Hijacking League of Legends Accounts

A tale of stealing from botters/boosters & their win-trading accounts

This material is for educational and research purposes only. Do not attempt to violate the law with any of the material contained here. Do not use this information maliciously. I can not be held responsible for any error or negligence derived therefrom, use at your own risk.

In this post, I'll show you how to rediscover the email of your 8-year-old RIOT account (which you obviously registered with a bullshit email). From a security perspective, ill paint an attack scenario demonstrating the risks of buying RIOT accounts & how someone with malicious intentions could go about hijacking it.

Since the dawn of time, the main way to obtain main and smurf accounts has been from boosting sites. These sites aren't safe. They're full of bugs and their DBs do leak every now and then. From some light scraping, I've identified over ~4ooo RIOT accounts leaked in the wild. Moreover, boosting/account-selling sites historically have really poor security postures. From my experience disclosing vulnerabilities to such sites, they often have a high volume of IDORs. For example, having the ability to see anyone's orders. Not good.

So don't buy accounts. However, if you have bought an account and don't remember the email it's associated with, you're in the shit.

Let's say a hacker has the credentials to the account you bought? What's the worst they can do? They can't change/know what the email is.

This is the attack scenario: I'm a bad guy and I've obtained your riot account credentials. Naturally, the first thing I'd try is to login to Riot's main webpage https://www.riotgames.com. Since the login is a username and password I don't know what email the account is bound to. My goal as a bad guy is to identify the email address associated with the account through Riot's ticketing systems and hope that the password of the account is being reused on the email.

Now, logged in with a hijacked account (I own all of these accounts personally) seen below, you'd want to head over to "Settings".

This will prompt the following window in which you will need to enter the password of the account once more. https://support-leagueoflegends.riotgames.com/hc/en-us/requests

Keep in mind that you need email access to properly perform account authentication to perform a full account takeover by accessing the accounts settings. Here is where you might hit a brick wall. If you're not redirected to the accounts settings page you'll be presented with the following image.

To obtain this code you'll need access to that account's email. Now like me if you've forgotten the email you used to register your account you're pissed off. To my knowledge, besides the way I'm about to show you I haven't found another way to disclose account emails (but I'm sure there are other ways). To obtain the account's email you will need to head over to https://support-leagueoflegends.riotgames.com/hc/en-us/requests. You won't need any 2FA checks or additional information past the username and password of the account.

There might be a chance that the account in question has old tickets dating from years back as seen below.

If not, you will need to create a "General Question" ticket. If you submit any other type of tickets such as a "Ban or Restriction" then that account will be locked by support as those processes seem to require a long list of additional identifying information. It genuinely doesn't matter what you ask here, the only goal is to have the account create a ticket.

Once you have a ticket created since they're using Zendesk simply open the ticket and view the source of the page. At the complete bottom, you'll find the email tied to that League of Legends account.

If you attempt to login to that account's email (depending on the email provider) with your email's password or perhaps the same password as the league account you might get lucky.

Now you have the verification code and you can reclaim control of your account. If you've done this for an account you don't own/created, congratulations, you're now a cyber criminal!

And that's how you go about re-obtaining full access to your league of legends account.

All vulnerabilities discovered in account boosting sites have been responsibly disclosed to the site owners and are remediated. Additionally, all screenshots are from accounts I personally created and own. This is simply to illustrate an attack scenario and to help you recover your account email should you ever happen to forget.

Lastly, this blog is a result of Riot Games suspending my GrandMaster account because I couldn't remember the email tied to that account. While submitting a support ticket to identify my account's email the account was suspended as I couldn't be vetted as the legitimate owner.