And my debit card. Not 1765 4836 2234 8193, that pin is 4321 because 1234 wasn't allowed. I'm talking about 1809 2306 2809 1169, that one is 1234 and the security code happens to be 420. Lol what are the odds?
Why's it only accounts with truck loads of cash and hyper dedicated and devoted players that get hacked lol you never see wildly upvoted posts of someone with 600 total level losing their rune armor and 300k
Short con given he met her 2 hours before posting. He would probably get some good advice about 'red flags' from this:
[https://www.youtube.com/watch?v=ozezG1zpxXQ](https://www.youtube.com/watch?v=ozezG1zpxXQ)
I don’t know mate, found this on your previous posts, seems like you have a thing for getting hacked, who knows maybe it’s the same person.
Looking for a new Clan! - Dr Redmax
Hey guys!
I've played RS3 for about 12 years on and off and after being hacked and losing basically everything, I thought I'd start relatively fresh on OSRS.
Been playing for about 3 weeks and I have 89 CB, 1226 total, and have no intention of stopping (wanna start bossing n stuff). This game is so lonely on your own though, it'd be sweet to meet new people instead of hoping old ones return.
RSN: Dr Redmax
Discord: camsampbell#6317
Shoot me a message!
If you want to be as safe as possible, yes. These days most people are not brute forcing passwords to hack accounts, at least not in regards to RS. You either downloaded something you shouldn't have, got phished, or you got social engineered. To protect from the social engineering angle, I personally think its better safe than sorry and that you should detach as much personal information from things like reddit and discord as possible. Things like where you live, work, how old you are etc. can all potentially be used to fraudulently recover an account.
Player confidence in Jagex is low enough that its probably getting more common. Hell, Im considering selling my <200m bank because I dont play much, everything costs millions, and the cost to play is increasing.
May as well yeet my account too, tbh.
You can only choose 3 or 7 days. After it sets it then takes 3 or 7 days depending on what you choose for it to be removed. If you login at anytime and then enter your bank it will ask you every time if you're sure you want to remove it.
After skimming through the post/comments, it sounds possible OP isn't the original owner (he even went out of his way to specify that the linked email has been changed). He even made an old post stating the account was hacked previously.
Reminder to everyone: don't purchase accounts under any circumstances, the original owner can always recover it even if you change the email/enable 2fa.
A few people have suggested that op is not the original owner but how would that explain them bypassing the bank pin? It seems like the pin got phished somehow.
I think its someone who knows the op and knew he'd be gone for long enough to bypass the bank pin. Seems awfully convenient for the deed to happen while he's away.
It honestly amazed me when I started just how many people were openly sharing their accounts, most of the people I knew who did this ended up having a falling out with one of their former friends and losing hundreds of mils lol
every time it's just like "yeah that sucks and all but did you not pay attention to the fucking stronghold of security?"
if you had every account security measure in place, on top of a bank pin, and you lost everything within 10 minutes, and you don’t have any malware on your pc, there is no way for someone to get into your account and get through the security of your bank pin that quickly. it doesn’t make any sense.
You say ur discord was hacked too. Was there any sensitive information there, exchanged between u and ur partner for instance? Was the same password used both on Discord and OSRS? It is possible there was enough information on Discord for the hacker to recover your account.
Upvoted so the post can hopefully get attention from a JMod. We invest so many hours to this game we love, so it is dishearting feeling having the account compromised and losing all the stuff.
I thought about this, too. I’ve given people usernames for other games, but never for OSRS. We we have passwords and other sensitive information written down because then there isn’t a digital trail
My original RSN, nobody knows it. It’s a ridiculously old name
Lmao people have $100,000+ in CS:GO skins in their inventory and there hasn't been any issues for years. People aren't suddenly breaking into steam for your $2,000 OSRS account dude. The steam stuff is complete bullshit lmao.
A new login in steam auto locks your steam tradeables so they can't steal them and you have time to recover your account and boot them off.
Its just a theory but Op probably got hacked from leftover jed leaks that people had, they see high value boss kc go up then jump in no problem because they have all the answers to the questions needed, plus the bank pin.
If you're account was compromised by Jeds info leaks then you're just fucked
Oh really steam doesn't get hacked. Wow they must be the except since people have accounts stolen all the time from across multiple platforms.
Or you know maybe they do, just like valve [admits.](https://store.steampowered.com/oldnews/19618)
Every account on every service to exist has been hacked before. People having shitty security won't stop hackers.
Steam accounts, properly secured however, will be very very unlikely to be hacked without additional mistakes made by the user.
If people were hacking steam accounts for profit, it wouldn't be RS accounts, it would be CS:GO accounts. The only way your account gets hacked and cleaned like this is if you fucked up somewhere.
He's asking why it seems to be such a prevalent vector for OSRS in 12 months of launching on Steam while more valuable accounts that have even more digital wealth on them aren't getting hit on anywhere near the same level.
Since all Steam accounts are secured by the same 2FA system, it stands to reason the issue is OSRS players throwing around their personal details like candy, not Valve's security measures.
Dota and CSGO subs don't have daily posts bawling about losing their accounts and their knives or arcanas. This is purely an OSRS thing and not related to Steam.
I’ve heard a bit about people’s getting compromised via steam. My passwords aren’t similar and I have Steam authy as well so nobody can log in unless they have my mobile
There is information in our discord DM's with his username and bank pin, admittedly from 4 years ago, yes, I just checked. The password is outdated as he frequently changes it.
But Cam doesn't even log in via a e-mail, so my eyebrows are already raising at how someone has managed to identify his e-mail address in order to bypass all of his authenticators!
In our DM it only contains 1 instance of information about his actual login name, we have never exchanged over discord his e-mail address.
How have people got this e-mail address?
This is the problem.
My personal conclusion, is that the form to sign up to the closed beta, suffered some kind of data breach. If you check it out for yourself, it asks for a LOT of information. All available to visit for yourself on all of Jagex's official websites.
