I requested account data about 30 days ago and today realized 30 days had passed and I was yet to hear a reply. So I requested a human that it's been 30 days and I haven't received my account data. After a few hours I get a reply from a Rioter with a zip file. Upon opening it, it's someone with name "***" (can I disclose it?) and not me. I just sent them an email that this isn't my account data and am yet to hear a reply. Either way this is a serious issue because if I have someone else's account data, who has mine?
Update, they replied to my email: https://imgur.com/a/sZjMwHN
Updated the link because it mentioned someone to prevent violating any rule
**Edit:** Apparently this has happened to three more users according to them so this isn't a first time issue
Edit2: A lot of people are asking why do you care about someone's reports, chat. Just a reminder as among the important things. It reveals your email, date of birth, phone number (if linked) and IP addresses used to login for the past 4 months.
**Edit3:** Since the data owner user has revealed himself here's his username if you want to ask him anything regarding legal stuff /u/Flezhwing
Edit4: Yikes I don't care about money earned by selling someone's assets, stop PM'ing me to sell this guy's account data
That's concerning.
Jesus, this is a large mistake to make. Concerning is putting it lightly. Makes me have very little faith in account security.
It's the largest game in the world and there's still no authenticators, the fact that you had some faith in account security to begin with is concerning.
The year is 2018.
League of Legends drew over 2,000,000,000 (2 billion USD) in revenue last year.
Account theft and sharing have been widespread problems for years.
Yet not only is two-factor authentication not enabled by default, it isn't even an option to secure our accounts.
Two-factor authentication shouldn't be enabled by default, only as an option. A lot of people (probably most) don't care that much about their League account's security (which is definitely a fair choice for them), or at least not to the point that they need two-factor.
Then they can turn it off. It should be on by default for every website, service, provider. Force people to use it. Too many people don't even know what 2FA is.
Force people to use things I want!! They don't know what's best for them.
Can't wait when Ai will take all of their jobs
i got the information wrong too just now wtf
Riot have to be careful. That’s some serious shit that could end up hurting them more if someone filed a claim.
Inb4 player xx_PuZZy_Sl@yer_96_xx files a lawsuit against Riot Games for violating privacy law.
You're making a joke, but if things like that happen often enough eventually someone will sue.
Rightfully so. Even if it is a human mistake, it's a devastating one at that.
This incident alone should be a crime of some sort. This sort of data can be misused and has to be handled with care. What happened is simply not acceptable.
It is a crime and a breach of Riot's contract in their own terms (they agree to privacy and not sharing your data with anyone else). The guy could sue and win 100% but he won't
lol
cant tell you if we punished the yasuo that told you to kill yourself but you know what, here is his name, date of birth, and ip address.
lol I cant stop laughing
"Now man up, boy, and punish him yourself."
The perfect tribunal. All the flamers (I'm fucked) get their info exposed to the other guys, you can carry out the punishment. The purge: league of legends
> This incident alone should be a crime of some sort.
It is, and there are very sharp teeth enforcing it if any of the affected users are European.
> EU law enforces privacy
> Riot starts sending out random people's information to others
FUCK YEAH PRIVACY!
it's all and fun. But for breaching GDPR regulation, they can be fined up to 20 million euros or 4% of yearly income
guess we are in for a lot of lux and ahri skins in 2019
"Your shop is back!"
"Announcing the all new Ultimate and Legendary only Your Shop!"
I mean I got a lot of Rp on my BD so to have it back would be fine for me
Whatever is higher, so it would be 4%
Global yearly income, not a good look to your shareholders to lose 4% of everything you made that year.
I want them to get this penalty. I know Riot is a small Indian company, but the message needs to be sent loud and clear. This will force companies to implement and follow the regulations. This sounds like an issue that could be more widespread than Riot.
Indian lul
https://en.m.wikipedia.org/wiki/Tencent
World's second largest media and information empire after Disney.
Might even be more powerful as they act for the Chinese government and probably have their protection.
