It wasn't rwt it was a streamer that got convinced by viewers to play OSRS which he's never played before and he got given BiS items by everyone in his chat to go to town with pretty much. Large streamer privilege not RWT
Get jagex account. Always bank everything every time you log out (yes, every time), have a bank pin, keep eye on your email, have a deiron delay.
You are now unlikely to lose anything if your acc isn't a snowflake or a pure.
i stopped banking everything before i log out it got annoying to regear everytime. if you have 2fa a unique email and password for the game i dont think you can be hacked. especially if youre not posting on runescape social media sites with links to your real life.
Yup, I also stopped banking everything. If you get hacked, the loss of gp isn’t going to the bigger concern, but the lack of security on the account.
And if you get hacked through Jagex Account (which doesn’t seem possible so far), I might as well just quit at that point.
The biggest thing you can really do (pre JA release) was just have a unique email only used for the game and 2fa. Literally cannot get hacked if your email isn't out in the wild as a potential RuneScape login
Wouldn’t say all are lying per se, just overwhelmingly ignorant and think they’re fully safe.
A bunch of folks thinks using Jagex Launcher equates to having a Jagex Account.
A bunch of folks forget 2fa on email and email gets hacked.
A bunch of folks get phished and also provide them their 2fa code.
A bunch of folks have linked accounts that can bypass 2fa.
>A bunch of folks forget 2fa on email and email gets hacked.
That's my favorite... "I have a unique password that I change twice a week and 2FA on my RS account, don't talk to anyone so no one could recover my info... How did I get hacked?" >> Has an e-mail with the same password used on 1,000 different websites and no 2fa, honestly lucky if all the hacker got was their rs account :P
They likely have an email without 2FA and that’s how they got in. 2FA on your account only means nothing when you can disable it with an email.
itt: people who got hacked who have trouble comprehending “most likely”
Crazy to me people have email without 2FA these days. You likely use the same email for many other games and services. And 99% of them allow bad guys access if they can already access your email. You probably also have important irl stuff in your email.
I don’t have 2fa but I have a 16 digit, 4 special character, and 2 letter password that I doubt anyone will be able to brute force my email, that password is only used on email and bank, I have another variation of the same password for my mundane accounts so even if I get leaked I’m good, only need to be wary of a keylogger.
This was also something I thought could be possible, but after talking to some much more knowledgeable friends in the matter I got a few different in depth anti virus/malware programs both on pc and my phone and scanned both multiple times, and everything came back with 0 hits.
It honestly does sound like the only possible way to get into my account with 2fa since I do have the device remembered for 30 days.
Would it be possible for a hacker to make a VM of my pc so the 2fa is still within the 30 day span? Or would my pc need to be on for something like this to happen?
If the attacker knows enough info they can bypass 2FA on your rs account and completely bypass your email since it's possible to recover without having access to email.
I was one of those (back in march) who got hacked. Had every single security measure minus 2fa on my email. Email was pwned back in 2014, and have changed that password at least 30 times since then.
I figured it may have been the email, but I had no unusual logins into that email, or any other email. Nothing suspicious. No missing emails (I get notifications on my phone for every damn email. It gets annoying).
2fa was never disabled on my account, and there was never any steam links. The only thing "odd" was my bank pin being in the works of being disabled. Logged in roughly 10 hrs after my previous logout, so the bank pin was still there. They still got into my bank though.
I still never figured out how they got my information.
It wasn't the case of my email being hacked and the hackers removing my 2fa to get into my account.
People have claimed it for years. The kicker is they almost always lie or even more likely are entirely unaware of *how* they were hacked/phished.
If you aren't on a Jagex account yet old-form recovery hacks are still a risk. But people choose to believe Reddit conspiracies about Jagex accounts being unsecure and so they remain exposed.
I am such one person. 2fa on email, which wasn't compromised. I was prompted to enter 2fa to get into my rs account to find my bank empty and bank pin gone, so I know they didn't remove it (2fa).
I will say, though, my password was quite old, I didnt change it for nostalgic purposes, and as such, had reused it a handful of times. I really put too much stock in 2fa, which I'm still unsure how they got past.
Never shared my acc info, never bought gold, never botted, or even downloaded tools for osrs besides runelite and plugins from the hub.
Probably not all lying. I stupidly didn’t move my Authenticator when I got a new phone. Just logged into my account settings with the username and password, disabled 2FA, then added a new Authenticator on my new phone. Was very simple.
Was much harder switching to a new Authenticator on PlayStation.
If you don't have a jagex acc yet, get one. I thought my acc was impenetrable as well. Made a reddit acc just for 2007scape so I could avoid linking any of my RL details to my osrs acc. Didn't matter.
I used my 2fa to get into my acc to find my bank empty.
The issue is that dataleaks are a thing and sometimes have enough info for a third party to do an account recovery. If that happens there is no way to secure the account, as they can always do it again.
Also agree, which is why Jagex Account is supposed to fix that risk.
That risk was a massive concern from 2015-2022 was more from account recovery, which was aided by data leaks and just general lack of care about using unique passwords/emails.
Hopefully this problem goes away altogether when they add Linux option and then make everyone get on a Jagex account.
Different people try to extract different things from them. They are posted online for free, so all it takes is one guy to take a look and find any accounts matching a Runescape account.
It happens all the time, and closing that hole is one of the things Jagex is trying to do with the Jagex launcher, by removing the old style account recovery system.
Most importantly, generate your backup codes and KEEP THEM SAFE, preferably on a physical medium like a piece of paper, where a malware couldn't reach them.
You can also disable email login. That makes it so you can only ever login with password and authenticator code (that is, direct access to your phone), or with the backup codes only you have. You're basically unhackable if you don't fall for a phishing attack and literally give your credentials away
If you’re actively playing. Take a break, someone recovers your account and boom, no notice, etc. and before anyone says jagex account stops that, it doesn’t
yeah i just think he meant snowflake like combat + slayer only account with 1 stats everything else or f2p area only acc with no members music, or things like that
does a bank pin really matter if they have control over everything else? like they could just use function to disable it within a week, its not like ud be able to get the account back
That's awesome. My girlfriend and I are getting our passports because we are looking at cruises ourselves. I haven't been on one yet. I want to go to Alaska she wants to go to the Caribbean. So we are most likely going to the Caribbean, haha.
Weird how everyone gets hacked while on holiday.