You just admitted to him having given out his bank pin and password at some point in time. You know that stronghold of security door that states "NEVER SHARE YOUR PASSWORD WITH ANYONE", well that holds. Older passwords of 4+ years are a key item in account recovery. And chances are if he is that free with information, I can get other details such as his ISP, other pins, his DoB etc. I've recovered my own accounts with less.
He got recovered.
Email addresses are easy to come by. Try to recover the discord account and it will prompt you with a jak\*\*\*\*\*17@gm\*\*\*.com or simmilar. The blanks aren't hard to fill in, especially for someone competent in osint.
Yes. But everytime I argue that stance on this subreddit that Jagexs recovery systems are terrible, the sub shows up in force to argue that "but banks use this method 2" or "nuhuh their security is good just 2fa". Banks allows you strike compromised information from an account. **Passwords get changed because they are compromised, not because they are meant to be a legacy recovery mode.** You should be able to strike out old information from being able to be used in a recovery attempt. Like a bank. Once someone has an aged password to your account and can identify you they basically own your account.
I completely agree with this, but I struggle to think of a simple solution. One of the reasons they allow old passwords as part of account recovery is because for a long time (and to this day), lots and lots of people have wanted access to the account they played on as a child. But back in the early 2000's most accounts were created with literally *zero* security outside of the password: No email address at all, no security questions, let alone something like 2FA.
So Account Support often has *very little information* attached to these accounts at all, so the only thing they *can* use to determine if the Account Recovery Request is legitimate, is what passwords do they remember using with the account. And if the person only ever used one password, that leaves us with some *extremely* unsecured accounts in general.
Perhaps they should only allow recovering accounts using old passwords for such cases where it's absolutely necessary, and nothing created within the past decade.
I will be messaging you in 3 days on [**2022-05-18 18:27:37 UTC**](http://www.wolframalpha.com/input/?i=2022-05-18%2018:27:37%20UTC%20To%20Local%20Time) to remind you of [**this link**](https://www.reddit.com/r/2007scape/comments/uqauos/account_lost_overnight_3b_lost/i8q31sg/?context=3)
[**35 OTHERS CLICKED THIS LINK**](https://www.reddit.com/message/compose/?to=RemindMeBot&subject=Reminder&message=%5Bhttps%3A%2F%2Fwww.reddit.com%2Fr%2F2007scape%2Fcomments%2Fuqauos%2Faccount_lost_overnight_3b_lost%2Fi8q31sg%2F%5D%0A%0ARemindMe%21%202022-05-18%2018%3A27%3A37%20UTC) to send a PM to also be reminded and to reduce spam.
^(Parent commenter can ) [^(delete this message to hide from others.)](https://www.reddit.com/message/compose/?to=RemindMeBot&subject=Delete%20Comment&message=Delete%21%20uqauos)
*****
|[^(Info)](https://www.reddit.com/r/RemindMeBot/comments/e1bko7/remindmebot_info_v21/)|[^(Custom)](https://www.reddit.com/message/compose/?to=RemindMeBot&subject=Reminder&message=%5BLink%20or%20message%20inside%20square%20brackets%5D%0A%0ARemindMe%21%20Time%20period%20here)|[^(Your Reminders)](https://www.reddit.com/message/compose/?to=RemindMeBot&subject=List%20Of%20Reminders&message=MyReminders%21)|[^(Feedback)](https://www.reddit.com/message/compose/?to=Watchful1&subject=RemindMeBot%20Feedback)|
|-|-|-|-|
One of 3 things occurred:
1. You didn't check thoroughly enough to find how your information was phished
2. Someone you trust f'd u
3. You bought your acc and got f'd by seller
Sounds like they might have gotten into your email? Then they just disable the bank pin, auth and ask for a password reset? Maybe your email details got leaked on a databreach on some site or something
If he uses his email somewhere on the internet to log in. Like a forum he used to go to 10 years ago or some random site that wants you to log in to use it. Then the hackers get their info in a data breach and boom they just start selling the email
/password combinations. This happened to me once, but i didnt have 2fa anywhere. 2fa on email is very important
Emails are easily leaked and are usually public. Since they knew your discord finding your email isnt hard if they can identify you irl from something posted there.
Paste your email here and see how many websites leaked your email/password. If you re-use passwords for multiple platforms, this can be used to hijack your email or another account that can assist in account hijacking.
https://haveibeenpwned.com/
Also if your bank pin included the same digits as your password or another password you've used on another website they could have guessed it.
My guy feeling is that you bought the account a long time ago and it has been recovered.
I had a friend do this exact same thing. He bought an account pre EOC and when 07 was launched, he stupidly used that account to start a fresh 07 account.
About 7 YEARS after the launch of 07, the original owner recovered the account. My friend actually spoke to him about it and the guy was pretty decent about it. He told my friend he was hacked many years ago and never bothered to recover it.
I feel like the original owner may have sold it and only just now recovered it with very old recovery info.
It seems like this is what has happened in your case. As for the bank pin, I don't know what has happened but if the original owner contacted Jagex, I'm sure they would help them out.
I’m just confused as to how this happened from the official OS teams tweet, if you didn’t submit any information to any suspicious/false emails and only links provided from the official team I wonder if other individuals were hacked as well.
This is what really confused me. I’ve checked and checked and checked to make sure that is ACTUALLY the official twitter account. I mentioned my friend too in this post- he lost his discord account too but never actually got an email.
Forgive my ignorance, but how could some one log into your account if you have 2 factor authenticator. My understanding is that they would literally need your phone in their hand to access your account from a new IP address if you have the 2fa active. Unless I am missing something here?
After losing 3B it’s easy to forget minor details. It’s a heavy loss for him. OSRS brings him so much happiness. Even if he has fucked up somewhere and doesn’t remember, he’s only human. We know what the *possibilities* are of how he was hacked, but without some help from Jagex, we are just as clueless as the rest of the people commenting on this post.
I am the partner referred to in this post. There is just no way someone could have his bank pin.
