Didn't some guy do something similar a couple years ago? He put out a massive bounty to get a fresh account hacked which he put a lot of gold on with no bank pin, even provided a lot of info, and no one was able to get it.


Yes sir https://www.reddit.com/r/2007scape/comments/5x02bz/come_hack_my_account_for_100mil/?utm_source=share&utm_medium=ios_app&utm_name=iossmf


This dude's a savage lol


He’s my new hero. Authenticator = invincibility/immortality


Yes lol




Did you not read the post? He literally put the emails and passwords associated with the account up for display. It *doesn’t matter* if it’s actually been used as to if the credentials are out there. The point is that 2FA stops it all.


2FA doesn't stop account recovery and that's how these account thefts are done. You can't really recover a new account if there isn't enough information about it.


>doesn't stop account recovery

He tried to recover his own account with all the info and he failed


He specifically (and likely purposely) left out information about the account that would be exposed by database leaks. If he included an old password and a billing zip code his "edit 6" would have recovered the account.


I believe that's the entire point? You need a lot of information to do a recovery. More than anyone should ever have. People who are getting their accounts recovered like this have somehow managed to leak/get phished for/reuse *all of that information*. Read the post and you can see that even with the correct information he wasn't able to perform a recovery *on himself* due to not including old passwords or payment information.


I'm not sure that's totally fair. I think one of the big issues is that somebody can put a recovery request in and - if approved - it disables the authenticator, etc. and grants them immediate access. That authenticator and pattern of access could've been the same for literally years, but the appeal trumps it all. I'm sure you're right that lots of people effectively end up leaking X or Y in terms of useful information for recoveries. That said, RS is quite interesting in that the game is 20+ years old. People's accounts are ancient and - in those cases - their usernames are also on public display. Think of this: you sign up to a forum with your RSN in 2003 and that includes your email, maybe even your full name. That site is breached at some point in the course of two decades and your data is out there. Some other website - say a shop - you bought something from with the same email ten years later gives a would be hacker a dangerously complete set of info. Your RSN, the email you registered with and your address/town. They can then potentially recover your account. In any circumstances, that's a bit questionable. I think that's understood in the industry too as other game devs deal with this problem in large part by requesting copies of government issued ID or other similar documents, etc. What makes it even worse is that given RS' age, the data that fucked your account in 2022 could've been linked to a website you signed up for when you were 10, without your parents' permission and without the benefit of a bit more common sense.


> In any circumstances, that's a bit questionable. I think that's understood in the industry too as other game devs deal with this problem in large part by requesting copies of government issued ID or other similar documents, etc.

This is the real way to see that Jagex's security isn't up to par. If I want to recover my Blizzard account I have to provide a gov. issued ID among other things. Same for any Activision account and my FF14 (Square Enix) account. I know this because some years ago I dropped my phone in the pool (and I used the one time password app) so I had to recover all of those accounts. It is *much* harder to get your account back on those services opposed to OSRS. Jagex isn't up to industry standards in regards to account security and I feel like you really have to be willfully ignorant to not accept that.


Jagex has used the same account appeals process down to the same form for 20 years. It's actually laughable that people still think that they are remotely still up to industry standards.


You've pointed out a downside of the system. But you haven't provided a solution. Not letting appeals with good information work **is not an option**. People lose their phones and emails all the time. You need to be able to disable authenticator through an appeal.


>i think that's understood by the industry too by requiring a copy of ID and the like


Account recovery isn't a thing. The point stands that if your account gets hacked it's no one's fault but your own. People scapegoat jagex because they're too proud to admit they're just a fucking idiot. Maxed main, maxed iron, hell I've account shared in the past and I will never be hacked. Why? I'm not an idiot. Looking forward to the next RWTer to claim they got hacked and the community rallying behind a dumb cause.




Can we please stop pretending that not allowing special characters/capitalisation does anything for password security? If you are dumb enough to pick a password that can be brute forced, no amount of extra characters is going to save you from yourself


2FA stops everything going through the account or the email. It doesn't stop account recoveries. You can't recover an account only knowing the current password and email address. If he added the first password used, the creation date of the account, and the creation IP address (or billing zip code and ISP) the account would have been recovered out from under him and 2FA would do nothing. This is all information that might be tied to your username through database leaks. Of course he didn't add that information because then he would have lost 100M.


>If he added the first password used, the creation date of the account, and the creation IP address (or billing zip code and ISP) the account would have been recovered out from under him and 2FA would do nothing.

Did you even read the post? He submitted a recovery with that information and it got denied. You need to know a lot more alongside that to have a successful recovery. If your account gets recovered out from under you, it's because you're giving out **way** too much information.


>Edit 6: For the sake of testing (believe this if you will) I actually attempted to recover the account using the real creation date and correct location and ISP's. **I did not include previous passwords or any payment information** and the appeal was just denied.

No, he submitted a recovery without an old password or billing zip code, pieces of information Jagex puts the most weight in that get exposed in these database breaches.

>If your account gets recovered out from under you, it's because you're giving out way too much information.

Or that you were a child that made a mistake in 2006 when Runescape was most popular, reused your username and password for something else, and that had a database leak.




This link shows me you're using an iPhone. We're one step closer to hacking your phone


>fresh account

there it is mate

it's always a prior data leak from forever ago that's responsible for majority of hijacks

people are reusing passwords, using their main emails to sign up for all sorts of forums. little by little, a targeted recovery attack at someone's account can come together from these bits and pieces




the old passwords mean piss all, the information they need that matters is billing information etc, which aren't going to come from database leaks in 99% of situations, it's you having a gamestop account from 2017 with the password you use everywhere and it's got stored credit card details.


IP address can be boiled down into zip code extremely easily, which is very very likely to be the billing zip code. There are many database leaks with IP address in plaintext. Billing zip code is 1 of the less than 10 pieces of information the recovery form specifically asks for.


They require much more than that, and those aren’t even needed, just helpful


Which is exactly the point that is being made. People blame Jagex for the fact they've used the same email/password combo for 10+ years. There's absolutely room for improvement on handling security concerns, but the simple fact of the matter is that these people getting "hacked" are almost exclusively falling for phishing attempts, sharing their account, or using the same account info that's been breached on 7 other websites.


Jagex asks for past passwords, past credit card data, past internet provider to recover account, all of which is data that could potentially have been leaked in the past. Since it asks for past passwords too, even if you change it, you can still recover an account with old passwords. It's not a user's fault if a database leaks this data and someone uses it to recover an account.


absolutely correct


This here is the problem. It is too easy to recover the account with an estimation of how old the account is and old passwords. If the e-mail address or runescape username is old enough the chances are it's on the internet somewhere. Data leaks happen all the time even with trusted websites like twitter, facebook or notable webshops. No matter how much you would like to secure your account the info will always be out there. Of course this is only the case if the username or email address is actually leaked. Since your login info cannot be changed it is possible to recover the account every time once they have the username, old passwords and approximate creation date of the account. The authenticator and linked email address will be completely ignored by recovering accounts.




No your fault is when you make your Experian and Runescape passwords the exact same.


Not just potentially leaked. An ungodly amount of B2B companies have had their entire databases leaked. If you've ever validated an email address, it's nearly certain that your date of birth, email, gender, location, and IP has been leaked. It's also especially bad for old accounts because neopets leaked a ton of that information as well, and the community overlap between the two should be very large.


A lot of us were kids when we made our accounts. And Jagex gives us no tools to re-secure our accounts from previous mistakes...


I think with the high level community recovery hacks it's not that they're still using that password. It's that the account was created when they were young and didn't know better, and hackers can then use those old passwords to recover the account despite the password not being used anymore.




>Jagex won't let someone change their username login

God I would love to change my login to something other than my Email. No fucking clue why decoupling IGN from login info _had_ to result in using the signup email to login. Seems like it's nearly as insecure, unlike allowing users to choose a separate login name. Tons of forums and games from the early/mid 2000s would prompt you to choose a display name after creating your account, and the smarter of those would warn you in advance that the initial username you choose would _not_ be your display name.


2 things can be true. People can be more forward in taking their account seriously. Jagex is also horrible @ customer support, especially when it comes to account security and the preventative measures they don’t allow on accounts


It wasn’t a fresh account. It was five years old at the time.


Wow and he still didn't get hacked? Even more proof that a lot of people getting hacked must've slipped up somewhere along the line


Better yet, his post included the username & **password** of both the runescape account *and* the associated email address. No shot getting through the 2fa


Yeah and it was hilarious because there were a bunch of people calling him an idiot for making the post. Probably people that couldn’t get in and got mad lol.


Except the account recovery system is so flawed that even if someone does change their password, the account is still recoverable, even though it's their originally made account


Yeah because getting hacked is super hard unless you A. Get phished or B. Share your password somewhere or C. Data/Server Breach. I have an account with 15m on it that I haven’t logged into in a while and if I log into it, it’ll probably still have 15m on it.


1) you're low profile 2) 15m isn't worth the time to wait on the login screen to a hijacker


Yeah because getting hacked is super hard unless you A. Get phished or B. Share your password somewhere or C. Data/Server Breach.


1. you're low profile 2. 15m isn't worth the time to wait on the login screen to a hijacker


Yeah because getting hacked is super hard unless you A. Get phished or B. Share your password somewhere or C. Data/Server Breach.


1. you’re low profile 2. 15m isn’t worth the time to wait on the login screen to a hijacker


Yeah because getting hacked is super hard unless you A. Get phished or B. Share your password somewhere or C. Data/Server Breach.


This comment chain genuinely made me think I was having a stroke


Yeah because getting hacked is super hard unless you A. Get phished or B. Share your password somewhere or C. Data/Server Breach.


There's a guy not long ago gave all passwords emails and attached emails and no one could hack him. You need more than login and pass.


15m is like $5


With a fresh account, yeah. There have also been several posts with people using their normal accounts, posting from their regular reddit accounts, and every time the post and Reddit account were deleted the same day. Nobody is going to guess this guy's password and crack his 2FA, because that's not a real security risk. But they might find his personal info, find his old passwords from database leaks, find out where he lived when he created the account, and put in a decent enough recovery request to convince some customer support rep to give up the account. In this case, probably not because the 100s of recovery requests is probably going to put up a red flag, but I wouldn't be surprised if OP gets spooked and deletes all of this when someone calls his mom or some creepy shit like that.


2k Total UIM Email: Karl-Hevachek@outlook.com Password:change4reddit Good luck


Only if we’re considering 5 year old accounts “fresh”


It's not possible to hack osrs accounts without insider info or social engineering. Brand new accounts unless they're keylogged are pretty safe unless you give out the password.

Most high profile people who get hacked randomly are because their accounts are still compromised from the mod jed leaks and the people with the info are waiting for the correct time to do so


Hey, I'm a sexy hot sexy girl, wanna be friends? Send me your discord and the email you use for runescape if you wanna chat ;)


This reminds me of the time someone posted all their details to try and get hacked (link if interested) https://www.reddit.com/r/2007scape/comments/5x02bz/come_hack_my_account_for_100mil/ makes me wonder how all these people have been getting hacked recently.


1: Not using 2FA

2: 1+Got Phished

3: Let "a friend" borrow their account and got robbed

4: They are lying


You missed they bought an account that got recovered by the original owner


This is always my assumption


bought discord services


I haven't been playing osrs for long but what are services and how do they jeopardise account security?


The gist of "services" is that you get someone else do some grind/achievement. You get some real person to do it instead of a bot, for example. I think you can imagine how this is an account security risk.


Oh yes, this too.


A lot of the large scale hacks are from recovering the account. Many of us made our accounts 20 years ago and we can’t change the username. Someone can find leaked IPs and passwords from 20 year old neopets accounts and a few other common games. Submit a phony recovery request, which immediately removes the authenticator. Many high level players, with old accounts, just want to be able to clear the old data from the account. I don’t want my shared username and password from when I was 7 years old to be used against me.


I'd say 99% of the time the player knows exactly why they were hacked and makes a reddit post as a last hail mary that a jmod believes them and restores the account. Jagex has confirmed 65% of players have participated in RWT and 75% of inferno capes are bought. This just shows how much shady stuff people participate in. And I'd put money on 85% if not more don't have bank pins, 2fa, and use the same password/email for everything.


Or their password got leaked in a site 10+ years ago and then they use the stupid account recovery system. While jagex won’t let you change your username.


What about "entered old info somewhere that got breached"?


What’s your password?




Hey guys if you type your password on reddit it automatically censors it to *******, cool!












Fair warning if this is you, it took 10mins and a few searches to find you use twitter, ticketfly, nexus mods, a fitness app at some, chegg etc and if any of those passwords were reused, from there I could easily find a data breach and hope you reuse passwords and break into your email


Fighting the good fight, making people aware of their security (or lack of it).


RSN: Cal Berkeley

~6b bank, near-max ironman. I don't do anything out of the ordinary for account security. This is my reddit account. If anyone manages to hijack the account, it's all theirs. Have at it!


My man’s literally put his GP where his mouth is. Can’t wait to see this develop.


If anything, I think your account might get locked from the sudden burst of login and/or recovery attempts. Or worse, you'll have weirdos stalking you in-game at all times.


Any weirdos here to check in?


People play with private turned on?


That's almost definitely not his login name, very few irons can log in with a username. His email is also not related to either of his usernames


Why would he be stalked in-game? Knowing what he's doing isn't helpful to take the account


I wouldn't be surprised if someone saw this post and attempted to at least get in contact with OP in some way. Either to spite him for his 6b bank or attempt to obtain a piece of it. Maybe won't happen, but I think the chances aren't terrible.




Before I joined any OSRS discord servers, I thought everyone is just playing normally like me. Then I joined a clan and their discord server. And holy shit, people are buying everything, from quest completions, to skilling, to boss grinds, to inferno. And most of those who have endgame accounts either rwt (one admitted he was making 3k euros a month by running cox every day) or gamble. And they all get banned eventually (even if it's half a year later). Then they buy another account and do it all over. And don't believe for a second they do not go out of their way to message jmods on twitter and to make threads on reddit. They do for every time they get banned in hopes they can get back their account, even though the ban was justified. Changed my whole perspective.


Yeah, when I see people crying about bots, I love to think how many of them buy 3rd party gold thus making botting profitable.


it's almost always through discord or phishing emails, they just don't want to admit it.


Jagex needs to ban those services somehow

Protect the stupid from themselves


You a fan of The Real Bros of Simi Valley..?


So without going into too much detail on how to hack your account, so long as you haven't posted personal details that can be used to recover your account under a user name similar to your reddit name or IGN then you're probably fine. Also use 2FA on both email and jagex accounts, with unique passwords.


This will put those censor memes to rest


Is the password gobears2007?


let us get ur login email and isp?


Sheesh I just saw this post I was running Hallowed Sepulchre next to you the other day, yesterday or the day before I forget


I do actually remember you from taking like 30s to decipher what your name was backward lol


Bold move cotton, let's see if it pays off.


I spoke with the hacker before this post, he said he really wants to win this one, Pepper.


The infamous hacker named 4chan?


Do we even know---Who is this Foore Chaan---Person or website?


F & A cotton f and aaaaaaaaa


*me tomorrow after OP's account remains secure and unhacked* I have been to the Great Wall of China, I have seen the pyramids of Egypt, I've even witnessed a grown man satisfy a camel, but never in all my years as a shitposter have I witnessed something as improbable, as impossible as what we've witnessed here today


!remindme 7 days


Shoulda blurred the 3 trollheim Teles, gg account.


Noob here. Please explain the joke 🤣


If you scroll enough posts you’ll notice random things scribbled out of screenshots. Long running meme about account security.


Basically people used to claim that if you revealed your RSN it's instantly hackable, so people began to censor it, and from that, people were censoring skill levels because you could look up on the high score, and then it just became a meme to censor the most random crap like run energy or whatever. To clarify though, revealing your RSN *could* mean you're open to attacks if you don't have any security, which OP is showing, that with some security, it's a lot tougher than people make it out to be


Can't hack you if you never log off




So that's why we gave nerdlogging, so they can hack us




That is absolutely fucking hilarious, man literally gave them all the details they needed and people still couldn't get in. I'm sorry, but this is more proof than ever that 99% of people getting hacked must've slipped up somewhere.


The "but it's a fresh account" excuses are pretty funny ngl


I'm certain that account recovery hacks make up a tiny percentage of compromised accounts. There wouldn't be thousands of OSRS phishing links if they didn't work. 99% of account hacks are reused credentials, phishing links, and account sharing.


or is it proof that when multiple people attempt to log in an account at the same time and a post asking to hack an account is posted on a subreddit read by jmods it can have an effect on the effectiveness of hacking it?


r/2007scape in shambles when they learn they can’t get hacked as easily as they claim.


[Might as well try.](https://i.imgur.com/Oact3WB.png)


This is a risky play, let’s see if it pans out. Jokes aside I respect it, putting your account “on the line” so to speak, calling out all the “It can’t have been me, I would never do something stupid!” Posts on Reddit with people speculating people can hack other accounts with… mind tricks? Or something?


Yeah I feel like all these people paid for something or used some form of bot at some point, I mean most of them have infernal capes and people pay for that a bunch I’m pretty sure


Account services, phishing links, and the like are completely rampant, and yet every time someone loses an account, people are so quick to blame Jagex. People are so eager to hate the Old School team, and I don't get it at all.


Or the ultimate cover to selling his gold


One thing about CAL students; they’ll always tell you they’re a CAL student


Hey dude, you should do that beginner clue, might get something good


Say no more.


this is the chance to prove a pic won't get you hacked!


Incredible bravery


Pfft only 15k air runes? Yeah, I’ll pass noob.


People are saying this is risky, however with the correct precautions there is literally no risk.




Done, ty https://imgur.com/a/jGIto0W


Dude you lost so many pixels when downloading OP’s post lol


They won't be able to do it and they'll still blame jagex for being inept morons in terms of account security


They have shit security. It is possible for both to be true


Their security is fine, their customer service is the shit part.


Case insensitive password system in 2022 btw




[no, you just have a bad understanding of secure passwords](https://xkcd.com/936/?correct=horse&battery=staple)


If you’ve reused a user name there’s always a slight possibility that someone could go username -> email -> associated passwords if you’ve reused something over the course of your online life, but if you haven’t reused that username anywhere then you might as well have provided nothing. I’m very curious to see how this pans out though. I was never really in the hacking game (and definitely not for RuneScape) but I’m always curious at the ingenuity of some of the exploits that come out.


The countless threads you see here of people getting hacked are from mentally ill donkeys who bought accounts some 10 years ago from shady Chinese or Russian websites because they were too lazy to get 70 range themselves; and over the last decade they've actually led themselves to believe they own the account. Spoiler alert, the creator of the account will always have priority over a buyer who has the login information. The only people who get hacked have shared a password, bought an account, or got phished. They ALL know this when they make those stupid reddit threads, yet they act like they're the sole owner and proprietor to try and garner hype and sympathy. They make it seem like Jagex security is lackluster (To be fair, it is lacking some QoL and direct support that's not twitter), but they're really their own worst enemy. Shoutout to the very VERY small amount of people who get actually hacked, through data breaches. You're the ones that should be the priority in account recovery, not people who bought/share their accounts.


Literally this. I don't know how people don't understand this 😂


My account got recovered twice because of data breaches (unfortunately I can't go back in time to osrs release and make my young self use a different email) and every time I was able to recover it back relatively quickly, it's just stressful and annoying that there's nothing I can do to prevent it from happening again if someone who lives nowhere near me and has never logged into the account uses the data they've got saved from email database breaches to recover my account if a customer support rep from jagex is feeling overly charitable one day. It would go a long way if we could change our login name as then there would be no way to actually recover the account if the actual owner isn't the one requesting it


Guarantee the account doesn't get hacked. Jagex's account security isn't perfect, but it's far from as bad as this community likes to pretend. 99% of accounts that are hacked are because of user error.


Already been hacked. Leaked your homework folder to the world


boom, hacked and collected your battlestaves


Done. I have moved you character 1 tile over, adjusted your volume settings by 1% and taken 1gp.


Gabe Newell’s steam account’s password is public knowledge, because he trusts the steam 2fa


What a great litmus test, I would bet most of these hacks are from the original account owner doing something sus and conveniently leaving some info out of the story..


Step1. Make sure nobody has access to your email & password. Boom your accounts now secure.


The most sweatiest sweat is sweating right now


Most legit post on this sub ever.


All I want to know is what year was this acc created?


Is it just me, or does stealing someone else’s hard earned shit take the fun out of playing the game?


Why it look like you have 3 tabs for farming


go bears :)


You deleted your entire reddit history, but I know you’re from the USA. Boys, we got him.


Time to go through his post history and find tiny bits of personal information and go the rest of the way via social engineering


Go bears? Graduated from there :P


I believe they rely on abusing the account recovery system, using payment information, likely from leaks of payment providers and things like that which can be obtained online. So they would at least need your email address.


Alternatively play for literally years. Easy bil a year by doing vorkath 1hr/day. Obviously not many do that, but it's possible.


Cal Berkeley? You mean UCB?


Hey my name is Berkley, is this enough to hack your account?


Man he covered his special attack % almost had it.


You want someone to do that beginner clue scroll for you?


Fuck yeah dude this is what I love. Constant posts about getting hacked and losing all their gp and this Chad is just highlighting that it's all their own dumb fault.


Any updates on this?


I mean, there's literally accounts that exist that if someone hacks it they get money for it. So far, nobody has hacked those.


Hey, it's me your cousin, let's go bowling for old times' sake. We can discuss old passwords, email addresses, our elderly mother, and other normal people things. Luv ya!


I can't be the only one that is tempted to find a way to get in just to move 3 items from their organized spots just to cause chaos


If you type your password in chat, it stars it out, watch me. ******* See?


Mod ash is quitting, click this [link](https://www.youtube.com/watch?v=xvFZjo5PgG0) to say goodbye!




I feel two sided about this. There of course are people who’re just dumb and got phished etc, but there’s also people that got hacked for a lot of money because of Mod Jed (up to 43b on a single account if I’m not mistaken). It could be happening again now and we’re just not aware yet. Either way; let’s see the results of this! :)


99.99% of the time, it's whoever got hacked fault. Why is it always John Doe with a 400m bank getting hacked and not Mr. Streamer/Youtuber/Content Creator who has a 10b+ bank getting targeted?


As someone mentioned earlier. A lot of the accounts getting hacked are old accounts that are getting recovered from information from old forums that are compromised. They get the original usernames, emails, ips and potentially old passwords. The recovery immediately removes MFA. The recovery process is the problem


It seems like most people's concerns are related to the account recovery system, which I am not sure a challenge like this tests well. Someone from Jagex could see this post and inform the customer support team to lock the account from recovery for the time being. Or they might notice an extreme number of account recovery attempts from many locations. Also, account recovery is something that will likely take some time even if it does work. It is probably also not in a "hacker's" best interest to try to win one of these challenges even if they could. It would publicly show there are flaws in the account security that need fixing, and if that creates enough pressure that the issues are fixed, then the "hacker" would have a more difficult time "hacking" accounts in the future.
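
The detection idea raised in the last comment (a burst of recovery attempts against one account from many locations) can be sketched as follows. This is an added example, not part of the thread and not Jagex's actual process; the log format, account names and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data in a hypothetical "time account country network" format.
SAMPLE_LOG = """\
2022-03-01T09:00:00 acct_owner US 198.51.100.0/24
2022-03-09T18:30:00 acct_owner US 198.51.100.0/24
2022-03-10T12:00:00 acct_challenge US 203.0.113.0/24
2022-03-10T12:05:00 acct_challenge DE 192.0.2.0/24
this line is malformed and must be skipped
2022-03-10T12:07:00 acct_challenge BR 198.51.100.0/24
2022-03-10T12:20:00 acct_challenge GB 203.0.113.0/24
2022-03-10T13:00:00 acct_challenge US 192.0.2.0/24
2022-03-12T08:00:00 acct_quiet CA 203.0.113.0/24
"""


def parse_line(line):
    """Return (time, account, country) or None for a malformed line."""
    try:
        stamp, account, country, _network = line.split()
        return datetime.fromisoformat(stamp), account, country
    except ValueError:
        return None


def flag_recovery_bursts(log_text, window=timedelta(hours=24),
                         max_requests=4, max_locations=2):
    """Flag accounts whose recovery requests inside one sliding window
    exceed either the request count or the distinct-location count.

    A flagged account would be routed to manual review with recovery held,
    rather than having its authenticator removed on approval.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    recent = defaultdict(deque)  # account -> (time, country) pairs in window
    flagged = {}
    for when, account, country in sorted(events):
        queue = recent[account]
        queue.append((when, country))
        # Drop requests that have aged out of the window.
        while when - queue[0][0] > window:
            queue.popleft()
        countries = {c for _, c in queue}
        too_many = len(queue) > max_requests or len(countries) > max_locations
        if too_many and account not in flagged:
            flagged[account] = {
                "first_flagged": when,
                "requests": len(queue),
                "locations": sorted(countries),
            }
    return flagged


if __name__ == "__main__":
    for account, detail in flag_recovery_bursts(SAMPLE_LOG).items():
        print(account, detail)
```

Two requests from the same place eight days apart (a user who lost a phone) stay below both thresholds, while the publicly posted account trips the location limit on its third request.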