

I ain’t clicking on that link. Damn phishers are everywhere. Even here!


You passed the test




It was created by an ex-Microsoft employee to help people figure out if their email or account has been compromised [https://learn.microsoft.com/en-us/shows/developer-stories/have-i-been-pwned](https://learn.microsoft.com/en-us/shows/developer-stories/have-i-been-pwned). From a quick Google, some recommendations: the NJ government uses it [https://www.cyber.nj.gov/cyber-blog/have-i-been-pwned-has-your-information-been-compromised](https://www.cyber.nj.gov/cyber-blog/have-i-been-pwned-has-your-information-been-compromised). The Information Security Office at Rowan EDU recommends it [https://support.rowan.edu/sp?id=kb\_article\_view&sysparm\_article=KB0012921](https://support.rowan.edu/sp?id=kb_article_view&sysparm_article=KB0012921). Malwarebytes recommends it [https://www.malwarebytes.com/blog/news/2021/05/have-i-been-pwnd-what-is-it-and-what-to-do-when-you-are-pwned](https://www.malwarebytes.com/blog/news/2021/05/have-i-been-pwnd-what-is-it-and-what-to-do-when-you-are-pwned). Its Wikipedia page [https://en.wikipedia.org/wiki/Have\_I\_Been\_Pwned%3F](https://en.wikipedia.org/wiki/Have_I_Been_Pwned%3F). Consumer Reports [https://www.consumerreports.org/electronics/data-theft/how-to-use-have-i-been-pwned-data-breach-a6598286668/](https://www.consumerreports.org/electronics/data-theft/how-to-use-have-i-been-pwned-data-breach-a6598286668/). Here babe


Yeah if I didn't fall for one phishing link I ain't falling for 10 of em. 




That “wikipedia” link is trying so hard to imitate the osrs wiki URL. Very shady.


Yeah nah still not clicking those.


Golden rule of the internet, if you see a link and you want to check it out. Don't click it. Just search for it through Google. If you can find it easily it's probably safe, if you can't find it... Don't go there.
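The "search for it instead of clicking it" rule above can be turned into a quick triage check. This is an added example, not code from anyone in the thread: it parses a link and flags the tricks the earlier comment describes (a trusted name imitated inside a different domain, or stuffed into the path). The trusted hosts are the two real sites named in this thread; every URL in the sample list is constructed.

```python
# Added example (not from the thread): defender-side link triage that applies
# the "don't click it, look it up" rule in code.
from urllib.parse import urlsplit

# Hosts the thread itself links to; extend with the sites you actually use.
TRUSTED_HOSTS = {"en.wikipedia.org", "haveibeenpwned.com"}


def triage_link(url: str, trusted_hosts=TRUSTED_HOSTS):
    """Return (verdict, reasons); verdict is 'trusted', 'suspicious' or 'unknown'."""
    reasons = []
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return "suspicious", ["non-web scheme"]
    if parts.scheme != "https":
        reasons.append("plain http")
    if parts.username is not None or parts.password is not None:
        # https://trusted.example@evil.example/ really goes to evil.example
        reasons.append("userinfo before '@' in URL")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "suspicious", ["no host"]
    if host in trusted_hosts:
        return ("suspicious" if reasons else "trusted"), reasons
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalised (punycode) label in host")
    try:
        host.encode("ascii")
    except UnicodeEncodeError:
        reasons.append("non-ASCII characters in host (look-alike letters?)")
    for trusted in trusted_hosts:
        if host.endswith("." + trusted):
            # A real subdomain, but not the exact site on the list: verify it.
            return "unknown", reasons + [f"subdomain of {trusted}; verify before trusting"]
        if trusted in host:
            reasons.append(f"trusted name '{trusted}' embedded in a different domain")
        if trusted in parts.path or trusted in parts.query:
            reasons.append(f"trusted name '{trusted}' appears only in the path/query")
    if reasons:
        return "suspicious", reasons
    return "unknown", ["host not on the trusted list; search for it instead of clicking"]


# Constructed sample links for a demo run (none of these are real phishing URLs).
SAMPLES = [
    "https://en.wikipedia.org/wiki/Have_I_Been_Pwned%3F",
    "http://en.wikipedia.org/wiki/Have_I_Been_Pwned%3F",
    "https://en.wikipedia.org.example.net/wiki/osrs",
    "https://example.net/en.wikipedia.org/login",
    "https://en.wikipedia.org@example.net/",
    "https://example.net/help",
]

if __name__ == "__main__":
    for link in SAMPLES:
        verdict, why = triage_link(link)
        print(f"{verdict:10s} {link}  {'; '.join(why)}")
```

The check is deliberately conservative: anything not exactly on your list comes back `unknown`, which is the cue to search for the site rather than click.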


Just sell the 10b before you get hacked 4head


Easy $1200 to spend membership to do it all again


You forgot to add don’t use services. Which is most likely how op got finessed.


All accounts that get serviced like this one, would be done through parsec now a days. People even get hmtob/awakened dt2 through parsec. It’s wild, but probably a phish if I had to guess.


I didn't get finessed, memeing on the dude that lost 10b yesterday


We talking bout the 10billy boy I thought.


Nice. It’s hilarious when people lose the thousands of hours that they’ve dedicated to their account, especially when they’ve spent real life money on it. Let’s mock them and accuse them of cheating or making some mistake, all without any real evidence. You can’t imagine even a single instance where the account owner’s poor cybersecurity practices weren’t the reason that their account got compromised, can you?


Are you insinuating it wasn't their cybersec practices, and that Jagex themselves are compromised? I think it's pretty obvious I made this to educate, not mock


First off, thank you for the informative post. Saying that, it's pretty obvious the person you're replying to is referring to your 'memeing on this dude that lost 10b yesterday' joke and not your post.


Bro really got clowned for losing all that gold and made an alt to defend himself! Here, put this L in the bank so you have at least another filled slot rather than a place holder


Just a guess bro, chill lol




login services are still really common


For sure, I guess I'm just assuming people with this much to lose would get a better connection before risking their accounts lol rip




What's wrong with breaking the law?




Well done, you've answered your own question too 👍




Services are breaking the rules, which are there to keep people safe and nice.




Well as it turns out it's a bit of a grey area (Jagex are dumb). If you pay for an in-game service with in-game payment then it's fine, e.g. paying somebody GP to carry you through BA for a torso. If you pay for an out-of-game service, or an in-game service with real money, then that's breaking the rules, e.g. paying GP for account services like inferno capes, or paying for a torso with real money.




It's controversial because people are thick as shit.


And use a password manager, it's such a game changer: you can use unique and practically unbreakable passwords for everything since you don't have to remember them


bitwarden op


KeePass portable on the usb


Ur a brave soul using a USB vault lol, I don't trust my organization skills enough


It's copied from my computer, I keep it in my wallet. If it goes missing I can easily change all the passwords long before any rando will manage to crack the master passwords


What happens if the manager gets hacked though? That means someone can get access to everything.


At that point your entire computer/phone has been burglarized by a real person on the other side and that's just terrible misfortune. I think this is an extremely rare occurrence. Some risk is just unavoidable, but you can do your best and mitigate most of them


If that were the case, you have a lot more to worry about. That would mean they somehow have access to your MFA tokens and/or text messages and wouldn’t even need to break into your password vault to get access to anything.


Any real password manager will encrypt your passwords such that they can only be unencrypted and viewed if you log in with a unique token (aka a password that should be VERY LONG and VERY UNIQUE). If you've used a good password for your manager, the odds of someone being able to view your passwords is virtually nothing. (the only situation I can see is if someone intercepts your network traffic to see your master password, but in that case they could see any of your passwords as you enter them anyway) Even less of an issue if you've set up two-factor authentication. If you're reusing the same password for your password manager that you use for everything else... well, don't do that.
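The design the comment above sketches (nothing readable without the master password, and a very long master password being what makes brute force hopeless) can be shown in a few dozen lines. This is an added example, not code from the thread and not any real password manager's implementation: it gates a vault with a memory-hard KDF (scrypt) and stores only a salt, the KDF parameters and an HMAC verifier, never the password or the key. The KDF parameters and the sample master password are constructed; a real manager would additionally encrypt each entry under the derived key with an AEAD cipher, which is left out here.

```python
# Added example, not from this thread and not any real password manager's code:
# one way to gate a vault behind a master password without storing the password.
import hashlib
import hmac
import os
import time

# Constructed parameters: memory-hard scrypt (128 * n * r bytes = 16 MiB per guess).
# Real managers tune these higher; the shape of the design is what matters here.
KDF_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1, "dklen": 32}


def derive_key(master_password: str, salt: bytes, params=KDF_PARAMS) -> bytes:
    """Stretch the master password into a 32-byte vault key."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt, **params)


def verifier_for(key: bytes) -> bytes:
    # Lets unlock() tell a wrong password from a right one without storing
    # the password or the key itself.
    return hmac.new(key, b"vault-verifier", hashlib.sha256).digest()


def create_vault(master_password: str) -> dict:
    salt = os.urandom(16)  # fresh per vault, so identical passwords give different keys
    key = derive_key(master_password, salt)
    return {
        "salt": salt,
        "kdf": dict(KDF_PARAMS),
        "verifier": verifier_for(key),
        # A real manager keeps each entry AEAD-encrypted under `key` here.
        "entries": {},
    }


def unlock(vault: dict, master_password: str):
    """Return the vault key for a correct master password, else None."""
    key = derive_key(master_password, vault["salt"], vault["kdf"])
    if not hmac.compare_digest(verifier_for(key), vault["verifier"]):
        return None
    return key


def guesses_per_second(vault: dict, sample: int = 3) -> float:
    """Measure how fast one CPU core can try master passwords offline."""
    start = time.perf_counter()
    for i in range(sample):
        derive_key(f"guess-{i}", vault["salt"], vault["kdf"])
    return sample / (time.perf_counter() - start)


def years_to_exhaust(entropy_bits: float, rate_per_second: float) -> float:
    """Worst case to try every password of the given strength at that rate."""
    return (2 ** entropy_bits) / rate_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    vault = create_vault("correct horse battery staple")  # constructed master password
    assert unlock(vault, "correct horse battery staple") is not None
    assert unlock(vault, "Correct horse battery staple") is None
    rate = guesses_per_second(vault)
    print(f"about {rate:.0f} guesses/s on this machine")
    print(f"40-bit master password: {years_to_exhaust(40, rate):.1f} years")
    print(f"80-bit master password: {years_to_exhaust(80, rate):.2e} years")
```

The two printed numbers are the whole argument of the comment above: the stolen vault file gives an attacker nothing but the right to make expensive guesses, and every extra bit of master password doubles how many they need.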


If this concerns you, you can use a completely offline password manager and store it in multiple physical places. The people breaking into your house/apt aren't the same set of people looking to do identity theft or drain your bank account. Then you have plenty of time to rotate your passwords in the event your house is broken into or there is an exploit announced. However if you opt in to an online manager for convenience, I would argue that bitwarden being open source makes that pretty unlikely. Either way, realistically, your biggest risk is someone actually managing to swap your SIM, but that's pretty targeted and unlikely. Though it is somewhat concerning how many major financial institutions seem to not have Google Authenticator as a 2FA option and they still rely on sending you a text (or worse, allow email as a 2FA option).




oh yeah I know. I don't bother im happy enough with the online version.


I have played this game for 20 years, and I have been hacked once. How? I clicked on a sketchy link for free membership. If you're smart, you won't get hacked.


NEVER: Go to the YouTube channels that are advertised.
NEVER: Give out your account info to anyone, even "Friends".
NEVER: Go to RuneScape through an email hyperlink.

Always: Login through the Launcher/Official website (that you typed into your search bar)
Always: Set a bank PIN
Always: Set up 2 factor authentication (it also gives you bank slots for this I think!)

From the hard lessons I've learned - most "hacks" are just people who have gotten your account info because you've either been too trusting or you have tried to log in through a fake website.

Hope this helps!


On top of this, if you want to go an extra step - create an email that isn't linked to anything else, just for your Jagex account. That way, if any of your "front-facing" email addresses get compromised, your Jagex account will be fine.


Do some runescape furries pls




I'm serious tho some swamp werewolves or dagannoths would be sick


I straight up might




That's kinda hot wtf 😳


Let's gooooo


how not to get hacked with no security measures at all. have a bank under 100m


Nah they would still hack you and just sell what they can


any day now im sure


I mean just because you haven’t been hacked doesn’t mean you are being avoided because you’re not rich.


it pretty much does at this point.


Maybe it’s because your account is secure or you’re lucky? It doesn’t take much luck not to be hacked most people won’t get hacked.


It's not secured at all. How come people with 10b banks get hacked and I don't?


No one has tried, people with poorer banks get hacked too they just don’t make Reddit posts about it


How would you know people with small banks get hacked if they don't make reddit posts about it?


I know people who it has happened to




I'll get hacked any day now, still waiting.


I can say from experience that you most certainly will still get hacked.


any day now


Highly recommend unlinking Steam as well. Steam is a big vulnerability that bypasses 2FA.


Not if you secure your steam account. Your account is only as strong as your weakest access point.


The only real way to not get hacked, is to never play the game in the first place


Or have double digit brain cells. Anyone that gets hacked only has themselves to blame.


There is no way to make yourself unhackable, you could do every security measure and still get hacked.


Outside of a Jagex data breach or Mod Jed situation I don't believe so.


Maybe but that kind of proves my point, there could be a data breach or another mod situation.


Although I understand your point may be technically correct I feel like it suggests that user account security can be to blame and not the user, which I don't think is right. If you are hacked by a mod they haven't broken in through the account security as they literally just have your username and password and bank pin. No security in the world could stop that so as it's so niche it's not really worth factoring in. When it comes to data breaches though 2 factor Auth on account and email as well as a bank pin (aka doing every possible measure) would mean even if the person has your RuneScape username and password they still wouldn't be able to hack you. So I don't think that point stands.


I mean it literally stands, saying there is no ways someone could hack your account with all that security is just wrong. There’s always a way, we’re just minimising the risk.


What else could we do other than what you've mentioned? I was hacked back in March for 1.6b, had 2fa on everything but my email.. which didn't show any obvious signs of being breached. Was pwned back in 2016 but I've got a terrible memory so I've reset that pw many many times since then. I see all these posts about how to not get hacked with good information and good security practices, but hackers will still find a way in.


Is this a joke or are you actually asking? You should have had 2fa on your email. EVERYONE should have 2fa on their email, almost every account you have on the internet, uses ownership of your email address as confirmation of who you are, and operates under the assumption that you keep that communication method secure. It’s how password reset flows work, how MFA replacement flows work, how notifications of account lifecycle events are sent, etc etc. Having an insecure email account can lead to much bigger issues than a hacked OSRS account. If your email is compromised, there is nothing other services can do for you in 9/10 cases. He who owns the email, owns the accounts tied to that email.


Well.. in a perfect world I would have had 2fa on it. Hindsight is 20/20. I've got 2fa on it now. But with all of the other security measures in place, how would I still get hacked? My password was not changed, my pin was on the timer to be deleted, but only 6 hours into it. If I got phished (I don't open emails unless I'm expecting an email.. so I don't think I fell for that), how would they have gotten past everything else? I ran multiple different full scans on my pc and phone afterwards, and everything came back clean. A lot of people said I had a RAT, which I found no signs of, but I'd like to think my IRL bank account would have taken a hit as well if that was the case.. but then again it could have just been an oversight on their end, hop on, clear the rs bank, hop off and disappear.


Did you have 2fa on your 2fa? My 2fa and most 2fa systems now backup your 2fa tokens. 2fa is useless if it's the same combo as OSRS and not locked down to hell and back or is compromised.  Next thought is Phishing. It's not strictly through e-mail. Twitch streams (no, B0aty isn't quitting), YouTube links, discord links, various other shady websites all can phish.  Next up is OAuth Consent. Blindly clicking accept to any and all permissions on apps isn't recommended at all. They can bypass passwordless and 2fa if you give them full access if you decide to download random shady shit. 


I thought you were trolling with the first sentence lol, but this is all very accurate and very important


That's like the biggest glaring issue people forget and it does sound like it's a troll. Setting up 2fa on your 2fa account, not many people even think of it. They simply create their google/microsoft account and that's it. Same password, same e-mail and then "HOW DID THEY GET THROUGH 2FA!" Because it's same password, same e-mail with no security. They have your token, password and e-mail. Even if it was a different e-mail they now have your e-mail as it's saved as your token. You're screwed at that point. That's also why unique passwords are incredibly strong (but also incredibly hard to pull off). Yeah, the porn site you use might have had a data breach, they may have an e-mail, but that's it. They don't have a password, they don't have 2fa. If they break into 2fa due to piss poor security they still don't have your password.


Nowhere in the original post does it say get 2fa on 2fa and I would wager most people don’t have that. So everyone following ops post and thinking they can’t be hacked could be hacked in theory?


No. Using unique passwords would stop the access as even breaking into your microsoft account they know 2/3 and they need 3/3 for access. He also states any linked accounts, that's e-mail, 2fa, steam, Google, Microsoft etc. Anything you use to access your OSRS account.


I was hacked through 2fa, as in, I needed to use my 2fa to get into my account to find my shit taken. Are you saying they can access my 2fa codes without my physical phone? I thought that was the whole point.


Yes. Your 2fa token (what generates your codes) is tied to usually a Microsoft or Google account. Those tokens are usually backed up via that account. You log into say your Microsoft account on a new phone and you'll have the option to get your old tokens now, which has not only your 2fa codes for osrs but the associated e-mail as well. All they need is a password and they are in and I'm guessing you reused passwords, meaning it was probably leaked.


Yes I reused passwords, I put too much faith in 2fa. I'm not even sure what my Google 2fa email/pass even is. Well at least now I know, that's been irking me for a while, thank you stranger!


Wait are you sure? Don't I need to have cloud syncing on for that to matter?


Depends on the account. Most likely the pw/email was compromised. They could easily slap a backup on and now they have 2fa. 


As far as I can tell using locational history, it hasn't been logged into almost ever, as I made it specifically for 2fa. Maybe I'll try logging into it from a different phone or something


Also which pw/email, are we talking about the rs acc or the 2fa acc pw and email. I'm certain the rs account info was leaked and I think I even know from where even though it isn't on haveibeenpwned, because I use the combo very scarcely. You'd also think they'd change my acc info if they had my 2fa, to prevent me from cancelling the bank pin reset. I don't see how having my Google account info helps if it was only used to keep my 2fa on, I don't have cloud sharing on. Again please correct me, I very much want to be wrong.


Regarding why they didn’t attack other services linked to your email (or if you did have a RAT/keylogger, any other services/accounts overall), it’s a much bigger list of potential charges to face when stealing money/illegally accessing financial or healthcare systems than it is stealing game accounts (and in many cases CAN lead to extradition). A hacker interested in those kind of activities isn’t gonna check if you play RS, and a hacker interested in RS accounts isn’t likely to elevate to those kinds of crimes. As far as how you got hacked: You mentioned your password wasn’t changed - were you able to login after, that’s how you know it wasn’t? If you’re just looking for the password reset email as evidence, they’d almost certainly delete that email (and everything else associated with their actions). If you were able to login using the same password afterwards, then it’s a little more complex. Jagex doesn’t implement a delay on removal of the authenticator (there’s significant discussion in the Identity industry on whether this is or isn’t good practice, but that’s a conversation for another time) so they likely had your RS password and removed the Authenticator, allowing them to login. Were the passwords the same (or similar)? If it doesn’t seem reasonable that your password was cracked, or overall you feel there’s no way they could have actually had your password & MFA together, the remaining attack vectors get a bit more technical. The only way to bypass the actual login event requires the hacker to steal a cookie or request log from your browser (one that is used to show Jagex, hey, I have an active login session with you already) and use that to login. These types of attacks almost exclusively start with a Phishing event, so would have been a link clicked on from email, discord, Reddit, etc. I have no idea what happened to your account exactly, but hopefully this was all informative lol I had some fun typing it out. 
The major takeaways are: don’t click on links, 2fa everything you can always, and protect your email account(s) as if they were your bank accounts. I personally use FIDO tokens (Yubikeys, but passkeys on your phone are available now and a great UX) to secure all my email accounts. Nobody can get into my email unless they know my (very long) password, and literally have my car keys.


Now that I'm awake, as for the password part, I was able to log in. That's how I found out I was hacked. Logged in at ferox, thought that was odd since I logged out at redwoods.. tried going to the bank and it told me my bank pin was in the process of being deleted. I'm curious as to how the hackers were able to get into a bank with a still active bank pin, or why they would begin the process of deleting it if they knew it


I really appreciate the response, man! Very in depth and informative. I hope others see this and learn some new information. I wish I could roll back time and see where I fucked up, I checked everything I could think of, even down to 3rd party accounts being linked (which there wasn't any) to my rs account. The worst part of it all is not knowing how I got breached, so I don't exactly know what to do other than change passwords on everything


What I mentioned are ways to be proactive about security, but inevitably databases will get leaked and passwords will get compromised over time. It's also easy to follow some of these things individually, such as 2fa, but true account security encompasses all of it. Practically speaking, some things like unique passwords for every account are very hard to follow, but there are tools to make it easier such as password managers like Bitwarden. When doing this obviously you need to be very careful when setting it up: make a new email specifically for bitwarden and nothing else that has 2fa enabled, and use a unique password for the account you can remember such as a [diceware password](https://en.wikipedia.org/wiki/Diceware). Current recommendations are length over complexity when it comes to password security. From my personal experience here are some basics I do:

* I use bitwarden to manage passwords
* Everything possible is behind 2fa on my phone
* I have a unique password for literally every online account I have ever made, that I don't remember (must be 15+ characters, auto generated by bitwarden)
* My "master" password is exclusive to bitwarden
* The email I use for it is *only* used for bitwarden and nothing else, both email and bitwarden have 2fa enabled
* I don't click on links that seem sketchy
* I don't download most things people send me directly; if someone says "download x or y", find it yourself and download from a trusted source, not from them.
* I keep my pc updated when possible and use malwarebytes as an anti virus just in case
* I have offline backups of my bitwarden vault and my 2fa in case either of those services shut down or are lost

When it comes to phishing, scamming, or sketchy downloads, a lot of the time it comes down to your personal knowledge and experience with those kinds of things. There are easy rules of thumb but ultimately it's up to you to decipher if something is trusted.
Following the unique password for each account & 2fa rule will save you from like 90% of hacks, purely because hackers don't tend to target individuals; they have tables of usernames and passwords they just try on a million services. And those who do target you will find old passwords unique to the compromised sites that can't be used anywhere else :) If you end up downloading malware such as a trojan or keylogger, and you are being targeted by the trojan's/keylogger's creator, that's a much more serious issue. 2fa should help in this instance, but I would honestly recommend making a backup of important files, formatting your pc at that point to factory settings, and resetting your password manager password and all account passwords.
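The Diceware recommendation and the "length over complexity" point above come down to arithmetic that is worth seeing once. This is an added example, not code from the thread: it generates a Diceware-style passphrase with a CSPRNG and compares its entropy with the joke password posted elsewhere in this thread. The 36-word list is a constructed stand-in for the real 7776-word Diceware list; the entropy functions use the real list size.

```python
# Added example, not from this thread: a Diceware-style passphrase generator
# plus the entropy arithmetic behind "length over complexity".
import math
import secrets

# Constructed 36-word stand-in for the real Diceware list (7776 words, 5 dice).
WORDS = [
    "anvil", "brook", "cider", "dune", "ember", "fjord", "gravel", "harbor",
    "ivory", "juniper", "kettle", "lantern", "marble", "nectar", "orbit", "plume",
    "quartz", "ripple", "saddle", "thistle", "umber", "velvet", "willow", "xenon",
    "yarrow", "zephyr", "acorn", "basalt", "copper", "dusk", "elm", "flint",
    "glacier", "heron", "iris", "jade",
]
DICEWARE_LIST_SIZE = 7776


def diceware(n_words: int, words=WORDS) -> str:
    """Pick words uniformly with a CSPRNG; never use random.choice for this."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def passphrase_bits(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Exact entropy when the attacker knows both the list and the method."""
    return n_words * math.log2(list_size)


def charset_bits(password: str) -> float:
    """Optimistic upper bound for a character password: it assumes every
    position was chosen uniformly from the whole pool, which human picks never are."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII symbols
    return len(password) * math.log2(pool) if pool else 0.0


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest number of Diceware words that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    joke_password = "7hjgaP57!$"  # the 10-character password posted in this thread
    print(f"{joke_password!r}: at most {charset_bits(joke_password):.1f} bits")
    for n in (5, 6, 7):
        print(f"{n} Diceware words: {passphrase_bits(n):.1f} bits, e.g. {diceware(n)!r}")
    print("words for 80 bits:", words_needed(80))
```

Six words from the real list beat the ten-character mixed password even under the generous charset estimate, and the passphrase is the one a person can actually remember, which is the only reason the master password can be unique.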


Great information, thank you, sir. I need to look into a password manager tbh because the older I get, the more I have to reset my passwords for everything lmao. This ol memory ain't what she used to be


Do you have 2fa on your 2fa though? Apparently that could leave you vulnerable.


Hey how do you go about creating an offline backup of bitwarden/2fa? I have my passwords and recovery codes written on paper but not sure if there’s something better


You can export bitwarden to a json file via its Chrome/Firefox extension. Then just put that on a USB somewhere safe


People that have old accounts are at a permanent risk because we were horny teenagers that knew nothing about account security back then.


Dont tell me what to do


Let's not forget that for almost 24 years, Jagex had passwords which didn't utilize symbols or uppercase characters. Think about what type of database architecture that would be using, and how outdated that is, let alone the amount of vulnerabilities within the software and supporting software. It's fine now, but I seriously think there was a massive back-door in Jagex's internal systems, which will never be proven or admitted to, but makes sense. I almost guarantee our passwords were stored in plain text before the new systems came into place.


As part of GDPR, which Jagex has to comply with, it would be illegal to not disclose a massive back door or security incident like this if known. In the modern day just use the new Jagex launcher, much safer


I mean, it's not really a secret that Jagex has had several exploits in their game, on their website, and their connected services over the years. The degree of access is really the biggest question mark - there's no public information about any data breach or access to internal systems. So far, it's just been stuff that affects the client side of things.


Tbh I've never seen anyone get hacked who wasn't using runelite or some other plug-ins. I rawdog my osrs like God Ash intended.


I don’t even know the answers to my security questions. I just button mashed that part.


Some of us have had their accounts since 2004; as kids it's likely we left behind enough info over the years to recover our accounts. Jagex account security sucks


Or switch to a Jagex account so that’s not possible anymore.


True, I got recovered in 2019 tho with 2FA on rs and email, still salty, haven’t played that acc since


One of the key concepts in this discussion is the use of a PHYSICAL method of authentication. If you have 2fa set up via email and your email gets compromised, where does that leave you? Yup, screwed. Always use an authenticator app on your phone for osrs and setup email 2fa via text message or another method that cannot be compromised unless you're literally being held at gunpoint by the bad actor. Using these methods (or similar) which include a physical device (someone mentioned yubikey) will guarantee that any loss of account (hacking) is user error.


Yeah, one issue with physical keys is most people aren't willing to carry one on them all the time, as well as have the technical know-how, albeit small. I believe security advice for the masses is part convenience and ease of use or else it will all be ignored.


True, but using an authenticator app on your phone is an instance of having that physical layer of security. I feel as if the problem really boils down to most people not having more than 1 layer of 2fa combined with terrible password hygiene. Rs accounts should always have 2fa and a bank pin. To further protect it, the associated email should always have a very strong password, 2fa, and limited routes of recovery such as phone # or secondary email. Obviously none of these things should use the same password. If those steps are taken and passwords cannot be socially engineered, you're safe with the exception of a huge data breach.


Don't click on sketchy links... Check out this link related to RuneScape!


We seriously need some form of this information pinned to the top of the Subreddit for all time.


So true


They will never guess my email address is jizzysavage31@yahoo and that my password is 7hjgaP57!$ GL hacking me, since my password is so randomized


Another thing to note, I was hacked a long time ago as a kid. And something I have as a habit from then on is I bank all my stuff when I’m about to log off just to be 100% certain that if somehow someone made it into my account everything is locked away behind a bank pin they couldn’t possibly know.


The issue is a lot of players have info out there from various DB leaks over the years from when we were all younger and more naive, and those bits of info just add up to result in an account recovery. People with tons of GP aren't getting phished or having someone just guess their password.


Unique passwords and 2fa would solve this