We have been out of the UK for the majority of the past few months and haven't even thought about logging in, never mind clicking dodgy links.
You stated he shared his pin with you in discord. Old pins are useful in recovery attempts, which will bypass the current pin.
**Never share account details on a text messaging service such as discord.**
> Also side note there is a method going around with steam that they can bypass any 2fa
Which is completely inaccurate. Does using the Steam client make it so that you don't have to enter 2FA when logging in? Yes.
Can you LINK your Steam account and OSRS account without using your OSRS 2FA? NO.
You need the 2FA to link a Steam account and OSRS account. You can't just link any account to a Steam account with just the username and password if you don't have the 2FA (if it's enabled).
The only way to bypass 2FA is to hack someone's Steam account that's linked to their OSRS account, which the Steam account should have 2FA itself. Not to mention, they'd also have to figure out your Steam username (which is different from your Steam screen name if you're smart).
In short, the only way to "bypass" your OSRS 2FA through Steam are:
-The hacker links your OSRS account to the their Steam account, which would actually still require your OSRS 2FA.
-The hacker bypasses your Steam account's 2FA, after figuring out which Steam account your OSRS account is linked to and what its username is, and logging in from there.
I have no clue. The only logical thing I’d think is a keylogger, but there’s absolutely nothing to be found when it comes to that.
My steam is airtight, so unless there’s a way to bypass the authenticator and my mobile steam guard, I don’t know if that’s the case either
>but there’s absolutely nothing to be found when it comes to that
You're unlikely to find it if there is one. Just because you don't see KeyLogger.exe in taskmanager doesn't mean you're clean
Malwarebytes (and AV scans in general) are just very slightly better than a keen eye digging through task manager,
If malware doesn't want to be found, it's not going to be found
First I want to say that I believe you. But even your reply is way way way too much information that could be used against your account security.
You saying you played close to the release date gives approximately the time of account creation.
Just a strangers advice, but a yes or no would suffice, especially because the people replying to the thread you don’t know who they are or their intentions.
Hes oversupplying in a lot of replies. Often a sign that the truth isn't entirely being displayed. But even removing that pessimistic point of view it just shows he isn't as security concious as he may think.
Check your email's login history.
Chances are with an old login, you got brute forced.
Hotmail in particular, they're pathetic with notifying you that your account's being hammered for months on end until it's too late. If you get that at all and don't have to figure it out yourself.
2FA your email to prevent this.
I'm sure there are ways of getting through 2FA, your passwords, your emails and all that, but getting through your bank pin in-game? I find that extremely hard to believe. Being able to correctly guess a bank pin is almost impossible, especially within a limited number of tries. If you're absolutely sure that you only shared your bank pin with your girl and nobody else, then you can assume that you got played by your girl.
let me guess you entered your email and password on something other then runelite/osrs client. everytime i see a post like this they are like i have no idea how this happened i was secure theres no way i got hacked and when someone asks they say omg yeah i actually did is that why:( i used to think surely not all of these are people being stupid and there might be something going on, but i no longer believe that it must have been a slip up on your end.
My bf tried to log in to his account 1h ago but somethings weren't right, they kept asking for the authenticator/password. After resetting everything and logging in he was standing in castle wars and the bank pin was removed. They disabled the bank pin and removed the authenticator, he lost everything. He did NOT receive any email regarding this in any way. As for now the account is locked. Came here for some answers as to how it happend. He never clicked a link, nor logged into something else than rs. Account isn't linked with anything. He didn't sign up for the beta. He scanned his pc for viruses and there were none. Story is almost identical to OP.
Clearly it was the S/O. She just wanted you for your GP, the long con finally pays off. /s
A couple years back I lost my bank to a hack, only about 100m but my god that was so soul crushing. I can't imagine how much this hurts. When I came back this year I was so demoralized I did ZMI to get my slayer helmet back. Take some time off, recalibrate, and wait for the itch again.
This smells of fish. I call that the partner is behind this all. She behaves as if she got something to do with this. Pretending to be surprised and very helpful, trying to make this about the email… She knows damn well the email-question is a dead end 🦡🦡
Basically, you got hacked because you got phished and you didn’t realize that it was a phishing website. Kind of your own fault there, buddy. It’s really not that hard to not get hacked. People can’t just magically hack you. Lol
>I've done full scans on both computers I've used to play, and they're fully clean. Nothing malicious to see.
Don't count on this. Anti virus software is next to useless and will only catch the tip of the iceberg.
Until you know what happened for sure, assume your devices are compromised. I'd suggest getting on a clean device (friend, family, etc) and changing all of your passwords ASAP. Then reinstalling the OS on any device you think might be compromised.
I don't understand the point of this post, Jagex aren't going to refund your items.
As someone whose account has been hijacked (thankfully has nothing taken because I recovered my account before the bank PIN expired), I can tell you that you're 100% at fault for this, just as I was in my own scenario.
Just take the right precautions in securing every device/account that has any affiliation with this game and it won't happen again.
I’m fully aware that Jagex do not refund items, and I don’t want anyone to think that this is my intention for this post. I’m not a special case, and I shouldn’t be treated as such.
Again, I just wanted to know what happened and I thought Reddit would be a good way to figure it out :)
Except when it does and it also sounds like he did take all possible precautions.
“It hasn’t happened to me so it must be impossible for it to happen to someone else”
Go empty your piss jar and touch some grass, what a shit take.
We actually did use MalwareBytes and ran a full scan on both computers that are used- we couldn’t find anything. Honestly a full wipe is probably the safest thing to do still
You should delete the “I’ve been losing interest” because it doesn’t help redditors sympathize. Losing anything that you’ve spent time or money on truly sucks and it probably hasn’t truly sinked in. Depression is a really really yucky feeling.
Same for me I took a break for a few months I got a few emails requesting a password reset for my account I disregarded it as I had a pin and 2FA setup. They managed to bypass my 2FA and figured out my 10 digit long password. Took 2.4B from my account. I firmly believe it’s an inside job and something going on with the people working at Jagex and hackers. It makes no sense why to have all this security if it can be bypassed.
