According to the site Have I Been Pwned?, over 1.1 million LOTRO accounts were breached in 2013. The site lists the compromised data as dates of birth, passwords, email addresses, usernames, IP addresses and web activity.
After being tipped off by a player, LOTRO Players has been looking into this issue. We currently cannot find any acknowledgement by Turbine that its accounts were breached in 2013, nor can we find any warning from the company to players about the possibility of a breach in 2013.
LOTRO Players has reached out to Turbine for a statement.
There is a forum thread on the issue. Players there seem to disagree on the validity of the breach. The players who think the statement by Have I Been Pwned? is true are upset at Turbine for not notifying them of the possible breach.
Regardless of whether the breach is legitimate, it is always a good idea to change passwords on a regular basis.
For more tips on account security, you can listen to the security episode of LOTRO Academy here.
Update: Some players have suggested that this possible hack is actually the 2011 hack that Turbine talked about at the time. However, some players who checked their email address on the site and were told they had been hacked have contacted LOTRO Players to say that their accounts were created after 2011 and therefore could not have been in the 2011 hack.
It seems likely to me that this data was actually from the forum software breach in October 2011, which Turbine notified us about. (That description matches exactly what was contained in the forum’s user database at the time.) It’s possible the compromised information just wasn’t posted publicly on the internet until 2013.
Looking at the site, it is not just LOTRO accounts but also DDO accounts, 1.6 million in April 2013.
https://haveibeenpwned.com/PwnedWebsites#DDO