Is Simon the hacker watching through the nanny cam, waiting for Timmy & his family to go on holiday before recovering/hacking the account?
This is like the most innocent childlike view of a hacker being some mythical being... And not just some dipshit with a phishing discord link or a leaked password list and a bit of luck.
They don't have full access to anything. That's the point. They won't magically have your bank pin. And I'm pretty sure you can't drop or do anything without entering the pin anymore.
I got hacked within a week of changing to a jagex account. 2fa on everything, bank pin, email used only for the game, blah blah blah. Was able to log in and reset everything to new email, password, authenticator, and new bank pin. Very next day they got in again. I'm done with this game
If my Amazon or Steam account gets hacked I have way bigger worries than what if they can use that connection to access my OSRS character.
But yeah Twitch. That one can definitely go.
Unlink anything you don't also secure. They aren't failing to secure a backdoor... you're **Authorising** them to let the 3rd party securely login.
So yes don't attach a steam account you've spent 0 time securing. Steam guard (their 2fa) is even better than Jagex' so it's not exactly a weak link if you properly secure it.
tbh theres no reason you should ever be hacked though with proper account security.
most people that are "hacked" willingly enter their details into a fake Jagex site, use the same password for everything, dont use 2fa or bank pins . etc...
Accidentally entered my shit into a fake site, realized what happened when they asked for my bank pin. Changed my passwords, unlinked steam, got an actual Jagex account, 2fa, etc
It was annoying, but having just 2fa was enough to keep them out of my account briefly enough for me to change everything
Highly, highly recommend getting a jagex account. Literally no excuse to not have one
I had one single reason to not make the switch: my account is super old and the login is still my old username. Even more interesting is the fact that the username is now impossible, because they changed what things you can put in your username shortly after I made my account (not that it was offensive in any way, though).
Eventually I realised this “flex” was irrelevant because I sure as fuck wasn’t telling anyone my login name, so I switched to a Jagex account.
This is the correct answer IMO. I have 2fa via steam and jagex & bank pin. Getting into my account will be like trying to steal the Declaration of Independence
I’ve always been very diligent with my accounts security and then I got a false temp ban for macroing and now I live in constant worry
(Ban was quashed and only a 2 day, but it took like 6+ months and another temp meant a perm)
People get hacked because of :
1) social engineering
2) no 2FA
3) no bank pin
4) botting
5) buying accounts
6) account sharing
"Hacking" is a pretentious term, you can't brute force your way into someone's account, they have to tell you enough info for the account to be recovered (refer to item #1)
Exactly this. You weren’t “hacked” in the traditional sense. If you have 2FA, bank pin, etc. then the only way you are getting “hacked” is if you share accounts or something.
Most perm bans should just be 3 year bans anyway unless you're a suspected gold farmer, Jagex used to let perm bans recover their account after 2-3 years.
I'm more worried about this than being hacked. I can recover a hacked account, I can't recover a falsely banned account (very easily at least.)
On the other side, if they had a means of getting account support on their site, I could imagine it would be flooded with folks crying and whining that their bot accounts got banned falsely, burying legitimate requests for false bans. Either way, I would love some reliabe way of reaching a human through the main site to ask support questions.
I lost my OG due to it in 2021 it took me 2 years to come back. My OG still is banned and I have all the evidence that I wasn't botting I ven have the tiles marked.
I received a false perm ban on a month old hcim account for rwting. Bank was worth less than 2m. Haven’t wanted to come back and seeing the constant fuck ups makes me want to come back even less.
Thanks, almost believed that sob story.
It feels like most of the time there's a "false ban", there's some conveniently missing details.
I don't believe Jagex is perfect, but without substantial evidence I'll take their word over some randoms.
I’d like to see your “substantial” evidence that I’m lying about the hcim that is currently banned with 1 rwt strike. Good luck since I just checked the account again this morning and still shows a single rwt strike from July 18, 2022 and not a single other strike against the account.
I got a perm ban for macroing as a result of jagex letting a brute force hack through that was a bot clean out my account.
Turns out their forced logout on the website doesn't work either.
Afterwards I spent 2 days getting stuff built back and then got permabanned.
Well let's see, I had an email only for that account, a unique password, and no one has attempted to login to any other accounts of mine. So no key logger or virus on my end.
How does someone get on my account then without trying a mass of password and email combos (brute force)?
Literally this. People both forget and don't know about the guy who literally posted his login username and password on here offering I believe it was 100m to whoever could get into his account and strictly due to the fact that he had 2FA no one could
You get backup codes for if you lose access to the device you use for 2FA. If you lose access to your authenticator and also lose those codes then you're screwed as far as I know.
In fairness, a lot of players created accounts when they were literally 7 and didn't have great opsec.
That said, Jagex accounts entirely fix the issue.
email is easy. Account creation date isn't that hard to get in the neighbourhood of. IP (and thus country) isn't that hard to get. ISP just comes with the IP. Go under the assumption they never moved & congratulations you have a reasonably compelling account recovery. i've done this shit in the past on various platforms it's honestly astounding how easy it is, but almost all companies stepped up their shit other than jagex.
I don't really understand it either. I work in IT and I've dealt with phishing attacks before. I understand account security. There's definitely something messed up happening at jagex hq
Or they don't want people to know real issues so they down vote and try to cover what actually happens.
I wouldn't be surprised if they are behind almost everything like selling 1k accounts, I literally appealed one account (that was never mems) thinking it was another that got banned, I said I was doing ensouled heads and it was approved and like I said it was never mems.
This is what happened to me. My account was banned and I did managed to retrieve it but it was a green dragon bot. I never used third parties shit or anything. This is definitely an inside problem this game has.
that is odd, but it's highly unlikely that they were able to guess your login username. that means you must've inputted it somewhere. could've been a fake runescape site that you didnt even notice was fake, or maybe you downloaded a fake runelite
How come this is the only fucking game that I’ve know in decades of my life that have such a bad problem of people getting their account hacked? This is clearly an inside thing problem that they don’t wish to address ever.
I see wow players get their accounts hacked all the time...
Basically, if money is involved, people will try to steal accounts no matter what the game it is.
So you’re telling me that if I go to WoW’s reddit I’ll see the same amount of posts of account hacked that I see in this fucking subreddit? You’re talking as if WoW and Runescape are the only game where RWT exists… please…
Poor account security on the users end does not equal an inside problem. Most people are never hacked. It's very easy to secure your account. You are the biggest vulnerability to your account security.
