Original Post

[removed]

almost 6 years ago - /u/Mod_Stevew

I'm sorry to hear you've had this experience, the wealth that has been removed is not lost on me and I do genuinely appreciate the impact of this hijacking.

That said, there is significant evidence that you have been lax with your account security. For a start, there have been web log ins on your account from 9 various different countries going back to at least 2015. These log ins cross over a number of password changes by the account owner, so it's not a simple case of one password being known, even when the owner changes the pass other countries are still logging in. You could be well travelled, or have a habit of using various VPNs on web access only - but I have to say it looks suspicious.

When you were 'hijacked' the 'hijacker' knew your log in and password, they also knew your recovery email address and the password for that and any 2FA you had on the email address. The account wasn't a malicious recovery via Jagex, the hijacker simply knew the details.

Following the hijacking the owner submitted a recovery request at 09:13 on 24 January, and we dealt with it 19 minutes later and the owner and a new email was set by us at 09:32.

The new email that the owner asked to be set to the account in this recovery request is in itself suspicious; it has been used on 43 other RuneScape accounts, many of which have been hijacked and some of which are linked to the various web log ins I mentioned earlier.

I've asked our security team to review your account and make it more secure if they can, and if you are a genuine victim here then you have my full sympathy. However, the facts we can see, the volume of compromised information and the history of the account do indicate that there could be a bit more to this than it may first seem.

On a side note, I've restored your previous character name to the account.

Thanks for reading.

almost 6 years ago - /u/Mod_Stevew

Originally posted by FeI0n

This is pure speculation, but the appeal that looks like the owner was probably sent from a reverse proxy. Identical IP as owner's + email clearly owned by a hijacker or someone who buys stolen accounts in volume, telling us the owner is likely infected with a RAT. Anyone with sense who cared about their account enough to make a Reddit post wouldn't be stupid enough to recover it to an email they knew would be scrutinized and they apparently had 43 accounts on in the past.

My bet would be the hacker sends appeals using the victim's IP to confirm recovery information before attempting to sell an account.

That is possible, if they also have a lot of info about the account. That is why I used a mixed voice in my comment, and stopped short of blatantly calling it.

almost 6 years ago - /u/Mod_Stevew

Originally posted by TheAdamena

Needing to get a bunch of upvotes on Reddit to get an actual response from the support team? Big yikes from me.

Would you prefer we just ignored it? The user did contact support in the recommended way and we dealt with it in 19 minutes.

almost 6 years ago - /u/Mod_Stevew

Just to clarify the VPN point - there is no issue at all with people using VPNs, and of course people do go on vacation, relocate for college, move home etc. - I was not trying to imply that these sorts of moves cause us any concern.

When reviewing this case, the extensive log ins from various countries just formed part of my assessment of the history of the account, it was also worth noting that all game play was fairly static, but the country variations only applied to web log ins.

It was a contextual observation, and I probably should have used the word 'unusual' rather than 'suspicious' - apologies if I unnerved any VPN users, sleep easy and 'Scape on, your use of VPN is not a concern :)

almost 6 years ago - /u/Mod_Stevew

Originally posted by schlamboozle

or have a habit of using various VPNs on web access only - but I have to say it looks suspicious

This shouldn't be suspicious at all and is deeply concerning as I use a VPN for other things but do log onto my accounts while connected to the VPN. Users like to torrent and stream unseen by their ISP or want protection from DDoS if you use 3rd party communication software like TeamSpeak.

The new email that the owner asked to be set to the account in this recovery request, is in itself suspicious, it has been used on 43 other RuneScape accounts

Sounds like OP was hijacked by a known hijacker that is overly familiar with Jagex security protocols which seems more like a problem for you guys than a suspicion on OP.

EDIT: Since we have some idiots in here. At the end of the day, I don't want my account locked because I'm using a VPN to not be throttled or DDoSed.

Just to clarify the VPN point - there is no issue at all with people using VPNs, and of course people do go on vacation, relocate for college, move home etc. - I was not trying to imply that these sorts of moves cause us any concern.

When reviewing this case, the extensive log ins from various countries just formed part of my assessment of the history of the account, it was also worth noting that all game play was fairly static, but the country variations only applied to web log ins.

It was a contextual observation, and I probably should have used the word 'unusual' rather than 'suspicious' - apologies if I unnerved any VPN users, sleep easy and 'Scape on, your use of VPN is not a concern :)
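
The account-history signals discussed in the comments above (web log ins from countries never seen in game play, continuing across password changes, and a recovery email shared with many other accounts), sketched as detection logic. This is an added example, not part of the thread and not Jagex's tooling; the event format, function names and all sample data are constructed assumptions.

```python
# Constructed sample events for one hypothetical account:
# (ISO date, kind, channel, country)
EVENTS = [
    ("2015-03-01", "login", "game", "GB"),
    ("2015-03-04", "login", "web", "RU"),
    ("2015-06-10", "password_change", "web", "GB"),
    ("2015-06-12", "login", "game", "GB"),
    ("2015-07-01", "login", "web", "BR"),
    ("2016-01-15", "password_change", "web", "GB"),
    ("2016-01-20", "login", "web", "VN"),
    ("2016-02-02", "login", "game", "GB"),
]

# Constructed index: recovery email -> accounts it has been set on.
EMAIL_INDEX = {
    "shared@example.test": {"acct%02d" % i for i in range(44)},
    "owner@example.test": {"acct00"},
}

def gameplay_countries(events):
    """Countries seen on the game channel, treated as the account's baseline."""
    return {c for _, kind, ch, c in events if kind == "login" and ch == "game"}

def web_only_countries(events):
    """Countries that appear on web log ins but never in game play."""
    web = {c for _, kind, ch, c in events if kind == "login" and ch == "web"}
    return web - gameplay_countries(events)

def resets_followed_by_foreign_web(events):
    """Password-change dates after which an off-baseline web log in still
    occurred. More than one hit means a single leaked password does not
    explain the access: the new credential was obtained as well."""
    home = gameplay_countries(events)
    flagged, current = [], None
    for date, kind, channel, country in sorted(events):
        if kind == "password_change":
            current = date
        elif current and channel == "web" and country not in home:
            if current not in flagged:
                flagged.append(current)
    return flagged

def other_accounts_on_email(index, email, account):
    """How many other accounts have used this recovery email."""
    return len(index.get(email, set()) - {account})
```

Neither signal identifies who is responsible on its own; as in the thread, a VPN user or traveller can produce off-baseline web log ins, so the results are context for a human review rather than grounds for an automatic lock.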