Original Post

Basically title. Password got leaked in a recent hack, someone hit up RuneScape with it and was able to log in, changed my password and then somehow was able to change the registered email address to the account. They changed my email address without having access to the registered email account (they do not have the same passwords and the email request to change email is sitting unread in the inbox; there is only 1 such request).

How do I know they have been able to change my email address?
I've been trying to get it to send an email to the registered address to reset my password, it has not worked (even though I get the "Check your email!" notification, I think everyone gets that regardless of success).
So either the "hacker" changed the email, or Jagex's email system has blocked over 10 of my requests to just send a basic email.

I'm not looking for your smarter than thou comments on cyber security and the lapses of judgement you think I've made.

I'm looking for an actual explanation on how someone without access to my email address has been able to change it without my consent. If this extremely basic system doesn't even work properly, I'll probably just move on to bigger, properly coded pastures.

Also, this is a fresh Reddit account because I didn't have one. I will remove/delete it again once I get an answer.

10 months ago - /u/Jagex_Melora

Hey there,

Sorry to hear this has happened. Without access to your account, I can't say for sure how the hijackers gained access, but if a hijacker has accessed your account, then the hijack could only be for one of the following reasons:

  • They have significant information about your account which allowed them to recover it and register their own email - (NB upgrading to a Jagex Account will remove the ability to recover your account through the legacy recovery system)
  • They have access to your email
  • You've unwillingly provided your login info + authenticator TOTP (phishing/keylogging by the hijacker)
  • You've willingly provided your login info to someone

Next steps would be:

  • Submit a secured appeal for your account here. If you're unable to do this, the hijacker may have upgraded your account to a Jagex account, so you will need to reach out to us here.
  • Check your email is fully secure and not accessible to another person (I'd suggest 2FA for your email too). I'd also encourage you to review the inbox rules currently in place on your registered email address. If your registered email has been compromised, then a hijacker might have set up 'rules' which will redirect your incoming emails to another email address, meaning you might not be receiving important security information about your account.
  • Be secure with your information and don't use the same password across numerous sites
  • Check your linked third party associations and remove any you do not recognise/secure your own third party associations
  • Check your devices for any malicious software and run regular virus/malware checks
  • Be careful with what links you click and where you're entering your information (more information on how to avoid phishing/scams can be found here)

  • Jagex Support