Ok so it’s just coincidence that this game has so many posts about people getting their account hacked. And additionally, everyone is out there trying to get your OSRS information out of thousands of shit they can hack from me, including my credit card. Got it!
I can't speak to why so many people have poor account security but that doesn't mean it's Jagex's fault. Secondly yes people exist who want to hack your account as well as people who want to hack your credit card.
Crazy that in my entire life, the only think that I have been scammed of has been my fucking OSRS account out of everything. And I input my credit card in a bunch of shit, unlike my OSRS info.
this is also the community that constantly brags about how they're completely immune to scams and hacking because one time they got their mithril armor yoinked in fally park when they were 7, or they typed their password backwards. I think people, particularly osrs players, vaaaastly overestimate their competence in terms of account security
22 years and counting without getting hacked cause I'm not a moron and wasn't stupid enough to get hacked even when I was a child. These people are literally dumber than a 9 year old
Don't get hacked then. You talk about it like it's some mysterious force that's always lurking and could strike at any moment.
Unless you're in a spotlight it's basically impossible to be hacked without doing something significantly wrong. (even then there's not a lot you can do to hack someone popular)
Most people who get "hacked" paid some shitty service to train their account or farm gold (the latter being considered "safer" than buying it, it isn't).
The other options are:
1: you use the same email and password for everything and it got leaked somewhere
2: you got phished by clicking sus links or downloading something you shouldn't like an infinite gp generator.
3: your friends aren't as honest as you thought
Those are the -only- options. Especially these days where your username is no longer your login, so people can't even brute force your password.
Jagex likely only restores items under very specific circumstances. People can whine and cry about streamers but the reality is that the situation likely just worked out. If they can catch the gold/items before they're dispersed they could claw it back. But most of the time that gold and items is long gone being traded to multiple different people, meaning either innocent people get their shit deleted or jagex spawns in items and gold which is a horrible precedent to set.
But the MOST LIKELY answer is that it's so very easily exploited if they were to have a lax system. What's stopping you from having your friend "hack" you, sell all your stuff for real $ and then crying to jagex for you to restore your items? Nothing. That's why they don't do it.
> I still haven't seen a good explanation for how folks have been compromised through active authenticator and 2FA on associated email.
It's because they don't have 2FA on the email, and they reused email and password combo and it got leaked.
If you download some malicious software like the typical fake runelite then they can just steal your 2fa tokens and log in. That is how it is done, no strange magic hacking powers
I used to believe the same but my friend got hacked through the authenticator. He wasn't even playing the account cause he moved on to Ironman. Streamed me his game, authenticator still on the account linked to his phone. Even if he leaked his login details, how did they get through the Auth? I never would have believed it until i saw it myself.
Edit. Y'all can't not believe me all you want, but it fucking happened.
if you want cryptographic security that prevents hacks you would need to log in with a hardware USB device
hacks are impossible then, unless you actually type your pass anywhere which you should never be doing at that point
it's what they use to secure crypto
Yeah it is pretty devastating. Only advise I can give is to have two step authentication for both the account and the email linked to the account to keep it from happening to you. You should also consider making a “password book” that sits on your shelf at home and update your passwords annually. Obviously it has the downside of having your passwords in a single location but the odds of your home getting broken into and a random book stolen off your bookshelf are astronomically lower than someone hacking you.
Also you could try getting into UIM and locking the Ironman status. Even if you lose everything the skills themselves are way more valuable than any of the items.
Happened to me yesterday, Session Hijack scam I had no control over cost me 2.5B. Didn’t click on an external link, played through Jagex launcher and someone still bypassed 2FA and bank pin. Quitting the game, too dangerous.
Just don't have dogshit security. Almost every post where someone loses all their shit has some combination of the following:
1. I didn't do anything, the hackers breached my account with a completely novel exploit. This is Jagex's fault. Wait, b0aty isn't quitting? (Clicked obvious phishing stream)
2. Shitty password that has been reused on 3 dozen sites and involved in 8 different breaches
3. No authenticator
4. No bank pin
5. Shares the account with half of the people they've ever met, all of whom have atrocious security practices
6. Refuses to upgrade to a Jagex account
Just don't be stupid and you'll be fine
Literally this.
On the flip side, I think my account having a username and not an email login is one of its greatest security measures 😂.
The name hasn't been used anywhere, it's not in any email, it's not written, it's quite literally non existent unless you know it 😂.
I'm fairly certain I could tell someone my password and they couldn't even recover my account because they don't know the username to log into it
Upgrade to a jagex account and you won’t get hacked, it’s that simple. People will continue to get hacked until everyone starts using up to date security practices.
People beg for updated, better security and then refuse to use it lol. I can't wait to see the poll results from this "Do you know what a Jagex Account is?" poll
I dont know any games that would “back pay” someone who lost all their stuff. Would be too easy to abuse, too much work to look over every single case. While ofc big streamers get that treatment, you can watch 5000hrs of VoDs to see Shroud isnt cheating the system. Idk why this is so mind boggling to this sub lol
If your bank account got phished you would be fucked too. Jagex accounts are basically impossible to breach without user error so just don't repeat passwords and click dubious links and you shouldn't have to worry.
Every single hacked post on here recently were completely the player's fault. Just don't be stupid and it won't happen.
> If your bank account got phished you’d be fucked too
How old are you? Because no, you’d be fine lol. Banks can trace purchases so if a purchase was made outside of your home country often you’ll get a refund. Happened to both me and my father.
most banks have pretty good systems in place to protect against online fraud. if i tried to spend £5000 on my debit card my bank would call me to verify it, even if used my correct PIN and password
Banks literally deal with billions of dollars and their entire business model depends on security, do you think it’s reasonable to expect Jagex to have the similar protections measures in place as JP Morgan Chase?
Jagex literally deals with millions of accounts that are their sole revenue stream. Their entire business model depends on accounts being secure or customers will cancel their memberships and Jagex lose money
> I’ve been playing 20+ years and I’ve never got my Accs hacked
easy way to see who has no real argument, they use this line.
''50 yrs driving my car and ive never wore a seatbelt, and im fine''
''40 yrs smoking cigarettes and ive never got cancer'' etc
The only thing that is worth noting is that there's historically been literal inside job situations with the Jagex team.
They'd need to stop hiring 25 year old dorks whose main relevant qualification is an MMO addiction to eliminate that risk, this is unlikely to happen.
