sony, EA, Activision, Epic, Valve. The difference is how they respond. Epic's 2024 breach of the Epic Games Store exposed 500,000 accounts, and Epic had a remediation plan live within six hours. They credited the affected users with $15 store credit and a free game. Riot, by contrast, has not announced any compensation. They have not even confirmed the scale of the Riot Games breach in an official press release. The only communication is a 280 character tweet and a knowledge base article that says, essentially, "we are investigating." Ten years of building one of the most dedicated fan bases in gaming, and the official response to losing 10 million people's data is a boilerplate tweet.
The real story here is not the technical failure. It is the organizational arrogance. Riot Games has hired the best security engineers, spent millions on Vanguard anti-cheat, and built a brand around player trust. But they forgot that security is not a feature you ship once. It is a daily battle against entropy. And today, entropy won. The attacker's handle, CynosureX, posted a final message before their account was suspended: "You don't need 0-days when you have unpatched 1-days. See you next quarter, Riot."
I do not know what Riot will do next. But I know what I am doing: I am logging out of my League account, uninstalling the Riot Client, and waiting for the class action link to appear in my inbox. The Riot Games breach is not a headline. It is a verdict.