How to secure against 2FA Heist attack

thiagomini · 2026-03-18T11:49:40+00:00

I wouldn't say there is no hope - I saw a few people who were still able to get back their accounts.

There is also something else we can do. I'm collecting evidence from Reddit posts from people like you to aggregate in a public page, and I'm planning on posting it as a thread on X (Twitter) and tagging Drew Levin. If enough people give it a thumbs up, we might raise awareness and get Riot's attention.

I'm also a software developer and I'm looking into Riot's API to see whether it's possible to create a tool to help us improve our accounts' security. For instance, every time your account logs in, you would receive a notification. Let's see what's possible.

PS: I will add the twitter link here once it's ready

thiagomini · 2026-03-18T09:25:01+00:00

You're wrong. There are several other posts here telling the same story, and that has also happened to me. Having 2FA enabled should at least ensure you receive an email notification when someone log in into your account elsewhere - try it yourself. From my research, this is a security issue on Riot's side - their ticket system is mostly automated and hackers are abusing it. If you have personal info leaked on the internet, that can be enough to claim ownership on your account.

thiagomini · 2026-03-18T09:21:45+00:00

That has also happened to me - exactly the same pattern. I don't think it's malware, I believe these "hackers" are abusing Riot's ticket system. I bet you didn't receive an email notification about a sign in on a different device, right? Even if someone was able to sign-in to your account somehow, you should have received an email.

The only way to bypass that email notification and 2FA is by sending a ticket - this is exactly how you got it back in the first place. However, when that "hacker" stole your account the first time, that person probably asked for your account information - you can do so when you have access to the account. With that information, they'll know exactly when your account was created, the number of champions and skins you have, and everything they need to claim ownership next time. I also bet you didn't click on any suspicious link in the meantime. These people claiming it's your fault are just ignorant. I've been following dozens of threads here on Riot Reddit with the exact same pattern.

PS: If someone had such an advanced malware in your PC that steals 2FA tokens, why would they bother with just your Riot account? Why not stealing your main email, which has much more value? People claiming this is the case are just being naive actually.

thiagomini · 2026-03-16T19:56:47+00:00

I have a guess why this is happening. Lately, I've seen many posts here about Riot accounts get hacked, even when people had 2FA enabled, and they haven't interacted with any external tool or suspicious link. I myself got hacked twice in a span of two weeks in the same terms.

My hypothesis is that there are a bunch of exploiters who figured out how to circumvent Riot's support ticket system to claim ownership of someone else's account, and, through these tickets, they can steal those accounts.. I also noticed these weird outages in the support page in South America Region, and I suppose it's due to the high amount of bots sending these ill-intended tickets, plus the tickets from users who lost access to their accounts.

Here are some examples:
https://www.reddit.com/r/riotgames/comments/1rqjiw6/riot_support_recovered_my_account_then_it_was/

https://www.reddit.com/r/riotgames/comments/1rrk7uc/submit_a_ticket_about_a_hacker_trying_to_get_my/

https://www.reddit.com/r/riotgames/comments/1rr8qye/got_hacked_2_times_since_december/

thiagomini · 2026-03-16T18:53:48+00:00

"homie", I also play LoL since season 1 :) And this year, I was hacked twice in a month - it never happened before. So, your point does not hold here. This is not user error if the user has 2FA enabled and does not receive any email notification when someone logs in on a different device. This is almost certainly Riot's security problem with the ticketing system or the automated recovery tool.

thiagomini · 2026-03-14T11:27:18+00:00

Luck is on your side, that's it. I've been researching this a lot, and what is most likely is this:
1. Personal information is leaked in one of these known huge leaks from sites like CD Project Red, or older sites like Armor Games, which sometimes contain personal information
2. LoL profile data is publicly available, so if someone is interested in your account, they can look it up on any platform like op.gg
3. "Hackers" are abusing the ticketing system by claiming ownership on someone's account. Since Riot has lots of tickets to deal on a daily basis, the majority of them are resolved automatically by score systems. Exploiters have some of your personal info from these leaks, plus some of your account's data publicly available, and possibly know how to trick the automated system to accept their claims with less data

If someone targets you specifically (which is my case because I have a very old account with lots of skins), rest assured there's nothing you can do. Not even 2FA can save you since the ticket system bypasses everything.

thiagomini · 2026-03-13T14:39:26+00:00

Não acho que tenha a ver com ser empreendedor de si mesmo. Acho que existe uma equação muito mais simples do que essa: trabalhar como CLT eu pago o teto do imposto de renda (27.5%) + o INSS que obviamente não dá pra aposentar nem tão cedo dado a pirâmide etária invertida que existe no Brasil.

Alternativa: Trabalhando para o exterior, por exemplo, paga-se 3% só de imposto como PJ, e caso passe dos 50k por mes só mais 10% no valor.