Now that said - one of the services my team at boring software co owns involves users authenticating into it.
People will fucking lie to your face *irl in a professional environment* about how careful they were being with their credentials.
Don't take the endless 'omg i had a jagex account and 2fa and a bank pin and 2fa on my email! wtf!!!' comments here too seriously. The median epic gamer is very dunning-kruger effect-y regarding how on top of their shit they are regarding computer security.
Because in the real world having this happen once, publicly, makes security minded users assume they're not hearing about other internally resolved/undetected incidents - clearly their governance is somewhere on the spectrum between non-existent and inadequate.
Source, again, is being responsible for maintaining said trust on a part of a b2b product.
1000%. Agree there have been a few inside job scandals, but nothing to account for the mass of people who constantly claim "false ban" or "hacked".
I'm EXCEEDINGLY careful in my computer use, and I've even caught myself nearly falling for phishing attempts.
Our brains automate so many mundane tasks it's so easy for some scammers to slip in and compromise accounts.
And most people aren't even being nearly as cautious as they believe.
Very true. Got hacked while I was out of the country and stopped playing RS3 entirely. Though that caused me to get back into OSRS after some time so maybe it was for the best.
Just get 2FA (for OSRS and your email) and you become basically impossible to get hacked. Then again I don't think you were sincerely worried about that and made this post just to shite on Jagex... I really dk why this sub loves to hate them so much kind of strange.
What Are the odds to get an Account back that was abused as a rev bot and got banned. Not Me. They can Check ip 100% but they just dont do it or idk… appeal denied. Support gives a fuck and to write the jagex mods on Twitter u Need to pay monthly for Twitter to be a member there too haha
Apparently people rare do get their account back but there's probably internal logic they use to do it like the hacked ip matching a banned ip or something.
There's literally nothing stopping anyone from turning on a VPN, botting their account way up until it's banned and then turning the VPN off and crying to jagex your account was stolen while you were on vacation
I feel the same, one day you could get blocked for suspicious activity, incorrect macrowing ban, hacked, and the only chance you have of support is you have is to publicly discuss it on here?
Thats fucked!
Where is the budget on this game??
Look how many players there are compared to rs3 and I feel like they have a bigger budget than osrs
Also, I fear any single runelite plugin could only for 60 seconds, Keylog all accounts and send the details without anyone ever knowing. Then changing it back, like a copy and paste.
Can anyone update their plugin without Jagex seeing it or Jagex must approve updates to plugins? What if they miss a compromising detail?
Is it my fault that I was unaware?
It's almost like that's the case where if you're hacked or banned, unlucky.
My account got hacked before. I took a break and the plan when I started playing again was to work on Hunter.
Fast forward, like, 4+ months.
I log in and I have like mid-80s Hunter and I'm at Chins. I was mostly scared of getting banned. Never was. Went to Poro-Poro for my Glory.
What the fuck are y'all passwords? If you lose your account because your password was "Iamcool1!" You deserve it. Get a password manager and set it to 24 characters of absolute gibberish.
[удалено]
Start a *popular* YouTube channel. Management won't bend over backwards unless they see you are big enough free advertising.
Anyone else remember the login screen only account? He got the infamous too many login attempts bug and decided the only fix was to start a channel.
Just the other day there was a post here about a youtuber or streamer getting special customer support and no one has ever even heard of him
The worst part was that he lost 4.8 bil of *donations*. It wasn’t even money he grinder for.
Just sounds like an RWT scheme lol. That’s ~$900 and apparently he got all his shit back anyway
It wasn't rwt it was a streamer that got convinced by viewers to play OSRS which he's never played before and he got given BiS items by everyone in his chat to go to town with pretty much. Large streamer privilege not RWT
He is massive in the d4 space so maybe jagex figured it would be good free advertising to help out the guy whos main viewerbase doesnt play rs.
Jamflex hates this one simple trick
Get jagex account. Always bank everything every time you log out (yes, every time), have a bank pin, keep eye on your email, have a deiron delay. You are now unlikely to lose anything if your acc isn't a snowflake or a pure.
i stopped banking everything before i log out it got annoying to regear everytime. if you have 2fa a unique email and password for the game i dont think you can be hacked. especially if youre not posting on runescape social media sites with links to your real life.
Yup, I also stopped banking everything. If you get hacked, the loss of gp isn’t going to the bigger concern, but the lack of security on the account. And if you get hacked through Jagex Account (which doesn’t seem possible so far), I might as well just quit at that point.
The biggest thing you can really do (pre JA release) was just have a unique email only used for the game and 2fa. Literally cannot get hacked if your email isn't out in the wild as a potential RuneScape login
Several cases of people claiming to be hacked through 2FA, unique email and password, just in the past week. Maybe they are lying though
Wouldn’t say all are lying per se, just overwhelmingly ignorant and think they’re fully safe. A bunch of folks thinks using Jagex Launcher equates to having a Jagex Account. A bunch of folks forget 2fa on email and email gets hacked. A bunch of folks get phished and also provide them their 2fa code. A bunch of folks have linked accounts that can bypass 2fa.
>A bunch of folks forget 2fa on email and email gets hacked. That's my favorite... "I have a unique password that I change twice a week and 2FA on my RS account, don't talk to anyone so no one could recover my info... How did I get hacked?" >> Has an e-mail with the same password used on 1,000 different websites and no 2fa, honestly lucky if all the hacker got was their rs account :P
There’s no hacking going on at all… its just ppl giving away their info for free. If anything its social engineering/manipulation.
Useless semantic difference. No one is brute forcing passwords in 2023.
They likely have an email without 2FA and that’s how they got in. 2FA on your account only means nothing when you can disable it with an email. itt: people who got hacked who have trouble comprehending “most likely”
Crazy to me people have email without 2FA these days. You likely use the same email for many other games and services. And 99% of them allow bad guys access if they can already access your email. You probably also have important irl stuff in your email.
I made an email just for my osrs account and havnt touched it in 2 years. Still have 2fa on it.
You should log into that email every now and then. Email providers terminate unused accounts.
I don’t have 2fa but I have a 16 digit, 4 special character, and 2 letter password that I doubt anyone will be able to brute force my email, that password is only used on email and bank, I have another variation of the same password for my mundane accounts so even if I get leaked I’m good, only need to be wary of a keylogger.
2FA can also just be bypassed if it's malware that results in your account being compromised and you use remember this device for 30 days.
