Multiple posts on Reddit recently have stated that a large influx of players have received password recovery emails (that they did not request themselves) stating their RSN inside of the email.
No word from Jagex on what has happened, whether it's a database leak or an other error on their side of things.
Please be safe and only reset your password via the RS home Page and NOT by clicking any links in any of the mails!
External link →Based on what I've seen, this seems to only be affecting accounts with usernames only and not emails, hopefully we get an official confirmation on this.
EDIT: Worth editing to mention that in the time since I posted this initially it seems to also impact email login users as well, Jagex have an article up confirming their investigating here as well as /u/JagexJD's comment [here].(https://www.reddit.com/r/runescape/comments/h8i13r/possible_database_leak_at_jagex_stay_safe/fusi3ox/?context=3)
Hi guys - thanks for flagging. We're aware of the reports and are investigating.
EDIT, 18:15 BST:
Hi everyone. We're aware of a number of players receiving password reset emails overnight and are actively investigating the reason behind this at present. If you haven't submitted a password recovery request and have received an reset email from us, we'd ask that you please screenshot the email (subject line and all), and send it to [[email protected]](mailto:[email protected]), so we can use it to help the investigation. We would ask that in sending us your email confirmation, you do not upload screenshots to third-party sites, such as Imgur, for security reasons.
Whilst we're investigating (we don't have a timeframe at present, but we're working hard to make it as quick as possible), we'd like at this stage to assure players that an email and account both secured with two-factor authentication will protect your account the best, no matter what the scenario - you can set this up here.
We'll update you all when the investigation is concluded. Thanks for your cooperation!
There's a PSA on our Support page which we'll update if there are any changes.
Mod JD has already replied and we'd like to keep the messaging consistent.
how about instead of completely ignoring the issue and saying everything is okay np, you take active measures against this blatent issue by maybe considering reworking your account security/recovery systems, as they are very flawed
Edit: nvm you edited your message, glad you guys decided to look into it
My initial message also included lines to indicate that we're investigating but that might not have been extremely clear.
Mod JD has already replied and we'd like to keep the messaging consistent.
You did originally say that our accounts were safe and there was no breach but you appear to have edited your post entirely, any ideas why?
Hi everyone. I've edited my original reply with more information. We'll keep you updated if anything changes!
Can I just forward the email or attach it as plaintext, headers and everything? Or do you really prefer screenshots?
Either is fine, but as long as we can see the subject of the email, too, please!
You did originally say that our accounts were safe and there was no breach but you appear to have edited your post entirely, any ideas why?
It's an ongoing investigation - you can see our latest update in my most recent comment.
Could you make a full reddit post at the very least, or a newspost on the main website. Most people won't be checking a reddit comment.
It's a PSA on the support centre; we'll do a full write-up when the investigation is finished.
Thank you for this comment. I've forwarded the password reset email I received to [email protected], along with a screenshot of the full email just in case forwarding didn't contain all of the required details.
Thank you.
Hi JD, I sent you an email yesterday evening with all the links in plain view, I know you work at Jagex but was this a safe thing to do? My account was locked shortly after - are Jagex locking all accounts who send an email across?
Cheers!
Hey - can you DM me your account name please? We'll take a look.
devtrackers.gg