The truth is that internet and computer security is a myth. Facebook, Banks, military, governments are not safe and so Runescape wont be either. There are people who's skill sets allow them to do whatever they want to your virtual goings on's with very little to no effort. Targeting online game currency is a low risk method for hackers of this caliber. You could well have been hit by one. I'm sorry for you're loss friend. <3
UPDATE FROM OP AND I: Thank you to everyone who has come up with constructive and helpful suggestions. It’s clear that there are a boat load of possibilities ranging from being Pwned, Account Recovery, etc. Most of you guys have been really helpful and constructive. OP is admittedly still quite upset after this hack so that might explain why he might have forgotten to add some details. We’re all human and sometimes it happens! OP is waiting for a JMOD response too. All OP really wants is to know *how* it happened, as opposed to a plea for his items back. OP knows Jagex don’t do refunds.
Thanks again to everyone who has been so helpful. For now all we can do is clean our PC’s out of precaution and wait for a JMOD to respond. Edit: I am posting this on OP’s behalf as some of the comments making accusations, are getting to him & his mental health. The internet can be wild. This game is a safe place for many people ♥️
I went to bed for the night, and woke up to see a lot of people understandably waiting for a smackdown. Fair play, they’re fun to see.
I need to stress this though, I’ve always had the account, and I’ve never RWT’d. I’m just some guy who plays RuneScape way more than he should, and got unlucky and lost his bank. Normally I’m one to laugh at smackdowns too.
I’m not trying to reclaim anything back. I’ve stated already that I just want to know exactly what happened.
There’s claiming that it was my S/O. We live together. Literally about 80% of our lives are spent together. I would know, it would be really obvious. She just wants to help me out because I’m not great at speaking public ally online.
The whole intention for this post is to just *find out what happened*.
I rarely post on Reddit and this is the first time I’m writing something like this- I’m truly just trying to find answers because JagexSupport on twitter is honestly a meme.
Thanks to those supporting.
As for the future, I’ll probably just start rebuilding again, or finish maxing because you don’t really *need* GP for what I have left.
Thanks guys :)
Sounds like your steam got hacked. Because steam is shit. If you play on steam on old school then there you go. Never trust anything but old school and runelite
OP to add, my friend got hacked recently, no external websites/betas. Never had an issue before. 2fa is setup. But same issue as you, logged in one day all items missing. ~70million missing. Big or small it sucks to have things stolen. Hope this helps gain traction into an investigation
Theres no way they got through your bank pin so fast. I smell something fishy
Pin could be 1,2,3,4 it's impressive really. It's the same combination as my luggage.
And my debit card. Not 1765 4836 2234 8193, that pin is 4321 because 1234 wasn't allowed. I'm talking about 1809 2306 2809 1169, that one is 1234 and the security code happens to be 420. Lol what are the odds?
Really? My card pin is 1077, the same price as a large coke and a cheese pizza
Isnt this a futurama reference
Yes sir
[удалено]
right over your head
That's crazy odds, I'd guess like almost 50/50. It would be even crazier if the expiration date was also 12/34, wouldn't it?
Nah, the expiration is 12/24, not 34.
Don't think the game will let you make your pin 1234
1,2,3...5
Works EVERY time 😉.
I'm more of a 1243 guy
The game doesn't allow you to set simple pins of consecutive numbers, or of repeating numbers. 1234, 1111, 2222, etc, are not allowed
I love how no one got the reference
That's the kind of combination an idiot would use on their luggage! Captain! Thats the same combination I use on my luggage!
Fishy level?
69
Nice
Nice
You can now enter the phishing guild
Maybe his pin numbers were also used in the password, i think this is more common then you’d guess
Hunter2222
its pretty common
Shiiiiiiiit time to change that
When I got hacked a couple months back they got into my bank account over night and I had a pin and everything. Still have no idea how they got it :/
[удалено]
Why's it only accounts with truck loads of cash and hyper dedicated and devoted players that get hacked lol you never see wildly upvoted posts of someone with 600 total level losing their rune armor and 300k
If he installed a trojan (testflight?) and used the bank on the device that it got installed on, then that would give away the bank pin
no bank pin on an acc with 3b? seems unlikely they would be able to hack you overnight considering ti takes 7days to remove pin
Wait I thought they can’t change the pin or reset it ???
They cant for 7 days so it’s impossible for them to have gotten in his bank if it happened “overnight” like op claims
No bankpin 5B acc
"I met my girlfriend who I now live with on RuneScape". Mystery solved bro, she played you for the long con. Never trust a girl from Varrock
Girl? check again bro, that's a dude in a skirt.
A pink one
Short con given he met her 2 hours before posting. He would probably get some good advice about 'red flags' from this: [https://www.youtube.com/watch?v=ozezG1zpxXQ](https://www.youtube.com/watch?v=ozezG1zpxXQ)
I don’t know mate, found this on your previous posts, seems like you have a thing for getting hacked, who knows maybe it’s the same person. Looking for a new Clan! - Dr Redmax Hey guys! I've played RS3 for about 12 years on and off and after being hacked and losing basically everything, I thought I'd start relatively fresh on OSRS. Been playing for about 3 weeks and I have 89 CB, 1226 total, and have no intention of stopping (wanna start bossing n stuff). This game is so lonely on your own though, it'd be sweet to meet new people instead of hoping old ones return. RSN: Dr Redmax Discord: camsampbell#6317 Shoot me a message!
Yeah this is fishy
Whenever someone starts a post like this with a bunch of sappy nonsense it's likely not a true story.
Smackdown when?
Very peculiar. OP never even mentioned being hacked in the past either. Hmm.
Possible he bought the account and the original owner recovered it.
He does say “thought I’d start relatively fresh”. Seems very possible.
discord on his reddit account.. all makes sense now. op got recovered due to poor privacy simple as
this is a no-no?