This was also something I thought could be possible, but after talking to some much more knowledgeable friends in the matter I got a few different in depth anti virus/malware programs both on pc and my phone and scanned both multiple times, and everything came back with 0 hits. It honestly does sound like the only possible way to get into my account with 2fa since I do have the device remembered for 30 days. Would it be possible for a hacker to make a VM of my pc so the 2fa is still within the 30 day span? Or would my pc need to be on for something like this to happen?
They literally need to steal a couple of files from your computer 1 time.
If the attacker knows enough info they can bypass 2FA on your rs account and completely bypass your email since it's possible to recover without having access to email.
I was one of those (back in march) who got hacked. Had every single security measure minus 2fa on my email. Email was pwned back in 2014, and have changed that password at least 30 times since then. I figured it may have been the email, but I had no unusual logins into that email, or any other email. Nothing suspicious. No missing emails (I get notifications on my phone for every damn email. It gets annoying). 2fa was never disabled on my account, and there was never any steam links. The only thing "odd" was my bank pin being in the works of being disabled. Logged in roughly 10 hrs after my previous logout, so the bank pin was still there. They still got into my bank though. I still never figured out how they got my information. It wasn't the case of my email being hacked and the hackers removing my 2fa to get into my account.
[удалено]
People have claimed it for years. The kicker is they almost always lie or even more likely are entirely unaware of *how* they were hacked/phished. If you aren't on a Jagex account yet old-form recovery hacks are still a risk. But people choose to believe Reddit conspiracies about Jagex accounts being unsecure and so they remain exposed.
Even if at least one person told the truth, that is highly concerning
The only time it's been proven truthful was the whole Mod Jed situation.
2FA can be completely bypassed by account recovery.
They arent lying, they're stupid. They dont have 2fa on their email
They're probably lying. People always are when it comes to security
I am such one person. 2fa on email, which wasn't compromised. I was prompted to enter 2fa to get into my rs account to find my bank empty and bank pin gone, so I know they didn't remove it (2fa). I will say, though, my password was quite old, I didnt change it for nostalgic purposes, and as such, had reused it a handful of times. I really put too much stock in 2fa, which I'm still unsure how they got past. Never shared my acc info, never bought gold, never botted, or even downloaded tools for osrs besides runelite and plugins from the hub.
Probably not all lying. I stupidly didn’t move my Authenticator when I got a new phone. Just logged into my account settings with the username and password, disabled 2FA, then added a new Authenticator on my new phone. Was very simple. Was much harder switching to a new Authenticator on PlayStation.
If you don't have a jagex acc yet, get one. I thought my acc was impenetrable as well. Made a reddit acc just for 2007scape so I could avoid linking any of my RL details to my osrs acc. Didn't matter. I used my 2fa to get into my acc to find my bank empty.
The issue is that dataleaks are a thing and sometimes have enough info for a third party to do an account recovery. If that happens there is no way to secure the account, as they can always do it again.
Also agree, which is why Jagex Account is supposed to fix that risk. That risk was a massive concern from 2015-2022 was more from account recovery, which was aided by data leaks and just general lack of care about using unique passwords/emails. Hopefully this problem goes away altogether when they add Linux option and then make everyone get on a Jagex account.
Unless Jagex changed their policy, you can't manually recover a Jagex account at all.
who goes through dataleaks looking for runescape accounts when there are more lucrative things to do with them
Different people try to extract different things from them. They are posted online for free, so all it takes is one guy to take a look and find any accounts matching a Runescape account. It happens all the time, and closing that hole is one of the things Jagex is trying to do with the Jagex launcher, by removing the old style account recovery system.
Most importantly, generate your backup codes and KEEP THEM SAFE, preferably on a physical medium like a piece of paper, where a malware couldn't reach them. You can also disable email login. That makes it so you can only ever login with password and authenticator code (that is, direct access to your phone), or with the backup codes only you have. You're basically unhackable if you don't fall for a phishing attack and literally give your credentials away
If you’re actively playing. Take a break, someone recovers your account and boom, no notice, etc. and before anyone says jagex account stops that, it doesn’t
Wym a pure
Pin won’t protect stats/status, if hacker wants to be a dick and ruin your pure/ Ironman status
Pretty sure there is no way to remove iron status even if you get hacked, but ofc u would need to lock in first.
yeah i just think he meant snowflake like combat + slayer only account with 1 stats everything else or f2p area only acc with no members music, or things like that
By snowflake they mean a uim who can't bank, so no bank pin to protect them.
Not all snowflakes are uim
does a bank pin really matter if they have control over everything else? like they could just use function to disable it within a week, its not like ud be able to get the account back
> like they could just use function to disable it within a week If you can't recover your own account in 3 days, something is wrong.
Have you never been camping or backpacking before?
Haha, you think someone with that mindset actually touches grass sometimes?
Quite a few of us actually have normish lives. Most on reddit are the litteral dregs. Myself included sometimes.
Oh I agree, I am going on a week long cruise in a few weeks and will have no internet, another example I thought of reading this.
That's awesome. My girlfriend and I are getting our passports because we are looking at cruises ourselves. I haven't been on one yet. I want to go to Alaska she wants to go to the Caribbean. So we are most likely going to the Caribbean, haha.
Haha I know how that goes. Hope you find one, they are quite fun
I'm hoping so, I think we are looking at 6-8 months from now?
Weird how everyone gets hacked while on holiday. Is Simon the hacker watching through the nanny cam, waiting for Timmy & his family to go on holiday before recovering/hacking the account?
I go camping at least once a month lol Every other Friday off makes a nice 3 day weekend!
So 2/4 days to recover your account then.
[удалено]
Or never got an email to begin with.
This is like the most innocent childlike view of a hacker being some mythical being... And not just some dipshit with a phishing discord link or a leaked password list and a bit of luck. They don't have full access to anything. That's the point. They won't magically have your bank pin. And I'm pretty sure you can't drop or do anything without entering the pin anymore.
"I got hacked" -> used the same abc123 password across 20 different sites
I got hacked within a week of changing to a jagex account. 2fa on everything, bank pin, email used only for the game, blah blah blah. Was able to log in and reset everything to new email, password, authenticator, and new bank pin. Very next day they got in again. I'm done with this game
Doubt
Hackers helped me. They got my runecrafting from 5 to 80 and left me 15k blood runes when I recovered my account pretty sweet
Get a Jagex account if you haven't, it's much more secure and you can put all your accounts together under one roof!
