JagexTwisted

Just to add to this. As you have e-mail access I have gone ahead and secured your account while you take steps to secure it. I have removed the ban also.

I would recommend ensuring that your e-mail and method of authentication are secure and that you are using two-factor wherever possible. I would also recommend you ensure you have no inbox rules set up with whichever e-mail provider you use as hijackers are able to use inbox rules to forward themselves your e-mails.

The same goes for your actual account. When you are able to log into the Runescape website please make sure you remove any connected accounts you do not recognize if there are any.

You could take an extra safe step and virus scan your devices. The above is my personal recommendation.

Out of curiosity, is it a mobile authenticator you use? Is the authenticator tied to some kind of account itself?

I'd recommend making sure that your e-mail and game accounts are both secured with new passwords and two-factor.

As you changed your password though, you should still be able to log into the website and check the messages tab to see why you were banned.

If you believe you weren't in control of the account it'd be worth submitting an appeal here.

https://support.runescape.com/hc/en-gb/articles/115002238729-Appeal-an-offence

This player was using an unauthorized client, by the way.

Either really, but I prefer reports

They do tend to get banned but are quickly replaced as there aren't a metric tonne of requirements on it. I manually banned 500 accounts after seeing this post, so it should look better.

Im David Btw

Banned a fair few accounts from those examples, so it should be better now. I'll continue to look at tweaking it though.

Improving the detection in those specific areas based on the metrics taken from those sample accounts will, however.

Give me your in-game name, I'll take a look at your reports when I have a moment.

Can you provide an in-game name and I/someone will have a look for you?

Even based on the account provided, I would just run through my previous reply and make sure all of the above has been done.

Players never like to hear this, but it's always the players fault if their account is hijacked. It may be that your account was exposed previously as you mentioned, and someone has attached it to some form of social media login to bypass login restrictions.

If you provide an in-game name I can take a look although I would generally only be able to provide advice based on what I see.

If not, I can provide some insight as to what I would look for as an IT professional (not as a Jagex employee).

Regarding your e-mail. If you haven't attached a different e-mail to your account and are referring to changing the password, I would recommend Googling inbox rules for your e-mail provider and check whether there are any e-mail forwarding inbox rules attached to your current or previous e-mail accounts. Some hijackers will create an inbox rule to forward every e-mail in your inbox to their own e-mail address so they are able to submit password reset requests to your ...

99 by afk

Doesn't look incorrect to me

Just depends on what I do with my downtime on a work break really

I've banned quite a lot of them today and will continue to, so it should look better there.

I would be more than happy to have a look if you provide the in-game name of the accounts.

No, he's right. Unless your friend happened to click a phishing e-mail it's likely his e-mail and a similar password were used on a different website and that website/service has had a data breach.

The best practice is to have strong, different passwords attached to every service you use and two-factor enabled on everything that allows two-factor to be enabled.

Hijackers likely do not target specific accounts and more likely gain access to the data made available from database breaches of other services. If they try an e-mail address and are presented with "incorrect password" they know that an account exists and can start trying passwords. They'll likely also start trying to access the e-mail address as they can use that to reset the password.

This is only made more difficult by having strong, unique passwords and two-factor authentication.

Banned

You do know that in that last two years almost myself and Mod Trident have just under 10 million bans attributed to us and we're the newest two people on the team...

Member, non-member, ex-member... I don't really care, I ban if they're rule-breaking.

men are poor

Ban is correct.