How one man pulled off one of League of Legends' biggest breaches

In March 2013, an Australian cybercrime unit raided the home of a young man named Shane Duffy. A homeschooled 21-year-old with Asperger Syndrome, Duffy was suspected of a long series of hacks on Riot's multiplayer online battle arena game League of Legends.

According to The Daily Dot, how he managed to pull it off is a story that dates back to 2012. Hackers gained access to more than 120,000 transaction records, which included encrypted credit and debit cards. Almost a year later, the company's North American servers were accessed by an unknown party. At the time, Riot said no billing information had been stolen.

In 2013, several high-profile League of Legends players found themselves kicked out of accounts, or worse, had their accounts transferred to Brazil. The hacker involved — Duffy — called himself "Jason."

According to Duffy, he previously got his hands on password information for a senior staff member following a brute-force attack — a method in which all possible passwords are checked until the correct one is located. The employee did not change their password, and Duffy was able to drop in backdoor software that provided ongoing access to Riot's servers.

Although Riot eventually found the breach, Duffy's group was allegedly able to access 24.5 million accounts.

Duffy then created a website called LoLip-op.com that would allow players to pay to have one of those 24.5 million accounts knocked out of a game. The site also offered distributed denial-of-service attacks to help players win games. Through the site, Duffy reportedly pulled in more than $1,000 a day.

Police took Duffy into custody after he reappeared on a Reddit forum to talk about his past. On April 23, 2014, he appeared in court on hacking charges and five counts of fraud; he was forbidden by a judge to go online before or after the trial.

The trial is expected to begin on July 24.