Original Post — Direct link

My roommate and I were about to play when he asked me why I was in game already. Super confused, I logged into my account and it immediately tried to load a game, but couldn’t. We checked match history and they had been playing for 10 hours, won every single game on support without duo. But their score didn’t seem insane enough to be smurfing.

I changed my password and kicked the guy off with Riot’s help, but what was his goal? All my RP is in touch. He just gave me LP.

External link →
24 days ago - /u/riotdanhonks - Direct link

This typically happens because your account has been sold without you realizing it. Attackers will grab username and password lists found on the internet and use it to log into League. Sometimes the person buying the account is a little too invested in playing and won't change the password right away (and, if you have a verified email, they can't), and this situation happens.

Any account they get a successful "hit" on, they will note down what that account has, and will then either list it on a website or (more typically) send an announcement on a Discord channel that is filled with people waiting to buy accounts.

The upshot of this is that your username and password is compromised; you probably re-used an old username and password from a website that got hacked. This is very common. You should consider checking out https://haveibeenpwned.com, and more immediately, changing your password and enabling multi-factor authentication on League. Make sure that your email also has a different password to your League account, and ideally has multi-factor authentication on too. You'll get some goodies across all of our games for enabling MFA.

This actually happened to me in 2016. I settled down to have a nice bath after my first week in Los Angeles at Riot, and I got a notification that someone was submitting player support tickets asking for player support to "reset my work email password because I forgot it".

Just so I don't get accused of being too cavalier about this: We continue to investigate ways to better protect players against attackers, but unfortunately, as long as we use usernames and passwords, this is a possibility :(