Original Post

Today I was playing my main IGN: Dhally. Doing tob as I would any other day and all of a sudden I was logged out of my acc. I initially thought to myself, must have been a 6 hour log (nerd thought). Then I read "your account has been locked". I then try to log in again and it says invalid credentials when I am for sure typing username and pass right. I request a pass change and it says email has been sent but I go to check my email and it hasn't arrived. I wait a few minutes and there it is, I follow the instructions and when I go to the link it says request has timed out. After that I try it again and it says I have to wait an hour to request again so I do. Now I'm here because I keep requesting pass changes and the emails aren't coming in at all but when I request them it says acc is 2000-2100 total and never played rs3 which are both true for my acc. Any help would be much appreciated because the support system doesn't help much unless you can sign into your account on the rs website which I cannot. Thanks :)

-Dhally

over 5 years ago - /u/JagexSween

Your account was hijacked back in January, seemingly via the creation email being compromised. The hijacker looks to have set their own email in that time, which is why you aren't getting the recovery emails.

https://support.runescape.com/hc/en-gb/articles/207217595-Hijacked-account

  • Recovery request
  • Enter your login email
  • It'll say an email has been sent. You don't have access to the email, so click "I don't have access to that email address"
  • Submit an Account Recovery form

For more context on the hijacking back in January: you had submitted multiple support tickets (which were immediately deleted), which I assume you were instructed to do by the hijacker. The hijacker had access to the account and read the messages, before deleting them. Within those messages was the password of the account, bank PIN, and tons more info.

over 5 years ago - /u/JagexSween

Originally posted by BasicFail

Huh? How was he able to play today, if the hijacker changed the details back in January?

It looks as though he was phished back in January. Believing he was talking to Jagex Support, he provided the hijacker with a desired password.

over 5 years ago - /u/JagexSween

Originally posted by BasicFail

Thanks, that makes a lot more sense.

One more thing if you don't mind. How do you know that the desired password was the current password?

The reason I ask is because that implies that Jagex stores our passwords in plaintext. I'm hoping that is not the case. Therefore I'm assuming that you've looked at when the password was changed and other available data. Then based on that you came to this conclusion. Correct?

It's just an assumption, I could be wrong. I looked at the context available (phishing ticket replies). We do not have plaintext passwords.

over 5 years ago - /u/JagexLyon

Originally posted by BasicFail

Thanks again, saved this comment for future reference. :)

Every now and then there are people claiming that Jagex stores passwords in plaintext or that their database gets leaked. Often in an attempt to blame someone other than themselves when their account got hijacked. Absurd to think, but glad you confirmed it's not true.

Jumping in here to provide a clear tech perspective.

Jagex do not store passwords in plaintext. Customer Support, developers and everyone else at Jagex do not have access to your passwords. Access to anything relating to passwords is controlled in line with GDPR, industry standards and common sense. Passwords are secured and protected using modern algorithms and all other functionality that is deemed appropriate by ourselves and the industry.

Separately, no capital letters etc. isn't great, but it is not related in any way nor representative of our security systems currently in place. Which is a common assumption I see made.

Our database of passwords / personal information has also never been leaked / compromised, to my knowledge. If it was, I believe we'd be legally obligated to reveal that information.