Just a few hours before Team SoloMid was set to take the stage at IEM San Jose on Dec. 6, the team’s website was defaced. What once was one of the most popular places to find guides for League of Legends champions was now replaced with a crude photoshop featuring an enlarged penis, a hedgehog, racist and homophobic slurs, and the hackers’ Twitter handles. (You can see the NSFW image here.)
“It literally took 30 seconds,” one of the hackers, who goes by the alias “Vinnie Omari” and still has access to the site’s servers, told the Daily Dot.
Omari says he wasn’t being malicious. He and a couple friends thought hacking one of the most popular League of Legends sites would be a hilarious way to get back at a “trolling group” they found on Facebook. The defacement also included the Facebook profile pictures of this group’s apparent members, as well as links to their profiles.
The explicit image, which Omari referred to as “his masterpiece,” was removed by SoloMid staff a little more than 20 minutes after it was posted.
The hack quickly gained notoriety on social media. Seemingly endless threads about it popped up on the r/leagueoflegends subreddit until they were ultimately removed by moderators. Community figures tweeted about the hack, all asking the same question: what happened?
Omari and his crew, who go by the name “Null Consolidated,” claim they had access to much more than SoloMid front page. Thousands of usernames and passwords were ready to be stolen, they allege. And getting in was easy. The account data had some basic encryption, but “nothing special.” Null Consolidated had the ability to create and edit any page they wanted—some of which have apparently gone unnoticed, as portions of the hack still remain on the site.
The group does not plan on releasing any account data. Omari did say, however, the site’s forum users should probably change their passwords.
“You never know who else is going to try what we did for the lols.”
In our first conversation on Dec. 6, Omari said he had no bad intentions, and planned to report his exploit to the SoloMid staff. He was, he said, an ethical hacker who always reported his exploits after a little bit of fun. On Dec. 22, however, Omari claimed in an email that he still had access to the SoloMid servers. He later proved this by editing a page on the site, which he passed along to the Daily Dot.
He said he no longer has plans to report the exploit. “I’m a little too busy [in real life],” he said.
And of course, he doesn’t get anything out of reporting the exploit. Team SoloMid hardly has the deep pockets of Riot Games, the League of Legends developer, whose “bug bounty” program rewards reporting exploits with hard cash. Omari claimed a friend recently received $7,500 for bringing an exploit to Riot’s attention.
“I mean we’re not hackers, we’re more on the security side,” Omari said. “This was just a little bit of grey hat fun.”
Andy “Reginald” Dinh, SoloMid’s owner, did not respond multiple requests for comment. Team SoloMid hasn’t commented on the matter and hasn’t publicly asked its users to change passwords following the breach.
Null Consolidated aren’t scared of any legal repercussions that could come from their exploits. Omari jokingly said the group hacks “butt naked,” meaning they don’t take any steps to cover up their tracks.
Team SoloMid’s weak security isn’t an anomaly among professional gaming websites, according to Omari. “The people running these big pro team websites such as Solomid, Curse and Dignitas are monkeys behind computers,” he said. “They don’t know anything.”
More hacks, in other words, may be coming.
Image via Team SoloMid/Twitter