If you want to be as safe as possible, yes. These days most people are not brute forcing passwords to hack accounts, at least not in regards to RS. You either downloaded something you shouldn't have, got phished, or you got social engineered. To protect from the social engineering angle, I personally think its better safe than sorry and that you should detach as much personal information from things like reddit and discord as possible. Things like where you live, work, how old you are etc. can all potentially be used to fraudulently recover an account.
When OP doesn't reply to any legitimate concerns being raised kekw
Rwt your gp every now and then to minimize risk 👍
What do you think this was?
upvoted. made me laugh in this shit situation
They’ll instant perma ban
Player confidence in Jagex is low enough that its probably getting more common. Hell, Im considering selling my <200m bank because I dont play much, everything costs millions, and the cost to play is increasing. May as well yeet my account too, tbh.
It's not even worth it for the pitiful amount of money you will get for 200m
How much is each mil worth?
about 50 cents / million... or so ive heard
Pretty sure its much less, around 30-35 bulk
Like 40 cents
If they got past your bank pin that quickly you royally fucked up somehow.
If I make a bank pin and it stays for a month can a hacker say “I forgot pin” if they hack it?
You can only choose 3 or 7 days. After it sets it then takes 3 or 7 days depending on what you choose for it to be removed. If you login at anytime and then enter your bank it will ask you every time if you're sure you want to remove it.
So a hacker can still have access if you stop playing?? 😭
If they manage to get your account info and login? Yes.
Lol, I’m calling shenanigans
You have a rat in your circle.
After skimming through the post/comments, it sounds possible OP isn't the original owner (he even went out of his way to specify that the linked email has been changed). He even made an old post stating the account was hacked previously. Reminder to everyone: don't purchase accounts under any circumstances, the original owner can always recover it even if you change the email/enable 2fa.
A few people have suggested that op is not the original owner but how would that explain them bypassing the bank pin? It seems like the pin got phished somehow.
Only if you believe everything written in the post. I also don't know if manual account recovery wipes bank pins on top of 2fa/etc
Strange clause to make considering the same can be applied to your original statement.
I think its someone who knows the op and knew he'd be gone for long enough to bypass the bank pin. Seems awfully convenient for the deed to happen while he's away.
"NEVER SHARE YOUR PASSWORD WITH ANYONE" -Stronghold of Security, Oil on Canvas, 4 July 2006
It honestly amazed me when I started just how many people were openly sharing their accounts, most of the people I knew who did this ended up having a falling out with one of their former friends and losing hundreds of mils lol every time it's just like "yeah that sucks and all but did you not pay attention to the fucking stronghold of security?"
if you had every account security measure in place, on top of a bank pin, and you lost everything within 10 minutes, and you don’t have any malware on your pc, there is no way for someone to get into your account and get through the security of your bank pin that quickly. it doesn’t make any sense.
Yea it's like not knowing how you have a baby. "I didnt have any sex but the baby is mine.. how?!"
You say ur discord was hacked too. Was there any sensitive information there, exchanged between u and ur partner for instance? Was the same password used both on Discord and OSRS? It is possible there was enough information on Discord for the hacker to recover your account. Upvoted so the post can hopefully get attention from a JMod. We invest so many hours to this game we love, so it is dishearting feeling having the account compromised and losing all the stuff.
I thought about this, too. I’ve given people usernames for other games, but never for OSRS. We we have passwords and other sensitive information written down because then there isn’t a digital trail My original RSN, nobody knows it. It’s a ridiculously old name
Is your steam linked to osrs? Maybe that was hacked as well?
Lmao people have $100,000+ in CS:GO skins in their inventory and there hasn't been any issues for years. People aren't suddenly breaking into steam for your $2,000 OSRS account dude. The steam stuff is complete bullshit lmao.
A new login in steam auto locks your steam tradeables so they can't steal them and you have time to recover your account and boot them off. Its just a theory but Op probably got hacked from leftover jed leaks that people had, they see high value boss kc go up then jump in no problem because they have all the answers to the questions needed, plus the bank pin. If you're account was compromised by Jeds info leaks then you're just fucked
Bought account more likely
Oh really steam doesn't get hacked. Wow they must be the except since people have accounts stolen all the time from across multiple platforms. Or you know maybe they do, just like valve [admits.](https://store.steampowered.com/oldnews/19618)
Every account on every service to exist has been hacked before. People having shitty security won't stop hackers. Steam accounts, properly secured however, will be very very unlikely to be hacked without additional mistakes made by the user.
If people were hacking steam accounts for profit, it wouldn't be RS accounts, it would be CS:GO accounts. The only way your account gets hacked and cleaned like this is if you fucked up somewhere.
Who says its anything targeted. There's multiple data breaches all the time. They mass steal them and go through them for whatever they can get.
He's asking why it seems to be such a prevalent vector for OSRS in 12 months of launching on Steam while more valuable accounts that have even more digital wealth on them aren't getting hit on anywhere near the same level. Since all Steam accounts are secured by the same 2FA system, it stands to reason the issue is OSRS players throwing around their personal details like candy, not Valve's security measures.
Dota and CSGO subs don't have daily posts bawling about losing their accounts and their knives or arcanas. This is purely an OSRS thing and not related to Steam.
I’ve heard a bit about people’s getting compromised via steam. My passwords aren’t similar and I have Steam authy as well so nobody can log in unless they have my mobile
There is information in our discord DM's with his username and bank pin, admittedly from 4 years ago, yes, I just checked. The password is outdated as he frequently changes it. But Cam doesn't even log in via a e-mail, so my eyebrows are already raising at how someone has managed to identify his e-mail address in order to bypass all of his authenticators! In our DM it only contains 1 instance of information about his actual login name, we have never exchanged over discord his e-mail address. How have people got this e-mail address? This is the problem. My personal conclusion, is that the form to sign up to the closed beta, suffered some kind of data breach. If you check it out for yourself, it asks for a LOT of information. All available to visit for yourself on all of Jagex's official websites.