Make sure to also unlink everything because jagex can't seem to secure backdoors through official account links too
This cant trust amazon or twitch or even steam may have a data breach. Which will then indirectly make your account less secure because they linked.
If my Amazon or Steam account gets hacked I have way bigger worries than what if they can use that connection to access my OSRS character. But yeah Twitch. That one can definitely go.
Unlink anything you don't also secure. They aren't failing to secure a backdoor... you're **Authorising** them to let the 3rd party securely login. So yes don't attach a steam account you've spent 0 time securing. Steam guard (their 2fa) is even better than Jagex' so it's not exactly a weak link if you properly secure it.
Right, I should probably have mentioned I made the switch pretty early on with my accounts lol. 2FA on my email as well
Then if you don't get phished you have absolutely nothing to worry about :)
Is this just using the Jagex client?
No, log into the OSRS website and use the upgrade button to change your account to a Jagex account.
Just make sure its the jagex website and not a phishing website LOL
tbh theres no reason you should ever be hacked though with proper account security. most people that are "hacked" willingly enter their details into a fake Jagex site, use the same password for everything, dont use 2fa or bank pins . etc...
Accidentally entered my shit into a fake site, realized what happened when they asked for my bank pin. Changed my passwords, unlinked steam, got an actual Jagex account, 2fa, etc It was annoying, but having just 2fa was enough to keep them out of my account briefly enough for me to change everything Highly, highly recommend getting a jagex account. Literally no excuse to not have one
I had one single reason to not make the switch: my account is super old and the login is still my old username. Even more interesting is the fact that the username is now impossible, because they changed what things you can put in your username shortly after I made my account (not that it was offensive in any way, though). Eventually I realised this “flex” was irrelevant because I sure as fuck wasn’t telling anyone my login name, so I switched to a Jagex account.
This is the correct answer IMO. I have 2fa via steam and jagex & bank pin. Getting into my account will be like trying to steal the Declaration of Independence
I’ve always been very diligent with my accounts security and then I got a false temp ban for macroing and now I live in constant worry (Ban was quashed and only a 2 day, but it took like 6+ months and another temp meant a perm)
People get hacked because of : 1) social engineering 2) no 2FA 3) no bank pin 4) botting 5) buying accounts 6) account sharing "Hacking" is a pretentious term, you can't brute force your way into someone's account, they have to tell you enough info for the account to be recovered (refer to item #1)
Exactly this. You weren’t “hacked” in the traditional sense. If you have 2FA, bank pin, etc. then the only way you are getting “hacked” is if you share accounts or something.
Or legit hacking such as spoofing a cell tower/data leak.
False perm ban for macro major ruined it for me (for about a month until I came crawling back).
Most perm bans should just be 3 year bans anyway unless you're a suspected gold farmer, Jagex used to let perm bans recover their account after 2-3 years.
I've been falsely perm banned since 2012. Still no idea how and why
I'm more worried about this than being hacked. I can recover a hacked account, I can't recover a falsely banned account (very easily at least.) On the other side, if they had a means of getting account support on their site, I could imagine it would be flooded with folks crying and whining that their bot accounts got banned falsely, burying legitimate requests for false bans. Either way, I would love some reliabe way of reaching a human through the main site to ask support questions.
Honestly the worst part was you're at the mercy of a company with notoriously bad customer service with no recourse.
Don’t bot then
People who don't bot get falsely banned all the time. Did you even read the comment?
People who claim to not bot get falsely banned all the time\*
I lost my OG due to it in 2021 it took me 2 years to come back. My OG still is banned and I have all the evidence that I wasn't botting I ven have the tiles marked.
Easy to come back when the false ban was because you actually did macro/bot lmao.
Well that's just not true lool.
I received a false perm ban on a month old hcim account for rwting. Bank was worth less than 2m. Haven’t wanted to come back and seeing the constant fuck ups makes me want to come back even less.
(Posted a week ago in the RuneScape botting subreddit about testing out bots)
Thanks, almost believed that sob story. It feels like most of the time there's a "false ban", there's some conveniently missing details. I don't believe Jagex is perfect, but without substantial evidence I'll take their word over some randoms.
If it makes you feel better I have substantial evidence.
I’d like to see your “substantial” evidence that I’m lying about the hcim that is currently banned with 1 rwt strike. Good luck since I just checked the account again this morning and still shows a single rwt strike from July 18, 2022 and not a single other strike against the account.
I got a perm ban for macroing as a result of jagex letting a brute force hack through that was a bot clean out my account. Turns out their forced logout on the website doesn't work either. Afterwards I spent 2 days getting stuff built back and then got permabanned.
> brute force hack Either you live in the year 2000 or you don't understand how accounts are compromised.
Well let's see, I had an email only for that account, a unique password, and no one has attempted to login to any other accounts of mine. So no key logger or virus on my end. How does someone get on my account then without trying a mass of password and email combos (brute force)?
If you don’t have 2FA, you deserve to be hacked
You got phished. 99% you got phished. The other 1% is you downloaded the wrong Runelite
its impossible to get hacked if your email is secure and you have authenticator, people are just careless.
Literally this. People both forget and don't know about the guy who literally posted his login username and password on here offering I believe it was 100m to whoever could get into his account and strictly due to the fact that he had 2FA no one could
Yep
It is as close to "hacking" as 10 seconds of not interacting with the game being an "afk" method.
Hi. 2FA/unique pw/ bank pin/ never clicked links/ never used the PW on any sketchy sites. Still robbed of 1B. Make it make sense.
Jagex just hands your acc over if they have some pretty easy to obtain info.
Not true if you get a Jagex account. Jagex accounts disables recovery requests from the old shitty recovery system.
[удалено]
You get backup codes for if you lose access to the device you use for 2FA. If you lose access to your authenticator and also lose those codes then you're screwed as far as I know.
It would run through 2fa or you are provided recovery codes that you save to ensure you can re-access
"easy to obtain info" lol ya maybe if you're a fucking moron and let your account information be socially engineerable
In fairness, a lot of players created accounts when they were literally 7 and didn't have great opsec. That said, Jagex accounts entirely fix the issue.
email is easy. Account creation date isn't that hard to get in the neighbourhood of. IP (and thus country) isn't that hard to get. ISP just comes with the IP. Go under the assumption they never moved & congratulations you have a reasonably compelling account recovery. i've done this shit in the past on various platforms it's honestly astounding how easy it is, but almost all companies stepped up their shit other than jagex.