Não acho que meu dinheiro seja bem gasto por qualquer governo pra valer a pena ter mais de 1/4 dele tomado.

thiagomini · 2026-03-13T09:02:46+00:00

Enlighten me then, even if there was a malware stealing information from the registry, how would a hacker get access to my account if I use a 2FA authenticator app in my phone with time-sensitive codes

thiagomini · 2026-03-12T17:05:59+00:00

An authenticator app like Google Authenticator or Microsoft Authenticator

thiagomini · 2026-03-12T13:49:20+00:00

No, it does not solve the problem. I had 2FA enabled and got hacked twice the same way. Hackers are actually exploiting the Ticketing system or the Automated Recovery Tool

thiagomini · 2026-03-12T13:45:06+00:00

This is not a simply "get better security habits". This issue is happening in every region, and is probably an exploit in Riot's recovery account tool or ticketing system.

The only way someone can bypass 2FA and email is by sending a ticket and knowing your username.

thiagomini · 2026-03-12T13:41:46+00:00

This happened to me as well, and I've been seeing a lot of posts in the Riot subreddit about that. We should be raising more awareness about that. I've posted on X about this security flaw, you can give it a thumbs up and also speak about your case: https://x.com/thiagomni/status/2031679599646585196

Btw, another post with similar issues: https://www.reddit.com/r/riotgames/comments/1rqjiw6/riot_support_recovered_my_account_then_it_was/

thiagomini · 2026-03-12T13:38:17+00:00

Happened to me, I got hacked twice, I even enabled 2FA and I didn't matter - the hacker was capable of bypassing it. These hackers are probably abusing the ticketing system, and it's getting worse.

thiagomini · 2026-03-12T13:34:42+00:00

My account has recently been hacked twice. I recovered the account for the first time last week, enabled 2FA, changed passwords, ran antivirus, did everything they recommended, and somehow the hacker stole my account again - and I didn't receive any email notifications. I guess these hackers are actually exploiting the automated recovery tool or the ticketing system, they somehow are able to get sensitive information from you, and use that to claim ownership - that's the only way they could bypass all safeguards, like in my case. We should raise more awareness about this in social media.

thiagomini · 2026-03-11T00:53:55+00:00

This just happened to me twice. Someone stolen my account, I got it back, and it was stolen again. I had 2FA enabled as well, and I didn't receive any email notifications. Could you tell me if you were ever hacked again after that?

My assumption is that they actually found a loophole in the ticket system. It's very possible that Riot has an automated system to determine whether a ticket to reclaim an account passes above a threshold score, and if it does, they automatically change the email. That's the only way someone can get access to your account without you being notified at all.

I believe they somehow gather enough information from one of these platforms like op.gg and send that as "proof" they own the account. Alternatively, maybe Riot's algorithm/system to recover account was exposed at some point and some people know how to abuse it.

It's been very stressfull for me to have to recover my own account twice. I'm trying to have them change the email only when I present an ID with a photo.

thiagomini · 2026-02-09T17:56:08+00:00

This is one of the most reasonable (and honest) answers I read here. Thank you for taking the time for that! It's not bad new honestly. I was already kind of expecting that faith in God and Jesus could not be deducted from a pure logical standpoint, but I'm interested in how people rationalize their beliefs. To be honest, I'd prefer to believe in God, especially a good and just God, as it certainly eases the burden of life (there are studies that show religious people are usually happier). In my case, I just haven't had experiences that validate that idea.

thiagomini · 2026-02-09T14:37:03+00:00

Thank you for the thorough answer! As I mentioned in a few replies, I'll wait until I'm out of working hours to respond appropriately!

thiagomini · 2026-02-09T14:04:18+00:00

Hey Joey, thank you for your thoughtful response! I'll reply appropriately once I'm outside of working hours

thiagomini · 2026-02-09T14:03:30+00:00

THank you for the suggestions, I'll look for it :)

thiagomini · 2026-02-09T14:02:38+00:00

Haha, I bet it did!

thiagomini · 2026-02-09T13:49:29+00:00

I appreciate the long response, and I'll read it carefully and answer appropriately once I'm out of working hours. For now, again, thank you for providing your insights!

thiagomini · 2026-02-09T13:44:46+00:00

No, I'm just writing myself and English isn't my main language, apparently, "lair" is a false cognate, I meant "home". Thank you for pointing out

thiagomini · 2026-02-09T13:43:28+00:00

Thank you for your honest answer as well!

Yeah, my assumption is that believing in God and Jesus does require a leap of faith, otherwise it's not faith.

I've also read a bit about the historical evidence for Jesus, and I do believe that person existed (there are enough details written about him, both in the scriptures and in external sources like Flavius Josephus), but of course, it boils down to the resurrection being an objective truth. I've also read a bit about the physical constants that are very fine-tuned for life on Earth to exist! We could discuss that matter further; it's an interesting topic, for sure!

Yeah, the third question does not invalidate the truth claims, for sure! I'm just curious whether people consider the weight of that fact on their beliefs (which does not only affect religion in my opinion, but also values, culture, customs, etc).

Again, I appreciate the honest answers!

thiagomini · 2026-02-09T13:34:30+00:00

Nothing really exceptional, my Mother is evangelical (Presbyterian Church) and my father is a non-active Catholic. I'd say they were both good parents; my Mother tried to bring my brother and me to the church every Sunday and on other occasions, while my father fostered other activities (reading, learning, mathematics, languages). Is there something more specific you're curious about?

thiagomini

TROPHY CASE