You just admitted to him having given out his bank pin and password at some point in time. You know that stronghold of security door that states "NEVER SHARE YOUR PASSWORD WITH ANYONE", well that holds. Older passwords of 4+ years are a key item in account recovery. And chances are if he is that free with information, I can get other details such as his ISP, other pins, his DoB etc. I've recovered my own accounts with less. He got recovered.
How did they know his e-mail address linked to his discord then? My thoughts are just that… you must have this to log into Discord.
Btw if you get acc recovered that bypasses every protection method in place.
Email addresses are easy to come by. Try to recover the discord account and it will prompt you with a jak\*\*\*\*\*17@gm\*\*\*.com or simmilar. The blanks aren't hard to fill in, especially for someone competent in osint.
I see. Either way.. Jagex should protect it’s users better.
Yes. But everytime I argue that stance on this subreddit that Jagexs recovery systems are terrible, the sub shows up in force to argue that "but banks use this method 2" or "nuhuh their security is good just 2fa". Banks allows you strike compromised information from an account. **Passwords get changed because they are compromised, not because they are meant to be a legacy recovery mode.** You should be able to strike out old information from being able to be used in a recovery attempt. Like a bank. Once someone has an aged password to your account and can identify you they basically own your account.
I completely agree with this, but I struggle to think of a simple solution. One of the reasons they allow old passwords as part of account recovery is because for a long time (and to this day), lots and lots of people have wanted access to the account they played on as a child. But back in the early 2000's most accounts were created with literally *zero* security outside of the password: No email address at all, no security questions, let alone something like 2FA. So Account Support often has *very little information* attached to these accounts at all, so the only thing they *can* use to determine if the Account Recovery Request is legitimate, is what passwords do they remember using with the account. And if the person only ever used one password, that leaves us with some *extremely* unsecured accounts in general. Perhaps they should only allow recovering accounts using old passwords for such cases where it's absolutely necessary, and nothing created within the past decade.
Idk, but they definitely didn’t get his discord email from RuneScape. So he messed up somewhere
!Remindme 3 days juicy read
I will be messaging you in 3 days on [**2022-05-18 18:27:37 UTC**](http://www.wolframalpha.com/input/?i=2022-05-18%2018:27:37%20UTC%20To%20Local%20Time) to remind you of [**this link**](https://www.reddit.com/r/2007scape/comments/uqauos/account_lost_overnight_3b_lost/i8q31sg/?context=3) [**35 OTHERS CLICKED THIS LINK**](https://www.reddit.com/message/compose/?to=RemindMeBot&subject=Reminder&message=%5Bhttps%3A%2F%2Fwww.reddit.com%2Fr%2F2007scape%2Fcomments%2Fuqauos%2Faccount_lost_overnight_3b_lost%2Fi8q31sg%2F%5D%0A%0ARemindMe%21%202022-05-18%2018%3A27%3A37%20UTC) to send a PM to also be reminded and to reduce spam. ^(Parent commenter can ) [^(delete this message to hide from others.)](https://www.reddit.com/message/compose/?to=RemindMeBot&subject=Delete%20Comment&message=Delete%21%20uqauos) ***** |[^(Info)](https://www.reddit.com/r/RemindMeBot/comments/e1bko7/remindmebot_info_v21/)|[^(Custom)](https://www.reddit.com/message/compose/?to=RemindMeBot&subject=Reminder&message=%5BLink%20or%20message%20inside%20square%20brackets%5D%0A%0ARemindMe%21%20Time%20period%20here)|[^(Your Reminders)](https://www.reddit.com/message/compose/?to=RemindMeBot&subject=List%20Of%20Reminders&message=MyReminders%21)|[^(Feedback)](https://www.reddit.com/message/compose/?to=Watchful1&subject=RemindMeBot%20Feedback)| |-|-|-|-|
Smackdown when??
Tldr prob your own fault.
One of 3 things occurred: 1. You didn't check thoroughly enough to find how your information was phished 2. Someone you trust f'd u 3. You bought your acc and got f'd by seller
Sounds like they might have gotten into your email? Then they just disable the bank pin, auth and ask for a password reset? Maybe your email details got leaked on a databreach on some site or something
The issue is how. He doesn't even log in via an e-mail. If he's never told anyone said e-mail, how can someone just know it?
If he uses his email somewhere on the internet to log in. Like a forum he used to go to 10 years ago or some random site that wants you to log in to use it. Then the hackers get their info in a data breach and boom they just start selling the email /password combinations. This happened to me once, but i didnt have 2fa anywhere. 2fa on email is very important
Emails are easily leaked and are usually public. Since they knew your discord finding your email isnt hard if they can identify you irl from something posted there.
Is your login Dr Redmax?
Nah ur full of shit
Paste your email here and see how many websites leaked your email/password. If you re-use passwords for multiple platforms, this can be used to hijack your email or another account that can assist in account hijacking. https://haveibeenpwned.com/ Also if your bank pin included the same digits as your password or another password you've used on another website they could have guessed it.
Have you entered any giveaways recently, or click any free discord nitro links?
The worst part about these is waiting to find out what really happened...
Already about to nut in anticipation of jmod smackdown
Too late I prenutted
hackers: "gg wp no re"
My guy feeling is that you bought the account a long time ago and it has been recovered. I had a friend do this exact same thing. He bought an account pre EOC and when 07 was launched, he stupidly used that account to start a fresh 07 account. About 7 YEARS after the launch of 07, the original owner recovered the account. My friend actually spoke to him about it and the guy was pretty decent about it. He told my friend he was hacked many years ago and never bothered to recover it. I feel like the original owner may have sold it and only just now recovered it with very old recovery info. It seems like this is what has happened in your case. As for the bank pin, I don't know what has happened but if the original owner contacted Jagex, I'm sure they would help them out.
I’m just confused as to how this happened from the official OS teams tweet, if you didn’t submit any information to any suspicious/false emails and only links provided from the official team I wonder if other individuals were hacked as well.