Now imagine if Riot were sending out random files of the data and it manages to somehow be yours.
I doubt they pull out random files and send it around, I think they've misaddressed the files that were requested. So only those player's files could potentially end up at someone else who requested files.
Not like this makes the situation any better.
I was joking when I posted btw.
When I got mine, the name of the file was some numbers. It didn't have my account's name or anything so the Rioter must have misclicked or something.
The name of the file is always a number! But if you go in the chat logs, for example, the name of the player is written once for every message sent.
if the news of this breaks out riot eu is in for some real shit
it's already done. they're fucked.
what kind of data was it? was it like amount of reports and like novelty data or important stuff like emails passwords etc.
Among the important things. It reveals your email,date of birth,phone number(if linked) and IP addresses used to login for the past 4 months
Here comes the lawsuit
Lawsuit by who exactly? The guy that got the wrong data? Not sure about that. The guy whose data was delivered to OP? He doesn't even know that happened. So... nope.
Which is sad, because it kind of deserves a lawsuit.
If any of the involved parties are EU citizens, Riot is obligated to report it, and quickly.
The guy who got his info given away is from EUW
Yeah, that's a mandatory report within 72 hours.
Soon I saw this I thought of the Scooby doo classic:
'And I would have gotten away with it too, if it weren't for you meddling redditors'
Yeah I meant the guy whose data was given out
EDIT: I was also joking a fair bit, but this is honestly deserving of some type of litigation
The guy whose data was delivered to the wrong person now knows. And also, it doesn't necessarily have to be an affected person. The EU can now bring down the wrath of God upon them if it so desires. As has been pointed out by some other users, this is a massive violation of their new data protection and privacy laws.
apparently he knows now and all you have to do is probably send a ticket asking...
EU office in charge of this could fine Riot I guess?
OP could contact his national Data Protection Authorities, which would launch an investigation into it and report their findings within 3 months.
It would be the guy whose personal data Riot revealed, or a government entity taking action on his behalf.
Long story short, new European data privacy laws really look down upon sending the personal data you've collected on people to other people who don't need to see it, especially without consent.
Holy shit that's big
And weird, when I asked for my password and username I already had to respond to some questions etc
They should never be able to give you your password. Not a programmer but from my understanding that shit should be so heavily encrypted only the database should be able to confirm it's right or wrong. But never be able to actually show it.
The hash is saved to the database, the plaintext password never leaves your browser.
Passwords get encrypted before put into a database. When you login and input your password, it basically gets encrypted again and if it matches the existing entry, you'll get to sign in.
Unless of course they are stored in plain text. At least osu! used to just email your password in plain text after registering, meaning it was like that in the database most likely. No idea if they've changed it.
Jesus that’s huge , that’s a sackable and sueable offense.
Yeah, saw the message that you got my data. Happy it is an honest person who received it.
Edit: lot of pm's
I am talking to the support and I just read a bit of the GDPR, and Riot Games is in bad standing at the moment. I will give an update after I call my country's data protection, which will guide me through legal stuff.
Update 1:
I just spoke with one of them on the phone, they told me to write an e-mail with the information I got and what they did wrong. Then they will decide if they can make a case out of it.
He said it was quite possible to make a case, since they broke the law and their own privacy policy.
For people in the EU who might be in the same situation, you can find your country's authorities with this link.
http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm
Did you also have a data request outstanding? Or did they just send him someone else's info? I want to know how a mistake like that even happens.
I did ask for my data, I just received my data 10 min ago, the right one. I am not sure if I received the wrong one the first time, since the zip file link was suddenly invalid.
Do not ask me how they can make such a mistake, I am looking up some data protection for EU and my own country as well to see what rights I have.
