Account information for some North American League of Legends players has been "compromised," Riot Games co-founders Marc Merrill and Brandon Beck revealed in a post on the game's official website today.
Compromised information includes "usernames, email addresses, salted password hashes, and some first and last names," according to the developer.
"This means that the password files are unreadable, but players with easily guessable passwords are vulnerable to account theft," the pair wrote.
Riot is also "investigating that approximately 120,000 transaction records from 2011 that contained hashed and salted credit card numbers have been accessed." The payment system under investigation hasn't been used since July 2011, but Riot will contact affected players via email.
Riot will require players with North American accounts to change their passwords, which will happen as an automatic prompt when they log into the game. The developer is also creating new "security features," including email verification and two-factor authentication, which will require verification through email or text message.
"We're sincerely sorry about this situation," the post reads. "We apologize for the inconvenience and will continue to focus on account security going forward."