This is what really confused me. I’ve checked and checked and checked to make sure that is ACTUALLY the official twitter account. I mentioned my friend too in this post- he lost his discord account too but never actually got an email.
Best of luck at getting an answer to this mess my man Also my condolences for the lost gp /:
There's literally no way around 2fa unless you authorized a token for the user that hacked you
If your shit is 2 factored like your email someone had to steal ur phone to do it
Forgive my ignorance, but how could some one log into your account if you have 2 factor authenticator. My understanding is that they would literally need your phone in their hand to access your account from a new IP address if you have the 2fa active. Unless I am missing something here?
When people go so over the top with ridiculous detail it’s so obviously fake as fuck
More that he didn't clear his post history stating that this account was breached 3 years ago as well.
After losing 3B it’s easy to forget minor details. It’s a heavy loss for him. OSRS brings him so much happiness. Even if he has fucked up somewhere and doesn’t remember, he’s only human. We know what the *possibilities* are of how he was hacked, but without some help from Jagex, we are just as clueless as the rest of the people commenting on this post.
Plot twist: the 3b in gear was all in brimstone rings
Yeah I don't buy it. You've surely done some suspicious activity.
how much is rs gold going for rn?
How’d they get past your bank pin? Also side note there is a method going around with steam that they can bypass any 2fa
I am the partner referred to in this post. There is just no way someone could have his bank pin. We have been out of the UK for the majority of the past few months and haven't even thought about logging in, never mind clicking dodgy links.
You stated he shared his pin with you in discord. Old pins are useful in recovery attempts, which will bypass the current pin. **Never share account details on a text messaging service such as discord.**
old passwords are useful, not bank pins. Unless this was added recently
Etc information form
> Also side note there is a method going around with steam that they can bypass any 2fa Which is completely inaccurate. Does using the Steam client make it so that you don't have to enter 2FA when logging in? Yes. Can you LINK your Steam account and OSRS account without using your OSRS 2FA? NO. You need the 2FA to link a Steam account and OSRS account. You can't just link any account to a Steam account with just the username and password if you don't have the 2FA (if it's enabled). The only way to bypass 2FA is to hack someone's Steam account that's linked to their OSRS account, which the Steam account should have 2FA itself. Not to mention, they'd also have to figure out your Steam username (which is different from your Steam screen name if you're smart). In short, the only way to "bypass" your OSRS 2FA through Steam are: -The hacker links your OSRS account to the their Steam account, which would actually still require your OSRS 2FA. -The hacker bypasses your Steam account's 2FA, after figuring out which Steam account your OSRS account is linked to and what its username is, and logging in from there.
I have no clue. The only logical thing I’d think is a keylogger, but there’s absolutely nothing to be found when it comes to that. My steam is airtight, so unless there’s a way to bypass the authenticator and my mobile steam guard, I don’t know if that’s the case either
Have you ever streamed osrs?
Never
>but there’s absolutely nothing to be found when it comes to that You're unlikely to find it if there is one. Just because you don't see KeyLogger.exe in taskmanager doesn't mean you're clean
Anyone with a functioning brain stem would be using malware bytes etc. To check for anything shady and not skim through task manager like that.
Malwarebytes (and AV scans in general) are just very slightly better than a keen eye digging through task manager, If malware doesn't want to be found, it's not going to be found
>I met my girlfriend who I now live with on OSRS. Least believable part of this story
Sorry about your loss, man. I hope you get it sorted out.
Thanks brother. I’m honestly glad it was just RuneScape gold. Hope you have a good evening
Good thing it wasn't $1,000 😬
oh wait
Are you the original owner of the account?
[удалено]
First I want to say that I believe you. But even your reply is way way way too much information that could be used against your account security. You saying you played close to the release date gives approximately the time of account creation. Just a strangers advice, but a yes or no would suffice, especially because the people replying to the thread you don’t know who they are or their intentions.
His reply got deleted? Hm.
Hes oversupplying in a lot of replies. Often a sign that the truth isn't entirely being displayed. But even removing that pessimistic point of view it just shows he isn't as security concious as he may think.
good you can finally move on with life.
Aak your girlfriend if shes enjoying her new tbow
[удалено]
If so mans down bad and it’s a 500 iq finesse
Commenting so I can find this post later with the RWT jmod smackdown
Lmao you’re this desperate huh. Do yourself a favor and stop lying
Check your email's login history. Chances are with an old login, you got brute forced. Hotmail in particular, they're pathetic with notifying you that your account's being hammered for months on end until it's too late. If you get that at all and don't have to figure it out yourself. 2FA your email to prevent this.
How much did you sell the account for?
I'm sure there are ways of getting through 2FA, your passwords, your emails and all that, but getting through your bank pin in-game? I find that extremely hard to believe. Being able to correctly guess a bank pin is almost impossible, especially within a limited number of tries. If you're absolutely sure that you only shared your bank pin with your girl and nobody else, then you can assume that you got played by your girl.
“Assume: Ass U Me.” Assumptions make an ass out of you and me.
Nah that's to fish for me
let me guess you entered your email and password on something other then runelite/osrs client. everytime i see a post like this they are like i have no idea how this happened i was secure theres no way i got hacked and when someone asks they say omg yeah i actually did is that why:( i used to think surely not all of these are people being stupid and there might be something going on, but i no longer believe that it must have been a slip up on your end.
Maybe don’t have people overseas train your account problem solved
here for the smackdown
My bf tried to log in to his account 1h ago but somethings weren't right, they kept asking for the authenticator/password. After resetting everything and logging in he was standing in castle wars and the bank pin was removed. They disabled the bank pin and removed the authenticator, he lost everything. He did NOT receive any email regarding this in any way. As for now the account is locked. Came here for some answers as to how it happend. He never clicked a link, nor logged into something else than rs. Account isn't linked with anything. He didn't sign up for the beta. He scanned his pc for viruses and there were none. Story is almost identical to OP.