Your rights as data subject, as well as Riot's obligations as data controller, are listed in articles 12-23 and 24-34 of the GDPR. Also see articles 77-84 for a broad understanding of the remedies available to you.
lol sounds like you could sue Riot from the other comments in this thread
Already looking into it, this is not something which should happen at all. I will contact my country's data protection authority, which can help me file a potential suit, as well as writing to Riot Games.
if you actually plan on doing anything that you say you will then stop commenting right now and delete your comments.
Why is that?
If he actually gets into a lawsuit with monetary damages there is about a 100% chance that riot's lawyers will find this post and track down his comments.
Yeah i get that, but how would these comments matter?
What he says could be used against him
If you are going to start a lawsuit delete every comment you’ve made on this post other than the one confirming it was you. Lawyers can and will use this thread against you, likely to say “see he doesn’t even care about privacy he was just told he could make a few easy millions and acted on it.”
Player Support here -- This is definitely unacceptable and we're sorry this happened.
Based on your experience we have temporarily paused manual reviews of data requests while we investigate this situation further. Most of our data requests are automated, and we've confirmed this system is working properly so these will continue to be processed as normal, but we are temporarily pausing those that are handled by an agent during our investigation.
Your info is precious, we take it seriously, and we will get better.
Sent you a message as the player with the account information leaked, please get someone to look at it, also a ticket:#34861819
Edit: if anyone has advice regarding GDPR/DPA please message me
Use your new found leverage... Make them undo this shitty Aatrox re-work and revert Shaco.. or else lawsuit land!
Yep that's it.
Please and thank you
maybe delete yasuo while you're at it?
Make them give Yasuo a mana pool. Let's see how much they'll dash around a lane.
You are truly the best kind of evil.
A mana Pools doesn't matter if they keep the mana costs at 0
Give him a 30 mana dash. That'd make me happier than any nerf
Give him a 30 mana dash, but no mana pool
give him a 1 mana dash so he can complete seraph's embrace before 18 minutes
Dont do that, we have enough natural floods as it is, no need for tear floods.
"Yasuos E will now use flow instead of Yasuo gaining flow when dashing"
And see if we can finally get Pool Party Ahri?
Can I get the old tristana while you're at it
Hahaha I didn't enjoy ap tristana pressing e on me for half my health while applying grievous wounds thanks.
I see you're from the UK. You can lodge an official complaint against Riot here.
I would suggest contacting a data protection lawyer (Google it, there's many)
Thank you!
Hi I have a lot of experience in GDPR from working on compliance for it. If you have any questions I'm happy to help. someone else pointed out below that you're from the UK. I'm also from the UK so have knowledge of dealing with ICO
Completely depends where you are from, if you are a European player and this data just got leaked, then the GDPR rules just got hella hella strict.
well sh*t is done, better hope nobody with bad intentions get wrong information
Yeah imagine that. That would be a lawsuit for sure.
I mean they already sent private information to the wrong person. That's already enough if you ask me ... After that new law about privacy in the EU it would take just 1 person to complain from any EU country and they're probably gonna get in trouble
yep, and the minimal starting fines are so big they would have to release 10 new skins to cover the loss
are the fines the same as the new business GDPR ones? up to 4% of yearly income?
Yes
up to 20 million euros or 4% of yearly income for the whole company.
whichever is bigger, that is the maximum
> release 10 new skins
New Teemo, Ahri, Lux, Sona, Ezreal skin on the making
> well shit is done

> we will get better
GDPR compatibility deadline was in May..
Yup, if some user finds out his data was compromised and lives in the EU things can turn bad really fast for Riot.
The data in question was a UK citizen
They are still in the EU i think.
Yes they are. That's the point I was making
We appreciate the sentiment, but personal data is a Pandora's box. Once it is out, you can't just shove it back in. I hope for all of our sakes that the EU doesn't choose Riot to be an example...
inb4 this was all just a ploy by Riot NA to get rid of EU once and for all
Patch notes 8.14: EUW Removed
haha except the fine would hit riot itself, not riot EU
As a US IT guy who has had to help make sure that these new EU standards apply company wide, this is completely unacceptable. That support agent is gonna get fired so hard.