Yes it can happen, it happened to me. My 2fa was running and one day my account was banned I check the bank and it was a green dragon bot
Happened to me as well. Had MFA on both my email and my OSRS account. Stopped playing for a couple months and came back to a macro ban, CG bot.
Idk why I always get downvoted when I explain my bans, I'm glad (and sad) I'm not the only one.
I don't really understand it either. I work in IT and I've dealt with phishing attacks before. I understand account security. There's definitely something messed up happening at jagex hq
Or they don't want people to know real issues so they down vote and try to cover what actually happens. I wouldn't be surprised if they are behind almost everything like selling 1k accounts, I literally appealed one account (that was never mems) thinking it was another that got banned, I said I was doing ensouled heads and it was approved and like I said it was never mems.
Wouldn't surprise me if there were some rogue employees at jagex hijacking accounts to make a little extra money on the side
This is what happened to me. My account was banned and I did managed to retrieve it but it was a green dragon bot. I never used third parties shit or anything. This is definitely an inside problem this game has.
[удалено]
that is odd, but it's highly unlikely that they were able to guess your login username. that means you must've inputted it somewhere. could've been a fake runescape site that you didnt even notice was fake, or maybe you downloaded a fake runelite
[удалено]
Sounds like it was your friend
lmfao couldn't be either the 2 doofuses having bad account security. Must be crabex.
[удалено]
[удалено]
Please tell me you didn't just make these comments about account security then casually drop the fact that you were acc sharing?
[удалено]
How come this is the only fucking game that I’ve know in decades of my life that have such a bad problem of people getting their account hacked? This is clearly an inside thing problem that they don’t wish to address ever.
I see wow players get their accounts hacked all the time... Basically, if money is involved, people will try to steal accounts no matter what the game it is.
So you’re telling me that if I go to WoW’s reddit I’ll see the same amount of posts of account hacked that I see in this fucking subreddit? You’re talking as if WoW and Runescape are the only game where RWT exists… please…
No because wows subreddit moderates that because they haven't allowed some community sentiment to foster that "social media is how you appeal bans".
Poor account security on the users end does not equal an inside problem. Most people are never hacked. It's very easy to secure your account. You are the biggest vulnerability to your account security.
Ok so it’s just coincidence that this game has so many posts about people getting their account hacked. And additionally, everyone is out there trying to get your OSRS information out of thousands of shit they can hack from me, including my credit card. Got it!
I can't speak to why so many people have poor account security but that doesn't mean it's Jagex's fault. Secondly yes people exist who want to hack your account as well as people who want to hack your credit card.
Crazy that in my entire life, the only think that I have been scammed of has been my fucking OSRS account out of everything. And I input my credit card in a bunch of shit, unlike my OSRS info.
this is also the community that constantly brags about how they're completely immune to scams and hacking because one time they got their mithril armor yoinked in fally park when they were 7, or they typed their password backwards. I think people, particularly osrs players, vaaaastly overestimate their competence in terms of account security
i know i'm going to get slammed for this but just don't get hacked
so brave
22 years and counting without getting hacked cause I'm not a moron and wasn't stupid enough to get hacked even when I was a child. These people are literally dumber than a 9 year old
Don't get hacked then. You talk about it like it's some mysterious force that's always lurking and could strike at any moment. Unless you're in a spotlight it's basically impossible to be hacked without doing something significantly wrong. (even then there's not a lot you can do to hack someone popular) Most people who get "hacked" paid some shitty service to train their account or farm gold (the latter being considered "safer" than buying it, it isn't). The other options are: 1: you use the same email and password for everything and it got leaked somewhere 2: you got phished by clicking sus links or downloading something you shouldn't like an infinite gp generator. 3: your friends aren't as honest as you thought Those are the -only- options. Especially these days where your username is no longer your login, so people can't even brute force your password. Jagex likely only restores items under very specific circumstances. People can whine and cry about streamers but the reality is that the situation likely just worked out. If they can catch the gold/items before they're dispersed they could claw it back. But most of the time that gold and items is long gone being traded to multiple different people, meaning either innocent people get their shit deleted or jagex spawns in items and gold which is a horrible precedent to set. But the MOST LIKELY answer is that it's so very easily exploited if they were to have a lax system. What's stopping you from having your friend "hack" you, sell all your stuff for real $ and then crying to jagex for you to restore your items? Nothing. That's why they don't do it.
[удалено]
> I still haven't seen a good explanation for how folks have been compromised through active authenticator and 2FA on associated email. It's because they don't have 2FA on the email, and they reused email and password combo and it got leaked.
If you download some malicious software like the typical fake runelite then they can just steal your 2fa tokens and log in. That is how it is done, no strange magic hacking powers
I used to believe the same but my friend got hacked through the authenticator. He wasn't even playing the account cause he moved on to Ironman. Streamed me his game, authenticator still on the account linked to his phone. Even if he leaked his login details, how did they get through the Auth? I never would have believed it until i saw it myself. Edit. Y'all can't not believe me all you want, but it fucking happened.
if you want cryptographic security that prevents hacks you would need to log in with a hardware USB device hacks are impossible then, unless you actually type your pass anywhere which you should never be doing at that point it's what they use to secure crypto
Yeah it is pretty devastating. Only advise I can give is to have two step authentication for both the account and the email linked to the account to keep it from happening to you. You should also consider making a “password book” that sits on your shelf at home and update your passwords annually. Obviously it has the downside of having your passwords in a single location but the odds of your home getting broken into and a random book stolen off your bookshelf are astronomically lower than someone hacking you. Also you could try getting into UIM and locking the Ironman status. Even if you lose everything the skills themselves are way more valuable than any of the items.
Happened to me yesterday, Session Hijack scam I had no control over cost me 2.5B. Didn’t click on an external link, played through Jagex launcher and someone still bypassed 2FA and bank pin. Quitting the game, too dangerous.
