Medium

Divine Skins Breach Exposes Over 105K User Accounts


Overview

In March 2026, Divine Skins, a third-party service offering custom skins for League of Legends, suffered a data breach that exposed 105,814 accounts. The incident was disclosed via the service’s Discord server, where Divine Skins stated that an unauthorized third party accessed part of its systems, deleted all skins from the database, and exposed user email addresses, usernames, and names. The breach has been reported to Have I Been Pwned (HIBP), allowing affected users to verify their exposure. While no financial data or passwords were confirmed compromised, the exposure of email addresses and usernames creates real risks for account takeover and phishing attacks.

What Was Exposed

The breach exposed three data types: email addresses, usernames, and names.

  • Email addresses are the most immediately actionable - attackers can use them for targeted phishing campaigns, social engineering, or to test against other services in credential-stuffing attacks.
  • Usernames, combined with game-related email addresses, can help attackers build detailed profiles for impersonation or harassment within gaming communities.
  • Names alone are low risk, but in combination with the other data, they make phishing messages more convincing.

Critically, no passwords, payment card data, or financial information were included in this breach. That limits the direct risk of account takeover on Divine Skins itself - but it does not eliminate the danger.

Account Takeover Risks

While passwords were not exposed, the email addresses and usernames are prime fodder for credential-stuffing attacks. Many users reuse passwords across multiple services, including gaming platforms like Riot Games (the developer of League of Legends). Attackers can take the exposed email addresses and try common passwords or credentials leaked from older breaches against Riot’s login system.

If you used the same password on Divine Skins that you use on League of Legends, your game account could be compromised - even though Divine Skins itself didn’t leak passwords. Attackers can also use the email addresses to attempt password resets on other accounts, especially if your security questions are weak or your email account itself is not protected by two-factor authentication.

What to Do Right Now

  1. Change your passwords - especially on any account where you reused the same password used on Divine Skins. If you have a Riot Games account, change that password immediately.
  2. Enable two-factor authentication (2FA) on your Riot Games account and on your email account. This adds a layer of protection even if your email address is compromised.
  3. Watch for phishing emails - attackers may send emails pretending to be from Divine Skins or Riot Games, asking you to “verify your account” or “claim a free skin.” Do not click links in unsolicited emails.
  4. Never reuse passwords - use a password manager to generate unique passwords for each service. Check if your credentials appear in other breaches by searching Have I Been Pwned.
  5. Delete your Divine Skins account if possible, or at least remove any stored payment information.
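For step 4, a password can be checked against known breach corpora without sending it anywhere, using HIBP's Pwned Passwords range API: only the first five hex characters of the password's SHA-1 hash leave your machine, and the match is done locally. The sketch below is an added example, not code from Divine Skins or HIBP; the function names are illustrative and the response body is constructed so that it runs offline.

```python
import hashlib

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def split_hash(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(password):
    """URL to request; it carries only the hash prefix, never the password."""
    return RANGE_URL.format(prefix=split_hash(password)[0])


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines from a range response into a dict."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 35:
            continue  # skip blank or malformed lines
        try:
            counts[suffix.upper()] = int(count)
        except ValueError:
            continue
    return counts


def breach_count(password, body):
    """Times the password appears in the corpus; 0 means not found.

    Padding entries (returned when padding is requested) carry a count
    of 0, so they are indistinguishable from 'not found' here.
    """
    return parse_range(body).get(split_hash(password)[1], 0)


# Constructed response body for the prefix of "password"; counts are made up.
SAMPLE_BODY = "\r\n".join([
    "0" * 34 + "A:0",                      # constructed padding-style entry
    split_hash("password")[1] + ":12345",  # constructed hit
    "F" * 35 + ":7",                       # constructed unrelated entry
])

if __name__ == "__main__":
    print(range_url("password"))
    print(breach_count("password", SAMPLE_BODY))
```

Any non-zero count means the password has appeared in a breach and should not be used on any account.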

How to Check If You’re Affected

You can check if your data was exposed in this breach by visiting Have I Been Pwned and entering your email address. HIBP will tell you whether your email appears in the Divine Skins breach data. If it does, follow the remediation steps above.

For broader context on similar gaming-related data breaches, see our cybersecurity news coverage of credential-stuffing trends in the gaming industry.

Security Insight

This breach highlights a persistent vulnerability in third-party gaming services: they often operate with minimal security resources, yet hold data that can compromise users’ main game accounts. Divine Skins’ disclosure via Discord - without a public email notification or website banner - reflects a casual security culture that leaves users unaware of exposure. Compared to larger gaming breaches like the 2024 Riot Games leak CVE-2024-22718, this incident is smaller in scale but reveals the same lesson: any service that stores your email and username is a potential stepping stone to account takeover on the platform you actually care about.