This is the sort of garbage where they've had some underpaid mook doing it and it's just his day to day where he doesn't give a shit about what he's working on. Guess we'll find if Riot has a pound of flesh to pay for being careless.
Hi, given the severity of this matter, how can we find out if riot has given our information out to anyone else? I am uncomfortable knowing that this can happen.
> how can we find out if riot has given our information out to anyone else
Send in a ticket.
> I am uncomfortable knowing that this can happen.
If you have ever given any sort of information ever out online it can happen. It's not unique to riot. Literally any login you create can possibly be compromised. All you can do is protect yourself through various means such as 2fa when available and lengthy passwords. Tools like 1Password are especially good for keeping yourself safe.
> Send in a ticket.

The question here is whether submitting such a ticket will get us an accurate/complete answer

> All you can do is protect yourself through various means such as 2fa
Which Riot does not support, let's not forget.
Have you reported this to a data protection authority? Everything about your system shows a lack of understanding of GDPR and lack of willingness to abide by it. I have been communicating on my own request for data and for example your 30 day minimum for receiving your information is already in violation of the regulation.
You need to sort this or it will be reported to a data protection authority and the potential fines are huge
It's been 30 days and I still haven't received the data
I responded to the ticket with this and blitzcrank bot showed up again
How will I know if my data got leaked?
Probability says it wasn't (based on the comments seen here), but I'd still like to be absolutely certain.
send in a support ticket and hope for the best
Incoming 100 million € fine for Rito
This is so severe, it should be stickied to the top of the subreddit so we can make sure Riot knows about it. None of our accounts are safe. Do we know this hasn't already happened before? Did someone malicious ever get another player's data and didn't let Riot know of their mistake, like OP did?
/u/Westbroke from the player support already replied here, so Riot knows for sure
File a formal complaint for breach of Data Protection
or demand infinite RP
this is the real answer.
This. Not reporting something like that is practically negligence on your side. This is a classic case of "business, not personal" and way too often people think they will let things slide when it's really not their job to decide how bad something is in the first place.
I mean, this isn't really that important, but if you work in a regulated environment of any kind and you let things go because "they're nice" or something, you are throwing a huge wrench into the system and skewing all kinds of data. Single offenses like this rarely get punished, but if this is a commonplace thing and enough people are reporting it, Riot should be held accountable before we get to Sony levels of data insecurity.
lol that would fuck Riot up bigtime.. We still need Riot!
I think it's got more positive long term effects than it would have negatives.
Rito is on a roll today
Wonder how much that would be if Riot were found guilty and fined under the gdpr.
Up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for infringements of:

- Controllers and processors under Articles 8, 11, 25-39, 42, 43
- Certification body under Articles 42, 43
- Monitoring body under Article 41(4)

Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for infringements of:

- The basic principles for processing, including conditions for consent, under Articles 5, 6, 7, and 9
- The data subjects’ rights under Articles 12-22
- The transfer of personal data to a recipient in a third country or an international organisation under Articles 44-49
- Any obligations pursuant to Member State law adopted under Chapter IX
- Any non-compliance with an order by a supervisory authority (83.6)
Please file a lawsuit. This is incredibly serious and the fact all they did is make a joke about it confirms they dont take this seriously and need to be forced to.
If what you're saying is true and the owner of that account is from the EU this is a major breach of the GDPR and you should probably contact the person whose information you received so they can take the necessary steps.
"In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay."
Who is the supervisory authority though
> Who is the supervisory authority though
Usually the ICO. I can't help but ponder if their support operations for the EU hail from Dublin, which would make the ICO in this case the Data Protection Commission of Ireland.
How is this system not automated, can someone explain?
Small indie company
It probably is for the most part. When you handle shit tons of info from millions of customers, eventually you will run into edge cases that require human interaction. I can't think of a large company who doesn't have support staff on hand. In my company of 200 or so we have like 40 people dedicated just to support. My company's systems are widely automated, but people still slip through the cracks with stuff that really isn't easily automateable. For example we have had customers who legally only have 1 name. The system doesn't let them register so they have to call in to our support, provide proof, and get a manual override through registration.