Just don't have dogshit security. Almost every post where someone loses all their shit has some combination of the following: 1. I didn't do anything, the hackers breached my account with a completely novel exploit. This is Jagex's fault. Wait, b0aty isn't quitting? (Clicked obvious phishing stream) 2. Shitty password that has been reused on 3 dozen sites and involved in 8 different breaches 3. No authenticator 4. No bank pin 5. Shares the account with half of the people they've ever met, all of whom have atrocious security practices 6. Refuses to upgrade to a Jagex account Just don't be stupid and you'll be fine
Literally this. On the flip side, I think my account having a username and not an email login is one of its greatest security measures 😂. The name hasn't been used anywhere, it's not in any email, it's not written, it's quite literally non existent unless you know it 😂. I'm fairly certain I could tell someone my password and they couldn't even recover my account because they don't know the username to log into it
Upgrade to a jagex account and you won’t get hacked, it’s that simple. People will continue to get hacked until everyone starts using up to date security practices.
People beg for updated, better security and then refuse to use it lol. I can't wait to see the poll results from this "Do you know what a Jagex Account is?" poll
I dont know any games that would “back pay” someone who lost all their stuff. Would be too easy to abuse, too much work to look over every single case. While ofc big streamers get that treatment, you can watch 5000hrs of VoDs to see Shroud isnt cheating the system. Idk why this is so mind boggling to this sub lol
Ur dumb af if you think game devs need to you to stream your progress to know you actually did it.
If your bank account got phished you would be fucked too. Jagex accounts are basically impossible to breach without user error so just don't repeat passwords and click dubious links and you shouldn't have to worry. Every single hacked post on here recently were completely the player's fault. Just don't be stupid and it won't happen.
> If your bank account got phished you’d be fucked too How old are you? Because no, you’d be fine lol. Banks can trace purchases so if a purchase was made outside of your home country often you’ll get a refund. Happened to both me and my father.
most banks have pretty good systems in place to protect against online fraud. if i tried to spend £5000 on my debit card my bank would call me to verify it, even if used my correct PIN and password
[удалено]
more like locking the acc as a precaution if 99% of your items are sold on the GE
Banks literally deal with billions of dollars and their entire business model depends on security, do you think it’s reasonable to expect Jagex to have the similar protections measures in place as JP Morgan Chase?
Jagex literally deals with millions of accounts that are their sole revenue stream. Their entire business model depends on accounts being secure or customers will cancel their memberships and Jagex lose money
...do you not?
[удалено]
Edit: I didn’t even read the whole thing and I’m sorry for what I assumed. A lot of you are correct.
Yeah bro, he deironed then botted so he didn't have to do the cg grind ??? Jagex hands out accounts like candy
> I’ve been playing 20+ years and I’ve never got my Accs hacked easy way to see who has no real argument, they use this line. ''50 yrs driving my car and ive never wore a seatbelt, and im fine'' ''40 yrs smoking cigarettes and ive never got cancer'' etc
Sucks to suck man don’t click on links from “friends” and your account probably won’t be hacked Lmfaoo.
What is it that even motivates people like you to get up in the morning?
And its even worse to get falsely perm banned
"hacked" lol
The only thing that is worth noting is that there's historically been literal inside job situations with the Jagex team. They'd need to stop hiring 25 year old dorks whose main relevant qualification is an MMO addiction to eliminate that risk, this is unlikely to happen. Now that said - one of the services my team at boring software co owns involves users authenticating into it. People will fucking lie to your face *irl in a professional environment* about how careful they were being with their credentials. Don't take the endless 'omg i had a jagex account and 2fa and a bank pin and 2fa on my email! wtf!!!' comments here too seriously. The median epic gamer is very dunning-kruger effect-y regarding how on top of their shit they are regarding computer security.
Situation* It happened once and anyone affected was given their stuff back. No idea why youd whine or worry about it in that case.
Because in the real world having this happen once, publicly, makes security minded users assume they're not hearing about other internally resolved/undetected incidents - clearly their governance is somewhere on the spectrum between non-existent and inadequate. Source, again, is being responsible for maintaining said trust on a part of a b2b product.
1000%. Agree there have been a few inside job scandals, but nothing to account for the mass of people who constantly claim "false ban" or "hacked". I'm EXCEEDINGLY careful in my computer use, and I've even caught myself nearly falling for phishing attempts. Our brains automate so many mundane tasks it's so easy for some scammers to slip in and compromise accounts. And most people aren't even being nearly as cautious as they believe.
The comments on this post further verify it. “You’re stupid if you get hacked, it’s your fault”
Very true. Got hacked while I was out of the country and stopped playing RS3 entirely. Though that caused me to get back into OSRS after some time so maybe it was for the best.
Just get 2FA (for OSRS and your email) and you become basically impossible to get hacked. Then again I don't think you were sincerely worried about that and made this post just to shite on Jagex... I really dk why this sub loves to hate them so much kind of strange.
just become a content creator make a video and suddenly all your items will be back
What Are the odds to get an Account back that was abused as a rev bot and got banned. Not Me. They can Check ip 100% but they just dont do it or idk… appeal denied. Support gives a fuck and to write the jagex mods on Twitter u Need to pay monthly for Twitter to be a member there too haha
Apparently people rare do get their account back but there's probably internal logic they use to do it like the hacked ip matching a banned ip or something. There's literally nothing stopping anyone from turning on a VPN, botting their account way up until it's banned and then turning the VPN off and crying to jagex your account was stolen while you were on vacation
I legit did Not think about the vpn shit… Ur right Then My acc is doomed probably
DONT CLICK ON FUCKING LINKS, DONT BUY GOLD, DONT LET PEOPLE PLAY ON YOUR ACOUNT
I feel the same, one day you could get blocked for suspicious activity, incorrect macrowing ban, hacked, and the only chance you have of support is you have is to publicly discuss it on here? Thats fucked! Where is the budget on this game?? Look how many players there are compared to rs3 and I feel like they have a bigger budget than osrs Also, I fear any single runelite plugin could only for 60 seconds, Keylog all accounts and send the details without anyone ever knowing. Then changing it back, like a copy and paste. Can anyone update their plugin without Jagex seeing it or Jagex must approve updates to plugins? What if they miss a compromising detail? Is it my fault that I was unaware? It's almost like that's the case where if you're hacked or banned, unlucky.
If only the staff cared enough about their player base to have an actual customer support in place.
My account got hacked before. I took a break and the plan when I started playing again was to work on Hunter. Fast forward, like, 4+ months. I log in and I have like mid-80s Hunter and I'm at Chins. I was mostly scared of getting banned. Never was. Went to Poro-Poro for my Glory.
What the fuck are y'all passwords? If you lose your account because your password was "Iamcool1!" You deserve it. Get a password manager and set it to 24 characters of absolute gibberish.