Hijacking League of Legends Accounts

A tale of stealing from Chinese boosters & their win-trading accounts.

This material is for educational and research purposes only. Do not attempt to violate the law with any of the material contained here. Do not use this information maliciously. I cannot be held responsible for any error or negligence derived therefrom; use at your own risk.

In this post I'm going to show you how to recover the email to your 8-year-old League account that has a bullshit email, and how someone with malicious intentions could go about hijacking your Riot account.

The main ways to obtain accounts are boosting sites or leaks. From some light scraping I've been able to identify over ~4,000 Riot accounts in the wild. Boosting sites in particular can be quite fruitful due to their poor security and high volume of IDORs. For example, you used to be able to more or less see anyone's orders. This is one of the many ways someone malicious can obtain League of Legends accounts.

Now, with the account's credentials in hand, you'll go ahead and sign into Riot's main webpage, https://www.riotgames.com. Our goal is to identify the email address associated with the account through Riot's ticketing system and hope that the account's password is being reused on that email account. Keep in mind that you need email access to properly complete account authentication and reach the account's settings. As seen below, you'll need the generated security code.

Now that we've logged in, as seen below, you'll want to head over to "Settings".

This will prompt the following window, in which you will need to enter the account's password once more.

Here is where you might hit a brick wall. If you're not redirected to the account's settings page, you'll be presented with the following image instead.

To obtain this code you'll need access to that account's email. If you have forgotten it, you'll have no way of knowing which email that account is tied to. Additionally, the email shown in the image above is truncated. To obtain the account's email you will need to head over to https://support-leagueoflegends.riotgames.com/hc/en-us/requests. You won't need any 2FA checks or additional information beyond the account's username and password.

There is a chance that the account in question has old tickets dating back years, as seen below.

If not, you will need to create a "General Question" ticket. If you submit any other type of ticket, such as "Ban or Restriction", that account will be locked by support, as those processes seem to require a long list of additional identifying information. It genuinely doesn't matter what you ask here; the only goal is to have the account create a ticket.

Once you have a ticket created, and since they're using Zendesk, simply open the ticket and view the page source. At the very bottom you'll find the email tied to that League of Legends account.

And now, if you attempt to log in to that account's email (depending on the email provider) with your email's password, or perhaps the same password as the League account, you might be surprised by the results.

And that's how you go about regaining full access to your League of Legends account.

All vulnerabilities discovered in account boosting sites have been responsibly disclosed to the site owners and have been remediated. Additionally, all screenshots are from accounts I personally created and own. This is simply to illustrate an attack scenario and to help you recover your account's email should you ever happen to forget it.

Lastly, this blog post is the result of Riot Games suspending my GrandMaster account because I couldn't remember the email tied to it. While I was submitting a support ticket to identify my account's email, the account was suspended because I couldn't be vetted as the legitimate owner.