Thanks for the explanation.
This is the right question
It's not because it is automated. You can request manual handling but that's an exception.
It is automated for fuck's sake
A small portion of requests are still manually done and subject to user error which was the case here.
They have to go collect your data from multiple places and probably compile it into the folder they send you, and reddit did a great job of getting a quarter of the playerbase to do it.
I got my account data today too, and mine is full of holes and incomplete information
asked a Rioter about this and he sent me some of the info but still this is not how it should be
I really disliked Riot's response to this blunder. It's too chill like it's no big deal. Guess what? It's a big deal- the implication is that my personal information could have been unwillingly disclosed, something so serious which I expect Riot to try to hide so as to save face ("it only happened once", "no one else was affected", i.e. generic claims/policies without supporting evidence). I wouldn't be surprised if some internal shake up occurs as a result of this incident: there are legal consequences.
Freaking out is the worst thing you can do in any situation. It is more appropriate to calmly assess the situation and do what needs to be done. The personal information that is given to league is information that is either useless, or for the most part easy to find, so no need to trump that up either.
What kind of information and if it is easy to find doesn't matter. It's about the fact that it happened and it's personal info and it's a major fuck up and could cost Riot a lot
Seriously I'm pissed that this happened, and I would support anyone who discovers that they are affected by it to pursue it further.
That said, this isn't a complete meltdown. It's negligence, and egregious at that. However, so long as there are not elements relevant to identity theft (SS# etc.) or money then we are not going off any cliff yet.
So many organizations and companies already have access to your i.p, birthday, etc.
> That said, this isn't a complete meltdown. It's negligence, and egregious at that. However, so long as there are not elements relevant to identity theft (SS# etc.) or money then we are not going off any cliff yet.
Are you trying to imply that no elements relevant to identity theft were released? Because OP has, clearly, indicated DoB, IP address usage, email and phone number elements were disclosed. Of course, an identity thief could make use of more valuable personal details, but the disclosed information remains very relevant.
Personal information being unwillingly disclosed is something with legal consequences. It can lead to identity theft with relatively little effort (amongst other unwanted consequences), so it's surreal to say that personal information such as date of birth, IP addresses, email and phone number, among others, are useless or easy to find. Let me tell you that if you can find my email or phone number on the internet, it is not because I have willingly allowed it to be there (e.g. through signing of a contract or agreeing to ToS), but because of it being disclosed without my intention. One would expect that with the Facebook scandal in the past months, operations to ensure data privacy were being better respected.
How many years of only releasing Lux, Ahri and Mf skins will it take for Riot to compensate the huge loss that this could pose?
They'll probably give NA some compensation don't worry /s
ARURF for a day, that's a good compensation
Cancelling your ticket wouldn't protect your data from being shared with anyone else. It would just stop you from receiving someone else's data.
Balance team trying their hand at administration it seems
I've also requested a human and got an email from them today, but in my situation I didn't have that problem.
pretty sure they had a year or two to prepare for it
Riot could easily end up losing 4% of their turnover due to GDPR violations.
and imagine if they fuck it up multiple times. Lets say 5x 4% of annual income. That would be devastating
Maybe they'd be motivated to get their shit together. Maybe.
Riot lawyers desperately DMing OP to try and appease him before he goes legal on them.
OP can't go legal on them, the person whose information was sent could.
Well OP can't sue i think but anyone can report this as a GDPR breach (I don't know if it is, and if it is, it seems to be a minor one) however if Riot thought it was a genuine GDPR breach they would probably report it to themselves.
