Full Report
In March 2026, the League of Legends custom skins service Divine Skins suffered a data breach. The incident was disclosed via the service's Discord server, where Divine Skins stated that an unauthorised third party accessed part of its systems, deleted all skins from the database and exposed email addresses and usernames. The data also contained a history of purchases made by users.
Analysis Summary
# Incident Report: Divine Skins Database Breach and Data Exfiltration
## Executive Summary
In March 2026, the League of Legends custom skin provider Divine Skins experienced a significant data breach involving an unauthorized third party. The attacker successfully gained access to the service's systems, exfiltrated the personal data of over 105,000 users, and deleted the primary skin database. The incident resulted in the exposure of sensitive user information and significant operational disruption.
## Incident Details
- **Discovery Date:** March 2026
- **Incident Date:** March 2026
- **Affected Organization:** Divine Skins
- **Sector:** Gaming / Digital Assets
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** March 2026
- **Vector:** Unauthorized system access (the specific entry point has not been disclosed)
- **Details:** An unauthorized third party bypassed security controls to access internal systems.
### Lateral Movement
- **Details:** The attacker moved from initial access points to the primary database servers hosting user information and digital assets (skins).
### Data Exfiltration/Impact
- **Data Stolen:** Email addresses, usernames, and purchase histories for 105,800 accounts.
- **Destructive Activity:** The attacker deleted the entire "skins" database, removing the service's core product offerings.
### Detection & Response
- **Detection:** Likely discovered via system failure (missing database) or internal monitoring.
- **Response actions taken:** The organization issued a public disclosure via their official Discord server to alert the community.
## Attack Methodology
- **Initial Access:** Unauthorized access to system infrastructure.
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Likely achieved administrative rights over the database to execute deletion commands.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Not disclosed.
- **Discovery:** Mapping of database structures and user tables.
- **Lateral Movement:** Movement from web/application tier to database tier.
- **Collection:** Targeted user PII (personally identifiable information) and purchase history.
- **Exfiltration:** Transfer of user records to an external location.
- **Impact:** Administrative deletion of the skins database (Data Destruction).
## Impact Assessment
- **Financial:** Loss of purchase records and potential refund liabilities; cost of infrastructure recovery.
- **Data Breach:** Exposure of 105,800 records containing email addresses and usernames.
- **Operational:** Total service disruption due to the deletion of the primary skin database.
- **Reputational:** Public disclosure required on Discord; loss of user trust regarding the security of purchase histories.
## Indicators of Compromise
- **Network indicators:** None disclosed in the public statement.
- **File indicators:** None disclosed.
- **Behavioral indicators:** Unusual administrative commands originating from external or unauthorized internal IPs; bulk `DROP` or `DELETE` statements against production tables; large reads of the user table shortly before the deletion.
## Response Actions
- **Containment measures:** Public disclosure to users via Discord so that exposed email addresses could be treated as at risk of follow-on phishing.
- **Eradication steps:** Clearing unauthorized access tokens and securing system entry points.
- **Recovery actions:** Advised users to change passwords and enable Two-Factor Authentication (2FA).
## Lessons Learned
- **Key takeaways:** Lack of database redundancy or "soft-delete" features allowed the total loss of the skin inventory from a single deletion.
- **What could have been done better:** Implementation of more rigorous access controls (MFA for database admin) and off-site, immutable backups to prevent total loss from data deletion.
## Recommendations
- **Access Management:** Implement Multi-Factor Authentication (MFA) across all administrative panels and server access points.
- **Data Protection:** Maintain encrypted, air-gapped backups of all databases to facilitate rapid recovery after a destructive attack.
- **Least Privilege:** Enforce the Principle of Least Privilege (PoLP) for database service accounts so that the application tier cannot drop tables or delete entire datasets; reserve DDL rights for separately authenticated administrative accounts.
- **Monitoring:** Deploy File Integrity Monitoring (FIM) and database activity monitoring to alert on bulk data exports or deletions.
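The behavioral indicators listed under "Indicators of Compromise" and the database activity monitoring recommended above can be expressed as a small detection rule. The following is an added example, not code from Divine Skins or from the original report; the audit-log line format, the allow-listed DBA host `10.0.0.5`, the `BULK_ROWS` threshold and the sample log lines are all constructed assumptions for illustration. It flags destructive DDL (`DROP`/`TRUNCATE`), `DELETE` statements with no `WHERE` clause, deletes touching a bulk number of rows, and bulk reads of the kind that would precede an export of a user table.

```python
"""Flag bulk deletion and bulk export activity in database audit logs.

Added example (not the service's own code). The log format is an assumed,
constructed one:
  <timestamp> user=<db user> host=<client ip> rows=<rows affected> stmt=<SQL>
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) rows=(?P<rows>\d+) stmt=(?P<stmt>.+)$"
)

ALLOWED_DDL_HOSTS = {"10.0.0.5"}  # assumed bastion host where DBAs are allowed to run DDL
BULK_ROWS = 1000                  # assumed threshold above which a statement counts as bulk

DDL_RE = re.compile(r"^\s*(DROP|TRUNCATE)\b", re.I)
DELETE_RE = re.compile(r"^\s*DELETE\s+FROM\s+\S+(?P<rest>.*)$", re.I | re.S)
EXPORT_RE = re.compile(r"^\s*(SELECT|COPY)\b", re.I)
WHERE_RE = re.compile(r"\bWHERE\b", re.I)


@dataclass
class Alert:
    severity: str
    reason: str
    user: str
    host: str
    stmt: str


def analyze_line(line: str) -> Optional[Alert]:
    """Return an Alert for a suspicious audit line, or None for benign/unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    user, host, rows, stmt = m["user"], m["host"], int(m["rows"]), m["stmt"]

    # Destructive DDL is always worth an alert; it is critical when it does not
    # come from the host DBAs are expected to use.
    if DDL_RE.match(stmt):
        severity = "critical" if host not in ALLOWED_DDL_HOSTS else "high"
        return Alert(severity, "destructive DDL (DROP/TRUNCATE)", user, host, stmt)

    d = DELETE_RE.match(stmt)
    if d:
        # An unqualified DELETE wipes the whole table regardless of row count.
        if not WHERE_RE.search(d["rest"]):
            return Alert("critical", "DELETE without WHERE clause", user, host, stmt)
        # A WHERE clause such as "WHERE 1=1" still deletes everything, so the
        # reported row count is the second line of defence.
        if rows >= BULK_ROWS:
            return Alert("high", f"bulk DELETE affecting {rows} rows", user, host, stmt)
        return None

    # Large reads of a table are the precursor of an export; the application
    # tier normally fetches a handful of rows per request.
    if EXPORT_RE.match(stmt) and rows >= BULK_ROWS:
        return Alert("high", f"bulk read of {rows} rows (possible export)", user, host, stmt)
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run analyze_line over an iterable of log lines and collect the alerts."""
    return [a for a in (analyze_line(line) for line in lines) if a is not None]


# Constructed sample log: ordinary application traffic followed by a bulk
# read of the user table, a DROP, a disguised bulk DELETE and an unqualified
# DELETE from the DBA host.
SAMPLE_LOG = """\
2026-03-10T02:14:07Z user=app_svc host=10.0.2.15 rows=1 stmt=UPDATE skins SET downloads=downloads+1 WHERE id=4412
2026-03-10T02:14:09Z user=app_svc host=10.0.2.15 rows=1 stmt=DELETE FROM sessions WHERE id=991
2026-03-10T02:16:40Z user=app_svc host=10.0.2.15 rows=98000 stmt=SELECT email, username, purchases FROM users
2026-03-10T02:17:02Z user=app_svc host=10.0.2.15 rows=0 stmt=DROP TABLE skins
2026-03-10T02:17:05Z user=app_svc host=10.0.2.15 rows=52000 stmt=DELETE FROM skin_files WHERE 1=1
2026-03-10T02:17:30Z user=dba host=10.0.0.5 rows=0 stmt=DELETE FROM purchases
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(f"[{alert.severity}] {alert.reason}: {alert.user}@{alert.host} {alert.stmt}")
```

Run against the constructed sample, the rule raises four alerts: the bulk read of `users`, the `DROP TABLE skins` from the application host, the `WHERE 1=1` delete caught by its row count, and the unqualified `DELETE FROM purchases`. The routine application queries produce nothing. In practice the row count and host allow-list would be tuned to the service's own traffic, and the alerts would feed a SIEM rather than stdout.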