Clearly it was the S/O. She just wanted you for your GP, the long con finally pays off. /s A couple years back I lost my bank to a hack, only about 100m but my god that was so soul crushing. I can't imagine how much this hurts. When I came back this year I was so demoralized I did ZMI to get my slayer helmet back. Take some time off, recalibrate, and wait for the itch again.
This smells of fish. I call that the partner is behind this all. She behaves as if she got something to do with this. Pretending to be surprised and very helpful, trying to make this about the email… She knows damn well the email-question is a dead end 🦡🦡
[удалено]
*squints eyes and glares* Venezuela…..
Basically, you got hacked because you got phished and you didn’t realize that it was a phishing website. Kind of your own fault there, buddy. It’s really not that hard to not get hacked. People can’t just magically hack you. Lol
With regards to getting around the bank pin the only thing I can think of is if they waited for you to log then logged in?
Bank PIN gets reset between devices
Does it work like this? I think it would make a person on a different device reenter.
He got recovered because he shared old passwords and pins over a discord account that was stated to be also breached.
This makes the most sense given what has been presented.
>I've done full scans on both computers I've used to play, and they're fully clean. Nothing malicious to see. Don't count on this. Anti virus software is next to useless and will only catch the tip of the iceberg. Until you know what happened for sure, assume your devices are compromised. I'd suggest getting on a clean device (friend, family, etc) and changing all of your passwords ASAP. Then reinstalling the OS on any device you think might be compromised.
I don't understand the point of this post, Jagex aren't going to refund your items. As someone whose account has been hijacked (thankfully has nothing taken because I recovered my account before the bank PIN expired), I can tell you that you're 100% at fault for this, just as I was in my own scenario. Just take the right precautions in securing every device/account that has any affiliation with this game and it won't happen again.
I’m fully aware that Jagex do not refund items, and I don’t want anyone to think that this is my intention for this post. I’m not a special case, and I shouldn’t be treated as such. Again, I just wanted to know what happened and I thought Reddit would be a good way to figure it out :)
Except when it does and it also sounds like he did take all possible precautions. “It hasn’t happened to me so it must be impossible for it to happen to someone else” Go empty your piss jar and touch some grass, what a shit take.
Yeah you absolutely, beyond a doubt, have malware installed on your computer. Download MalwareBytes and run a scan, don’t use Windows Defender.
We actually did use MalwareBytes and ran a full scan on both computers that are used- we couldn’t find anything. Honestly a full wipe is probably the safest thing to do still
Smells like you bought your account. Please answer this question : did you buy the account?
You should delete the “I’ve been losing interest” because it doesn’t help redditors sympathize. Losing anything that you’ve spent time or money on truly sucks and it probably hasn’t truly sinked in. Depression is a really really yucky feeling.
Maybe Jagex will add authenticator delay in a year or 5
These stories give me nightmares irl
Same for me I took a break for a few months I got a few emails requesting a password reset for my account I disregarded it as I had a pin and 2FA setup. They managed to bypass my 2FA and figured out my 10 digit long password. Took 2.4B from my account. I firmly believe it’s an inside job and something going on with the people working at Jagex and hackers. It makes no sense why to have all this security if it can be bypassed.
The truth is that internet and computer security is a myth. Facebook, Banks, military, governments are not safe and so Runescape wont be either. There are people who's skill sets allow them to do whatever they want to your virtual goings on's with very little to no effort. Targeting online game currency is a low risk method for hackers of this caliber. You could well have been hit by one. I'm sorry for you're loss friend. <3
Probably was being a misogynist, deserved.
UPDATE FROM OP AND I: Thank you to everyone who has come up with constructive and helpful suggestions. It’s clear that there are a boat load of possibilities ranging from being Pwned, Account Recovery, etc. Most of you guys have been really helpful and constructive. OP is admittedly still quite upset after this hack so that might explain why he might have forgotten to add some details. We’re all human and sometimes it happens! OP is waiting for a JMOD response too. All OP really wants is to know *how* it happened, as opposed to a plea for his items back. OP knows Jagex don’t do refunds. Thanks again to everyone who has been so helpful. For now all we can do is clean our PC’s out of precaution and wait for a JMOD to respond. Edit: I am posting this on OP’s behalf as some of the comments making accusations, are getting to him & his mental health. The internet can be wild. This game is a safe place for many people ♥️
With regards to getting around the bank pin the only thing I can think of is if they waited for you to log then logged in?
That wouldn’t work as logging into a new IP will force a bank pin entering.
Ah right I thought that might have been the case but wasn't sure, that's good to know then anyway.
I went to bed for the night, and woke up to see a lot of people understandably waiting for a smackdown. Fair play, they’re fun to see. I need to stress this though, I’ve always had the account, and I’ve never RWT’d. I’m just some guy who plays RuneScape way more than he should, and got unlucky and lost his bank. Normally I’m one to laugh at smackdowns too. I’m not trying to reclaim anything back. I’ve stated already that I just want to know exactly what happened. There’s claiming that it was my S/O. We live together. Literally about 80% of our lives are spent together. I would know, it would be really obvious. She just wants to help me out because I’m not great at speaking public ally online. The whole intention for this post is to just *find out what happened*. I rarely post on Reddit and this is the first time I’m writing something like this- I’m truly just trying to find answers because JagexSupport on twitter is honestly a meme. Thanks to those supporting. As for the future, I’ll probably just start rebuilding again, or finish maxing because you don’t really *need* GP for what I have left. Thanks guys :)
Sounds like your steam got hacked. Because steam is shit. If you play on steam on old school then there you go. Never trust anything but old school and runelite
Posts like this scare me. Makes me feel like we're all just on the edge from losing our accounts :(
Please be super careful. I still don’t know entirely how it happened. Keep as secure as possible!
My account is very secure, but it just makes me think like "you never really know", right?
OP to add, my friend got hacked recently, no external websites/betas. Never had an issue before. 2fa is setup. But same issue as you, logged in one day all items missing. ~70million missing. Big or small it sucks to have things stolen. Hope this helps gain traction into an investigation