This shit is more common than anybody would like to know. A lot of people in these jobs are entry-level meaning no prior experience and either right out of high school or college. A more serious example is what happened to me with my insurance company. They owed me money so they needed to send me a blank direct deposit form to fill out....they sent me one that had already been filled out by somebody else. It had their home address, bank account number, full name, social security number, company information including phone and address. If this mistake had been sent to an asshole, that person's life-savings would have been gone. I called the person and let them know that their information had been sent to me and possibly other people and to change their information as soon as possible
What server are you on?
GDPR violation notice in 3... 2... 1...
Lmao.
Soooo, about that new GDPR thing, riot..
What was it, up to 5% of revenue?
Hmm now I'm kinda worried because I made a request for my account data ages ago but never received it...Is it safe to assume someone else has my data??
"who has mine"
No one, necessarily.
Or loads of people, potentially.
Right. But that could be the case for any of us.
Adding "handle personal information" on the list of things Riot game cannot do properly.
- Balance a single game intelligently
- Successfully release game modes
- Police the PBE's garbage userbase
- Keep the personal information of users safe
Well done, maybe one day Riot will actually hire intelligent humans instead of baboons.
I doubt they will
A surprise to be sure and a very unwelcome one
On a serious note, this is very serious stuff. Imagining your data, IP, purchase history etc leaked given to someone else. These things could be exploited.
Riot fucking up everything as per usual.
Buying privacy $1
In Europe this could be an instant lawsuit...
I JUST requested it yesterday >.<
Same here... From now on like 14-15h ago
Too bad they didn't send my chat restriction shit to someone else.
I got my data correctly so it's not the entire system that's broken at least. It was received about a week ago.
earlier today i saw a post on r/de of someone having the same issue with a german internet provider... unsafe times to be sure!
What's the point in hiding his name from the top but not from the bottom?
I just got mine today... kinda scary thinking that mine could have been sent to someone else
Does leave has any legitimate reasoning as to why they don’t have two factor authorization yet? It’s something so simple
I would personally take heavy legal action against Riot if I were affected. That is unacceptable no matter how you look at it
Spoke seriously are PMing you to sell this dude's account data? That’s fucking ludicrous
That’s incredibly concerning. Wouldn’t this mean that it’s very possible that people who didn’t even request data packages have had their information wrongly distributed to someone across the world? Isn’t this a huge violation of the new privacy policy? The fact that they inserted a small joke about it and aren’t very apologetic in that response email speaks volumes.
This is very much not okay.
Literally same thing happened to me some time ago.
Did you get your account data at the end, and what was Riot's response?
Sorry for late reply just got off work, I never got my data since I didn't bother asking them again to correct the info they sent me.
smol indiana company
Classic Riot Games.
That could be my account...
or yours...
They said they didn’t send your data to someone else. Sure
Are you surprised there are idiots in the world?
Is this legal? giving away personal data from someone else...
EDIT: but i am sorry for the Rioter who did this mistake... sucks
Aside from the person whose data got leaked (which is horrible for them btw)
I feel really really bad for the rioter that actually made this mistake. You know, everyone can make a mistake, and it can happen quickly to mess up with two files. If they are made responsible for the (potential) lawsuit, it will basically end their life, because of one stupid mistake? It will definitely cost riot a ton of money if there is a lawsuit, and if the one rioter has to cover the cost... oh my lord...
This has nothing to do with the Rioter who made the mistake, as a proper corporation Riot should not have put an employee in the position to make a mistake like that. It's a corporate fuck up not a personal one. Oh and the law is written so not a single person can be made accountable, it is always the corporation or the rules inside the corporation that make a blunder like this possible.
the weirdest part is that they sent you a zip file
What's the problem about a Zip file?
No company ever should send downloadable files or documents to customers, it's just normal policy. If there's typed information it should all be viewable within the email. If there's downloadable content that's needed, there would be a link. Could have easily been a mock account with a zip full of viruses.
Not sure why i got down-voted just telling the truth
The file is directly linked through riot support. So unless riot is trying to put malware and shit on my pc I think it’s fine.
Google sends you all your information requested in a zip file. 100% nothing wrong with that.