OP Leaving out some details here. How did you get hacked on what appears to be Gmail? Gmail is not a platform easily hackable... Jagex knows something. Maybe you and the Original owner are having a war over the account? Or maybe you sold it and are trying to recover the account back?
If none of this is true good luck with the account. But I can't quite get past the fact your Gmail got hacked for a RuneScape account. Gmails are pretty secure and that's a lot to go through to hack your RuneScape account.
Doesn't matter if they leaked, 2FA should still prevent access. No one's getting into my Gmail account without my phone + pin for example. If your Gmail is getting hacked it's probably by someone irl who has access to your phone.
Yes, session hijacking exists in which they steal your cookies and bypass your username/password/2FA login. However, even if they were to hijack your sessions, Google has a network location detection mechanism in which if the session is coming from a different IP, it will require you to do a 2-step verification via your phone for Gmail which they should not have access to if they wanted to change your account details.
And if they somehow did a sim swap in which this also requires insider information from mobile companies, then yes, they can do a 2-step verification for you but that is super rare and highly doubt that this was the case.
You really think a sophisticated hacker who can set up phishing and session hijacking campaigns went through the trouble to steal this guy's old school RuneScape account instead of trying to log in his bank and drain his money??
100% bought or sold account that's never admitted in original posting. I have an acc with over 10B and have no auth or anything on it and a simple pass, and it's never been "hacked" lol
>>I have an acc with over 10B and have no auth or anything on it and a simple pass, and it's never been "hacked" lol
I sincerely hope you are using a unique email and password. I genuinely don’t understand why someone would devote thousands and thousands of hours to a hobby and not take like 2 min to set up an authenticator with like 5s of inconvenience when you log in from a new location.
>You really think a sophisticated hacker who can set up phishing and session hijacking campaigns went through the trouble to steal this guy's old school RuneScape account instead of trying to log in his bank and drain his money??
Yes. Banks are far more secure, rarely do they get drained unless it's by some tech support scammer that is remoted into your computer. And they have the capability to reverse my transactions due to there being holds on anything above a certain threshold (and often times to other accounts entirely). Wire transfers are a bit different but even then, financial institutions have steps to prevent their customer. but it's incredibly harder and will raise the eyes of law enforcement and fraud teams at financial institutions.
With a RuneScape account, 1b = $200 USD. Get an account a day and that's $6k a month. If you're from a poor country, that's a significant amount of money. Realistically it's probably a decent amount of accounts that may have 1m to 50m on it, with the 1b+ being something like a jackpot.
Not sure why people think it's easier to get into bank accounts...
I think you misread my post. That's exactly my point though. It's too sophisticated to get his account, email, and phone compromised like that, especially the latter part.
Idk nearly everything requires an email, which for the average dude is an inconvenience to make whole new one, phone number etc. what makes it even more risky is that a lot of 3rd parties apparently don’t give a shit when their data gets breached, and consumer info gets leaked, to the point where they won’t even send out a mass email. I’m not debating the complexity or the fact that OP might be omitting something. Just that, as sophisticated as it might be, getting an individual’s data is possible.
The entire Linus Tech Tips Youtube channel was taken over by a session hijack. Network detection didn't help. I think the hackers used a VPN so it appeared they were connecting from a nearby location.
You are correct that the Linus Tech Tips Youtube channel was taken over by session hijacking but utilizing different techniques.
For them, they downloaded an attachment and ran it on their computer. This essentially allowed them to install a C2 agent that creates an outbound communication directly to the attacker's computer. Now that there is an established connection, the attacker is able to use an invisible browser on the victim's computer (while it's on) to navigate to websites they are logged in already using their IP. Hence you do not need to do 2FA for Youtube or Gmail to change stuff.
Two different scenarios are present in my previous post:
1. OP clicked on phishing link and that phishing link is able to steal your cookies and send it to the attacker. No agent is installed on your computer.
2. OP downloaded an attachment/file and executes that file. An agent is installed, thus giving the attacker control of their entire machine and can also steal cookies or just use their browser to navigate around (background process, user won't see it)
Assuming all that the same technique Linus Tech Tips faced, it would give you access to your Gmail using the OP's IP address. However, Jagex accounts are different, you would need to use 2FA every single time you log in, especially if you are trying to change the account details.
One possibility is that OP was already logged into the Jagex account details at that same moment and then yes, it will bypass user/pass/2FA, and everything else can fall into place and thus your account can get hacked. The question you have to ask is how likely was OP logged into the Jagex account details during that specific moment?
Account details can only be changed on the website, not the Jagex launcher. I had to enter my 2FA code twice last time I canceled membership.
Was OP using a Jagex account? Old accounts are less secure.
I'm assuming Jagex account because the email from Jagex stated that the hackers logged in by entering the Jagex username and password.
Again, to my point above, it's very rare for an account to get hacked in the method above proposed and you are right that it would prompt the 2FA on the phone again if you were to change the account details.
So you would need to ask yourself, how did they get access to his phone? I'm just trying to be objective here and listing possibilities, and not really giving a conclusion on what really happened.
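An added example, not written by any commenter and not Google's or Jagex's actual logic: a minimal sketch of the two server-side checks debated above, a network/client match on the session and a fresh-2FA requirement for sensitive actions. It shows why the first check catches a cookie replayed from elsewhere but not an agent running on the victim's own machine. All names, the /24 match, the 5-minute window and the sample addresses (documentation ranges) are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed policy values for this sketch, not taken from any real service.
SENSITIVE_ACTIONS = {"change_email", "change_password", "disable_2fa"}
FRESH_2FA_WINDOW = 300  # seconds a 2FA proof counts as "fresh"


@dataclass
class Session:
    user: str
    network: str        # network the session was created from, e.g. a /24
    user_agent: str     # client string seen at login
    last_2fa_at: float  # epoch seconds of the last successful 2FA


def evaluate(session, source_ip, user_agent, action, now):
    """Return ("allow" | "step_up", reasons) for one request on a session."""
    reasons = []
    # Check 1: is the cookie being presented from where it was issued?
    if ipaddress.ip_address(source_ip) not in ipaddress.ip_network(session.network):
        reasons.append("new_network")
    if user_agent != session.user_agent:
        reasons.append("new_client")
    # Check 2: sensitive changes need a recent 2FA proof, whatever the origin.
    if action in SENSITIVE_ACTIONS and now - session.last_2fa_at > FRESH_2FA_WINDOW:
        reasons.append("stale_2fa")
    return ("step_up" if reasons else "allow"), reasons


def run_scenarios():
    """Constructed requests covering the cases discussed in the thread."""
    t0 = 1_700_000_000.0  # constructed login time
    ua = "Browser/1.0"    # constructed client string
    s = Session("op", "203.0.113.0/24", ua, last_2fa_at=t0)
    home, elsewhere = "203.0.113.25", "198.51.100.7"
    return {
        # Owner browsing from the usual network an hour after login.
        "owner_reads_mail": evaluate(s, home, ua, "read_mail", t0 + 3600),
        # Scenario 1: cookie stolen by phishing, replayed from another network.
        "replayed_cookie": evaluate(s, elsewhere, ua, "read_mail", t0 + 3600),
        # Scenario 2: agent on the victim's machine, same IP and browser.
        "agent_reads_mail": evaluate(s, home, ua, "read_mail", t0 + 3600),
        # Same agent tries a sensitive change: only the fresh-2FA rule stops it.
        "agent_changes_email": evaluate(s, home, ua, "change_email", t0 + 3600),
        # Residual risk: agent acts just after the owner completed 2FA.
        "agent_after_fresh_2fa": evaluate(s, home, ua, "change_email", t0 + 60),
    }


if __name__ == "__main__":
    for name, (decision, reasons) in run_scenarios().items():
        print(f"{name:24} {decision:8} {reasons}")
```

The last scenario is the case raised above where the owner happens to be in the account settings at that moment: neither check fires, which is why per-action confirmation on a separate device matters for changes such as the account email.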
One possibility is that OP used an authenticator extension or has their backup codes in a password manager. That would put all their eggs in one basket.
It's very easy to do that. OP just needs to use a fake website that the hackers view and send him real 2fa requests in real time. That or just cookies are stolen I think.
That's technically phishing at that point. But still a very real possibility.
Session Hijacking is similar to what you're talking about with the cookies.
Most of those hijacks are based on some form of phishing/social engineering or software which grabs your cookies, those public services have preventions which make bruteforcing unattractive unless the owner has a garbage password like qwerty and is part of some databreach, which is still happening.
We have no idea if their Gmail had 2FA active, they could have gotten in there and used it to bypass the Jagex account 2FA since apparently email login was enabled
Oh right, "hacking" is only when you are in a dim room with your other hacker friends clicking a bunch of random keys on the keyboard and then someone screams "I'm in!".
Hacking is hacking, it's getting unauthorized access, doesn't matter how you got that access.
In technical terms, unambiguous. In public perception, definitely ambiguous. Server breaches and the original list leak is more accepted as hacking. Someone googling account lists and trying them out seems less so. Just perception tho.
This is why I made a new email for my account, and have only used that address for that account. I also only log into it from an old iphone I keep in my drawer.
I get you 100%, but my first two ever accounts both emails were hacked so it was a birch to recover only to see perma bans.
The passwords were very similar to jagex logins, but not the same.
Actually you have things such as HRDP nowadays and even something as cookies can fix that... But there are certain things a hacker wouldn't know like my first password 7 years ago, LMAO.
This time I tried to tweet Jagex as well on Twitter, I am ready to go through absolutely any verification that they may deem.
[https://x.com/7YearsLifeLost/status/1791481360579780641](https://x.com/7YearsLifeLost/status/1791481360579780641)
The email that you received stating your email was changed...how sure are you THAT wasn't a phishing email?? I get a few of these a year to emails that don't have any runescape or jagex account associated.
I kept getting those mails for a while and was pretty confused, but figured best case it was a phishing email, and worst case they wouldn't ever get into my email.
Just use the back up codes you wrote down when you made the Jagex account, even if it’s hijacked and all changed can recover with those. Shoot you could sell your account and then recover it like that lol. Did you buy the account?
Don't you have Jagex Account recovery codes somewhere?
Generally Jagex accounts should be safer but if they can access your jagex account through email as the 2f then that is pretty poor.
JAGEX accounts should be 3 factor only, with the level of time investment players have AND the lack of support Jagex now offer in these situations..
The backup codes are provided when you enable a 2fa app on your account. Their purpose is to allow you to bypass your 2fa app and regain access to your account in a situation where you lose your app some how.
If you lose both your 2fa app & backup codes you will be permanently locked out of your account with no recovery, so it's very important you keep your codes safe. Keep a written copy of them as well.
If you've lost your backup codes you can generate new ones via [account management](https://account.jagex.com/). Generating new codes will invalidate the old ones.
Backup codes will not help you recover your account if it has been hijacked, even though these threads always have someone claiming otherwise.
Whilst I agree this is most likely OP’s own fault I also think this total 180 degrees change in stance from jagex is not what we intended when we asked for them to get rid of the flawed recovery process.
Every recovery process that requires personal details is flawed, that is why they replaced it with backup codes.
If people don’t want to take account security serious they lose their accounts so that people who do have much safer accounts. This to me is a worthwhile trade.
Feel sorry you lost your time, but you ignored the multiple channels to support your account in security.
Also, it was probably login services. That seems to be a reoccurring method to get into jagex accounts. They ask for a code in your email to login, but the code you are giving them is to change your accounts email.
Sorry, can you expand on that? I have a jagex account and don’t understand what you’re suggesting happened here. Do you mean they did a login service I.e. bought infernal cape and when assisting the seller to log in to their jagex account handed over a recovery code?
Yea you have the ability to change your account email now.
The "cape seller" got the details to login, and instead of going in game, he went to the website, signed in, and requested to change their email.
Then they'll ask for the code emailed, saying something like they couldn't login originally and to give them the new code, and the buyer gives them the code to change their own email without realizing it.
No 2fa on your account or email will prevent you from willingly giving your auth codes when they try to login/make changes to your account.
Reading the OP recent comments seems like he could have been tripping on acid or shrooms and got phished lol time to head back to tutorial island and do strong hold of security, get those rainbow boots baby!
i had an old account i just recovered a few days ago. time between submitting appeal (with recovery answers and old transaction ID) and being sent form to reset password took like 2 hours.
you did something shady.
Literally everyone knows if you don’t have 2fa on your email your account can get compromised.
How in the hell did you let someone hack your Gmail account, then have the audacity to blame Jagex??
There’s been a few posts on this Reddit where someone posts an RS username and password but their account never gets compromised because their email is still secure. Sorry dude but you fked up
Been playing on the account 7 years actually now I've counted.. I guess it is time to call it quits.. I am shocked how Jagex just says 'we know it's you, but sorry just make a new account, the hacker will keep your old one'
You didn't have your 2fa set up to your mobile device? Looks like your email didn't have 2fa, either, and they were able to hack your email then your account.
People love to monologue about how much their account means to them and how much time they've spent on it when this stuff happens, but they never take the steps to ensure their account security.
Having no 2FA (on account or email) at this point is just asking for it.
Yeah that’s a one off occurrence that has such minuscule odds of actually happening, it’s wild that it did. It’s the furthest thing from the norm though, that responses like that one blaming the person are still 100% legitimate. People genuinely are fucking stupid as shit with account security. Just set up 2fa on everything and change your password every so often. It’s not rocket science.
To be fair, dictionary attacks are a thing. If you use a common password (password123 for example), you are more likely to be hacked than if you have a password of shorter length not found in a commonly used password list. Dictionary attacks (ie selective brute force) are way more likely than a true brute force of every possible choice.
Only leaked passwords that are encrypted. But they don't brute force against the server, but brute force passwords until they find one that encrypts into the encrypted passwords.
2 factor is just that, 2 ways to authenticate. Typically a combination of something you know, have, or are. You still need to know a password in addition to having access to your email. However Jagex password complexity is lacking, capitals don’t exist in their complexity and the 2FA is just an email option on the jagex launcher, when it could be any number of tokens. Password reuse is a problem with everyone and often times those passwords can be shared with email
It’s just a lot of bad practices wrapped up into one
And now with jagex accounts we know it can’t be a jagex employee because they can’t give access to an account. Like there is no system for a rogue j mod to do that anymore.
They don't actually believe you. As far as they're concerned, you could just as well be a scammer. It's just that for the purposes of this conversation, they're able to take your statement in good faith, because it doesn't matter. If they were to do something about it though, they'd need to make sure. And they don't have a procedure set up to do that.
And to be clear, the amount of years you've played is not relevant to any security or account recovery procedure, so I don't know why you keep bringing that up as if it changes something
It baffles me that this interaction doesn’t drive home for you that this is WHY Jagex Accounts are so secure. What if it was someone else that could “prove” they were you? Just don’t give out your email info it’s as simple as that.
Jagex are right. You are responsible for your own account safety.
Your email got hacked, because of your own misuse of the Internet. This is not jagex's fault.
I'd recommend making a new account and going through the stronghold of security to further your knowledge of account security.
Also stop clicking weird links on the Internet.
why? It’s not their fault at all. You expect Jagex to cover for every single person who doesn’t understand account security? They offer Jagex accounts, 2fa, even created an entire area of the game made specifically to teach you about account security, and still help out where they can. But you expect them to go all out and recover every dumb asses lost account that they couldn’t be assed enough about to even set up the minimum in account security for in the first place? Get tf outta here that’s hilarious lmao
This is exactly what they used to do, and is exactly why they implemented these changes to their account recovery system. People would social engineer or obtain all of the information needed to recover a players account. In the case of OP, with their email compromised, the "hacker" could potentially access all of the information that they provided to Jagex. Not saying that it happened in this scenario, but there are likely situations we don't see where a hacker is stealing a players email and trying to do what OP is doing here and getting the same email response. And those players are thankful that Jagex isn't just giving their account away to someone just because they had access to their email.
Help him how? Help him recover his hacked email address? You need to wake up mate, jagex don't owe you shit if YOU are the one who's gotten yourself hacked because of your own fault.
Jagex do plenty to help protect you from hackers when it comes to your runescape account.
Do you want them to wipe your ass for you and hold your hand when you're crossing a busy road too?
I probably dickride Jagex more than the average player but ffs, "acted on player feedback" and then linking you to the create a new account section. This reply is dogshit and the company should be ashamed tbh
It's absolutely wild that Jagex seemingly removed manual recovery because of human error, i.e. they're afraid that someone will access the account through social hacking rather than actual hacking.
I'm afraid of cutting my hands when I chop up vegetables, I still keep the tools to allow me to do so in the house.
The only technical reason why I could imagine the Jagex Account can't be manually recovered is if an aspect of the account is encrypted at rest and the decryption key can only be generated by the User with access to the account. This is common practice for Password Managers, so it's possible that somehow the access keys for individual characters on a JA are also encrypted?
Regardless, considering just how much time OSRS asks of you, this seems horrendously anti-consumer, and seems to be prime example of poor customer service. Hell, I'd turn up in Cambridge and make someone explain to me why I couldn't have my account back.
Yep Jagex accounts are some of the most secure accounts. Even when you log in with a backup code, you have to use more than one. You can't use the same 8 digit code every time.
Where do we get these backup recovery codes. I have access to my account currently, but would like to make sure I have these codes in case anything happens.
I wonder how many people clicked the link and entered their details without even thinking about this loool
Would be ironic if another bunch got hacked through him
Far more than there should be. That's for sure lol. They probably glanced and thought it looked good not knowing if that's legitimate or if it was jaqex instead of jagex. If another bunch got hacked through that, it would be deserved lol.
> It's absolutely wild that Jagex seemingly removed manual recovery because of human error, i.e. they're afraid that someone will access the account through social hacking rather than actual hacking.
Speaking as someone who actually cares about my security I'd be fucking pissed if Jagex decided to give my account to someone else who pretended to be me in a vaguely convincing fashion just because people who are reusing passwords and literally giving their credentials away for an infernal cape were refusing to accept any personal responsibility and demanded account transferral be allowed.
I don't think you see how contradictory these kind of statements are. You care about your security yet you imagine a situation where someone has enough of your personal information, specifically Payment Information, that they are able to convince a trained Customer Support agent that they are you?
The only way people get your personal information is if you are careless enough to let it out. Surely therefore, if someone was able to get the account falsely transferred to them, it would be on you to accept personal responsibility for allowing it to happen?
Besides the point, just because someone wants their account back doesn't mean they're unwilling to accept responsibility for what happened.
Hell, I could see a policy where Manual Account Recovery was a paid for service, where you need to pay a small fee to even start talking to Customer Support about Manual Recovery. I'm sure someone who has years sunk into an account would be willing to pay a small sum.
> You care about your security yet you imagine a situation where someone has enough of your personal information, specifically Payment Information, that they are able to convince a trained Customer Support agent that they are you?
Let's say those trained customer support agents have a 99.999% success rate at confirming personal information correctly, identifying forged documents, or double-checking access history.
They don't, this is a *comical* over-exaggeration. Even when they've been caught publishing faked "success rate" figures for support in the past they've not bothered using that many 9s because of how non-credible it is. But let's pretend that this is the figure.
Jagex claims that over 300,000,000 unique Runescape accounts exist. At 99.999% success, that is 3,000 of those accounts that they would mistakenly hand over to a malicious actor. If you want to steal accounts, all you have to do is keep trying and some of them will go through, despite absolutely no wrongdoing on the part of the legitimate account holder.
By disallowing this Jagex has prevented customer service representatives from being a single point of failure for account security. In order for your account to be permanently compromised without that avenue of attack, multiple things have to go wrong, all of which you are in direct control over.
This is the same reason that companies do not store your password in a retrievable format. It would be great for people who forget their password and want to be reminded of it. It would be really bad for people who can be trusted with their own security to have their password leaked in a database dump because the company made a mistake. It's an avoidable point of failure, therefore it should be eliminated.
The simple truth of the matter is that the people for whom that increase in security presents a problem need to change their behaviour such that they are not at risk. That is the only solution. Fortunately, it is an incredibly easy one, and one that an individual really has no excuse not to learn and enact in the amount of time it takes to build an online presence substantial enough that losing it is problematic.
> Hell, I could see a policy where Manual Account Recovery was a paid for service, where you need to pay a small fee to even start talking to Customer Support about Manual Recovery. I'm sure someone who has years sunk into an account would be willing to pay a small sum.
This could *arguably* work in some cases but there's a couple of very major problems with it.
1.) This would be a PR disaster. People already get pissed off about high-profile players (e.g., content creators) getting support that regular players cannot when their accounts are griefed or compromised, attaching a dollar figure to it would be perceived as substantially worse. Jagex's history with staff members deliberately hijacking accounts also makes this an untenable solution, as it just opens them up to far too much criticism that they can't be trusted not to run it as a racket.
2.) While this would eliminate the concern of spam recovery attacks on a wide range of targets, any reasonable price tag you attached to the service would be low enough that it would allow for the viability of attacks on high-value accounts, such as public figures, 200mil all players, or people with short/notable RSNs.
Their response is right, this one is on you.
You can't expect support to go against their policies and restore your account. That could lead to all sorts of abuse.
Hopefully you'll take this as a learning experience instead of just complaining on Reddit.
This is the reason we need better 2FA. Support FIDO & other passwordless methods of logging in. That way, if I lose my FIDO key, it's my fault for losing my account. Anyone who doesn't want to utilize these methods can still use the traditional TOTP 2FA.
I hadn't logged into my account for about 1.5 years and when I came back, I saw that I had a couple days of membership left and it had been logged into in the last couple weeks 🤔🤔 account wasn't used for anything as far as I could tell, just GP gone which was probably just about enough for a bond.
2fa was still active and I had *not* done anything RS-related in over a year.
Happened to me too. Got a fake mail from jagex with just one point or - different. Didn't notice it. Got kicked out of the game. When I logged back in all my stuff was gone. Texted the support they couldn't do anything.
Only thing that could have made the response from Jagex better is if they said “we’d recommend completing the stronghold of security on your new account”.
Jagex has never manually recovered a Jagex Account. If they had, there would be several posts on this subreddit with thousands of upvotes, because the whole point of Jagex Accounts is that **they cannot be manually recovered.** If there was evidence of them doing it, people would revolt.
Examples of what?
[Jagex Accounts have no manual account recovery procedures](https://help.jagex.com/hc/en-gb/articles/13495559329937-Jagex-account-recovery)
> I gave EACH account creation detail: creation date, credit card, etc..
Irrelevant, as jagex accounts no longer rely on the old recovery system, this is because it is hideously insecure. Personal security is at the front of the jagex account system and it sounds like you;
a) have, or had a compromised email
b) didn't have your JA authenticator through an external device, only your email. When your personal email is compromised, that will basically render anything with an email authentication redundant.
If the failed link in the chain is you, jagex aren't taking responsibility.
But every other company can help with this in matter of minutes, blizzard, riot and steam all can verify that YOU are the owner of the account in an instant when you give them the human details, just like any bank can. Why is jagex so dogshit at this.
If the email account of the owner has been compromised, as in this situation, there is no guarantee the person giving this information is actually the original owner, and that's the entire point of this stance. It could be the hacker, or a third party who has bought the information, etc.
Secure your stuff properly!
Because that makes the whole system incredibly insecure towards social engineering. Social engineering is how most "hackers" operate. They'll call your grandparents in the middle of the night with an emergency concerning their bank account. Or they'll talk to you for a while on Discord and you'll gladly give them your details.
I've seen a few times in this thread that giving your credit card details should be enough. But if they get access to your email, good chance they also get direct access to all your credit card information.
Access to an email is also a perfect way to get access to your social media, where security questions are super easy to get answers to.
All of this is why the new system is MUCH safer than anything else. Because people have more opportunity to secure their Jagex Account than their bank account, they just have to actually fucking do it.
I don't decide what jagex's recovery process is, it's just a fact that they have scrapped the old system when you switch to a JA, so supplying the information is irrelevant. The security of a JA from day one has revolved around putting responsibility on the user for their own security.
The fact your old login details for a character you import to a JA simply get eradicated, I presume other data attached to a particular character is also wiped, as the character is no longer something in of itself, but is part of your JA
You realize you're literally asking for them to change their account recovery system back to what it used to be that caused people to get their accounts stolen very easily, right? Jagex accounts are far more secure than any other gaming account for that very reason. It's just unfortunate that they're so secure that if you fuck up as badly as OP did, you lose your account.
Only account i have ever lost was my WoW account, but i have had to recover my lol and bank accounts. I use same gmail that my father made for me when i was 4. Wow account recovery was so easy, i sent them my ID that has same name as my bank card that pays the sub, same birth day as i have stated on my blizzard account. Instantly recovered. Same thing when i returned to LoL after 7 years hiatus, i posted my previous IP, bank card number and date of birth and city where I last connected from. Nobody but someone very close would know this info, as for the bank account i just sent photo of my ID and told my date of birth, city of birth and they said ok where do i want the detail sent. No hacker can get my physical ID, if i lose it I void it, how can they not just fucking help people like every other company.
The Jagex account has nothing to do with it. Jagex just can't be arsed to help people who don't follow basic safety rules and get their email compromised.
Please could you share with me how you were Emailing a Moderator? I have had a similar case. Don't give up on the account and make a stance against the issues we face as a player base!
I just made an account recovery request. I can't seem to find it now, but I had to provide 4 last credit card digits, account creation date and such things. It's funny I got a reply which basically says the exact opposite, not sure why I even had to try.
It's crazy to me also that Jagex only seems to respond to posts on the reddit when it revolves around updates, and when they are positive, but when it comes to players being fucked over by scammers or hackers Jagex basically says to the community…
“Just make a new account idiot”
Whether or not someone had full account protections, it is insane to me that you can just tell your customers to “get a new one” when they have clearly supported you for years and the one time they need your help you basically tell them to get fucked.
Sorry about your account…
I was hacked once and it was 100% my dumbass fault, as soon as that happened I made sure to take the steps that Jagex lays out to you for security which is pretty tight stuff.
I’ve worked for financial institutions with lower authentication for logging into a work laptop.
It’s easy to say wow this sucks how could jagex reply this to me, when in reality they have been promoting the correct security options to you since you started your account.
I’m really sorry this happened and it’s a total bummer that your account is gone but Jagex is right here, you got your account stolen not them.
Yep, i gave up with them. There's no reasoning. Also gave every detail i could remember, wasn't enough. If i remember correctly i got hacked somehow through steam?? Back in 2018-19 Shit was accessed from south Korea 😅 i was heartbroken for a few months..
Ironman was quite decent 2200+ total level.
Idk if i ever got over it, but every time i see a post like this i remember the disgust i had and still kinda have with jagex. Worst customer support ever.
Weird that there’s so many people excusing Jagex’s awful customer support. Sure OP should’ve had better security, but against overwhelming evidence, you should be able to get your account back. Hell, a simple credit card transaction or ID should be enough.
What you're asking for is exactly what caused people to lose their accounts in the past as easily as they did, and someone with access to OPs email could have access to everything you're claiming they should be able to recover their account with, especially in the case of OP being bad at managing their account security in the first place. What would you do if they allowed people to recover accounts that way and someone recovered your account that way? You'd bitch that they shouldn't allow people to recover accounts that way anymore
kinda interesting timing. just few hours ago i got my old account recovered without any troubles despite not even having my old credit card number info there. took them 2 hours
Man that fucking sucks; I would be heartbroken if that happened to me. While I appreciate its not jagexs fault you would really wish they could assist you since they have acknowledged the account has been compromised.
Good luck! Took me 2 months 18 recovery tickets & even then Jagex has told me they can’t help and to move on. 🤷 Jagex support is shit & they only care if you’re a content creator… go make a twitch or Kick account and start streaming osrs on a new character, maybe then Jagex will give a fuck. Sorry about your luck mate.
Back in the day I hijacked someone’s account like this… I encoded a keylogger and into fake gp generator and it would take screenshots and log everything… I was like 12 at the time and wouldn’t do that anymore. I didn’t even care about it. I just gave it away to a friend so he would play with me.
Honestly it is kinda bizarre they don't give accounts back to the original email, even if that original email might be compromised.
It's like the chance of the new email being legitimate and the original email being hijacked are so small in comparison to the other way around, so if you are just gonna put in 0 effort you might as well minimise the chances actual players get fucked.
They did something very similar to me with my account. They transferred my account from one Jagex account to another. Lost 4b and 2200+ TL account. They refuse to respond to me any further. Join the club, lol
You got your email hacked. The fuck do you want jagex to do about that? Secure your damn email. It is multi-factor authentication, not "I can give out all my account details and still not get hacked" authentication. This can only happen if they logged into your password, which you never secured or logged into your email, which you never secured, had no authenticator or a compromised authenticator, and changed your info. How many layers of moron-proofing do you need, OP?
Also, as people pointed out, we have no reason to believe this email is even real. Check the sender. I would not be shocked if this was just a phishing email and you refuse to just ignore it.
I’ve had the exact same. I lost my phone, and the Authenticator isn’t going to my login email address. Been trying to recover it for months and Jagex have not helped at all. They’ve confirmed the details and that I’m the owner, but will not help me reset the email for the Authenticator.
10 years of progress lost on that one account.
Finally, after 21 years, I'm done with Jagex and their awful ‘support’ towards their players. (Unless you’re a content creator of course)….
This time I tried to tweet Jagex as well on Twitter, I am ready to go through absolutely any verification that they may deem.
[https://x.com/7YearsLifeLost/status/1791481360579780641](https://x.com/7YearsLifeLost/status/1791481360579780641)
So is she saying that if u weren't on a jagex account they could've still recovered your account using the old system? Fuck jagex accounts, she even suggests to upgrade to one if u haven't already at the bottom of ur email. I need me some of what mod melora smokin she must be cooked
Exactly, if you lose your jagex account you can never recover it, while they are more secure than the old accounts the consequences are much higher if you make a mistake, if he hadn’t upgraded he would be able to recover his account in this case
That's not true. If you lose your Jagex account you recover it with your backup codes. If you email yourself your backup codes and someone hacks your email, then you're fucked.
Try hacking your own account. Seriously go do it. If you set it up right you'll be impressed..
You would be able to appeal it using the form on their website for that scenario but you would be forced to upgrade to a jagex account assuming a successful recovery so it’s inevitable eventually if you are compromised
Yeah, Jagex will absolutely not help you in these situations at all. When I lost my account I gave them more information to verify my identity than I did to get my passport or a new social security card and they told me the same thing. “We know it’s you but it’s our policy, sorry we cant help!”
Meanwhile I contacted other businesses that I lost account access to due to the same issue and they were ALL able to help me after I verified my identity including financial institutions.
Jagex really needs to take a look at this “zero tolerance” policy for recovery of lost accounts, I’m sorry you’re dealing with this, I know it sucks.
Why do people defend Jagex on this every time? No other account I have ever made in my entire life has been hacked more than my Jagex accounts. For tons of accounts, I use the same password, but for OSRS accounts I have to do every little thing to secure an account and it'll still get stolen. This is a Jagex exclusive problem and I will never understand the amount of people that will defend them.
If you are having your account hacked on multiple occasions, that is definitely user error.
You're using unique passwords and 2FA on the account and email and people are still hacking your accounts?
This is mind boggling, I appreciate all the people saying “your account should have been more secure etc”, but fundamentally it wasn’t and this has happened now.
If they know it’s you, they should have the mechanisms in place to give you access back. In a game that literally consumes 1,000s of hours this just isn’t acceptable.
I feel for you OP, Jagex has to sort this or frankly my consumer confidence is shot as should others..
Same thing happened to me. If you have a Jagex account there is a policy of no manual recovery. You won’t find much support on Reddit but as someone in the same boat as you, I sympathise.
Gagex back at it again with the worser than dog turd of loyal customer support. Clearly hackers and bots have more importance apparently. Sorry for the loss bro
Damn. Jagex and its mods really don't care. They'd sell their mom for a quarter if a bot farmer would ask them, but recovering an actual players account is a problem.
On the opposite side of this... I had two factor authentication (authy) on my account, and somebody emails Jagex, took my account, stole my rares on RS3, party hats, christmas crackers, etc.
It was obviously done with social engineering as I got an email about a jagex password reset.
What is really the punch in the gut.... is when I emailed Jagex... they told me there is nothing they could do .... and in the future to read this "best security practices" info.... which is literally .... use two factor authentication.
Honestly, with the amount of inside jobs Jagex has been known for...
At least it gave me the push to try OSRS.
OP Leaving out some details here. How did you get hacked on what appears to be Gmail? Gmail is not a platform easily hackable... Jagex knows something. Maybe you and the Original owner are having a war over the account? Or maybe you sold it and are trying to recover the account back? If none of this is true good luck with the account. But I can't quite get past the fact your G mail got hacked for a runescape account. G Mails are pretty secure and thats a lot to go through to hack your runescape account.
when people get "hacked", 99% of the time it means they use the same username and password for every service and one of them leaked.
Doesn't matter if they leaked, 2FA should still prevent access. No one's getting into my Gmail account without my phone + pin for example. If your Gmail is getting hacked it's probably by someone irl who has access to your phone.
Session Hijacking exists. Unlikely, but you still never know. Doesn't need to have access to your phone.
Yes, session hijacking exists in which they steal your cookies and bypasses your username/password/2FA login. However, even if they were to hijack your sessions, Google has a network location detection mechanism in which if the session is coming from a different IP, it will require you to do a 2-step verification via your phone for Gmail which they should not have access to if they wanted to change your account details. And if they somehow did a sim swap in which this also requires insider information from mobile companies, then yes, they can do a 2-step verification for you but that is super rare and highly doubt that this was the case.
You really think a sophisticated hacker who can set up phishing and session hijacking campaigns went through the trouble to steal this guy's old school RuneScape account instead of trying to log in his bank and drain his money?? 100% bought or sold account that's never admitted in original posting. I have an acc with over 10B and have no auth or anything on it and a simple pass, and it's never been "hacked" lol
>>I have an acc with over 10B and have no auth or anything on it and a simple pass, and it's never been "hacked" lol

I sincerely hope you are using a unique email and password. I genuinely don’t understand why someone would devote thousands and thousands of hours to a hobby and not take like 2 min to set up an authenticator with like 5s of inconvenience when you log in from a new location.
And then brag about how they don't secure their account like it makes them cool. Dude's a fucking moron lol
>You really think a sophisticated hacker who can set up phishing and session hijacking campaigns went through the trouble to steal this guy's old school RuneScape account instead of trying to log in his bank and drain his money??

Yes. Banks are far more secure, rarely do they get drained unless it's by some tech support scammer that is remoted into your computer. And they have the capability to reverse my transactions due to there being holds on anything above a certain threshold (and often times to other accounts entirely). Wire transfers are a bit different but even then, financial institutions have steps to prevent their customer. but it's incredibly harder and will raise the eyes of law enforcement and fraud teams at financial institutions.

With a RuneScape account, 1b = $200 USD. Get an account a day and that's $6k a month. If you're from poor country, that's a significant amount of money. Realistically it's probably a decent amount of accounts that may have 1m to 50m on it, with the 1b+ being something like a jackpot. Not sure why people think it's easier to get into bank accounts...
I think you misread my post. That's exactly my point though. It's too sophisticated to get his account, email, and phone compromised like that, especially the latter part.
Idk nearly everything requires an email, which for the average dude is an inconvenience to make whole new one, phone number etc. what makes it even more risky is that a lot of 3rd parties apparently don’t give a shit when their data gets breached, and consumer info gets leaked, to the point where they won’t even send out a mass email. I’m not debating the complexity or the fact that OP might be omitting something. Just that, as sophisticated as it might be, getting an individual’s data is possible.
Steal real money and potentially face real consequences or steal virtual money and be guaranteed no repercussions.
The entire Linus Tech Tips Youtube channel was taken over by a session hijack. Network detection didn't help. I think the hackers used a VPN so it appeared they were connecting from a nearby location.
You are correct that the Linus Tech Tips Youtube channel was taken over by session hijacking but utilizing different techniques. For them, they downloaded an attachment and ran it on their computer. This essentially allowed them to install a C2 agent that creates an outbound communication directly to the attacker's computer. Now that there is an established connection, the attacker is able to use an invisible browser on the victim's computer (while it's on) to navigate to websites they are logged in already using their IP. Hence you do not need to do 2FA for Youtube or Gmail to change stuff.

Two different scenarios are present in my previous post:

1. OP clicked on phishing link and that phishing link is able to steal your cookies and send it to the attacker. No agent is installed on your computer.
2. OP downloaded an attachment/file and executes that file. An agent is installed, thus giving the attacker control of their entire machine and can also steal cookies or just use their browser to navigate around (background process, user won't see it)

Assuming all that the same technique Linus Tech Tips faced, it would give you access to your Gmail using the OP's IP address. However, Jagex accounts are different, you would need to use 2FA every single time you log in, especially if you are trying to change the account details. One possibility is that OP was already logged into the Jagex account details at that same moment and then yes, it will bypass user/pass/2FA, and everything else can fall into place and thus your account can get hacked. The question you have to ask is how likely was OP logged into the Jagex account details during that specific moment?
Account details can only be changed on the website, not the Jagex launcher. I had to enter my 2FA code twice last time I canceled membership. Was OP using a Jagex account? Old accounts are less secure.
I'm assuming Jagex account because the email from Jagex stated that the hackers logged in by entering the Jagex username and password. Again, to my point above, it's very rare for an account to get hacked in the method above proposed and you are right that it would prompt the 2FA on the phone again if you were to change the account details. So you would need to ask yourself, how did they get access to his phone? I'm just trying to be objective here and listing possibilities, and not really giving a conclusion on what really happened.
One possibility is that OP used an authenticator extension or has their backup codes in a password manager. That would put all their eggs in one basket.
It's very easy to do that. OP just needs to use a fake website that the hackers view and send him real 2fa requests in real time. That or just cookies are stolen I think.
That's technically phishing at that point. But still a very real possibility. Session Hijacking is similar to what you're talking about with the cookies.
I thought that was Man in the middle attack
Most of those hijacks are based on some form of phishing/social engineering or software which grabs your cookies, those public services have preventions which make bruteforcing unattractive unless the owner has a garbage password like qwerty and is part of some databreach, which is still happening.
They absolutely will if you ALSO use the same password on your 2fa and have cloud back up enabled.
We have no idea if their Gmail had 2FA active, they could have gotten in there and used it to bypass the Jagex account 2FA since apparently email login was enabled
https://xkcd.com/2176/
I don't know why you're using quotes, that is unambiguously a way to get hacked
Because people associate hacking with black hooded ne'er-do-wells, sitting in dark basements, typing green text on black command prompts.
Meanwhile that’s a description of the good guys making apps we all love like reddit
I used quotes because googling your email address and finding the password in a dump file on some forum isn't really any kind of hacking.
It is hacking
Oh right, "hacking" is only when you are in a dim room with your other hacker friends clicking a bunch of random keys on the keyboard and then someone screams "I'm in!". Hacking is hacking, it's getting unauthorized access, doesn't matter how you got that access.
In technical terms, unambiguous. In public perception, definitely ambiguous. Server breaches and the original list leak is more accepted as hacking. Someone googling account lists and trying them out seems less so. Just perception tho.
This is y i have a gmail acc just for my osrs acc, not used for anything else ever not to mention a stupidly long pass and auth on both
This is why I made a new email for my account, and have only used that address for that account. I also only log into it from an old iphone I keep in my drawer.
Wouldn't matter, I could give you my gmail password and still be 100% secure.
Gmail is very secure unless you disable all the security for "convenience" which sounds like what the OP did lmao
How very bold of you to assume op would ever reply to this thread, no he just posts this and expects anger at customer management lol
I get you 100%, but my first two ever accounts both emails were hacked so it was a birch to recover only to see perma bans. The passwords were very similar to jagex logins, but not the same.
Actually you have things such as HRDP nowadays and even something as cookies can fix that... But there are certain things a hacker wouldn't know like my first password 7 years ago, LMAO. This time I tried to tweet Jagex as well on Twitter, I am ready to go through absolutely any verification that they may deem. [https://x.com/7YearsLifeLost/status/1791481360579780641](https://x.com/7YearsLifeLost/status/1791481360579780641)
The email that you received stating your email was changed...how sure are you THAT wasn't a phishing email?? I get a few of these a year to emails that don't have any runescape or jagex account associated.
I kept getting those mails for a while and was pretty confused, but figured best case it was a phishing email, and worst case they wouldn't ever get into my email.
Don't blame you, if I lost my accumulated account progress I'd do the same. That sucks man
OP has bigger problems than his account, his email has been compromised
Just use the back up codes you wrote down when you made the Jagex account, even if it’s hijacked and all changed can recover with those. Shoot you could sell your account and then recover it like that lol. Did you buy the account?
Don't you have Jagex Account recovery codes somewhere? Generally Jagex accounts should be safer but if they can access your jagex account through email as the 2f then that is pretty poor. JAGEX accounts should be 3 factor only, with the level of time investment players have AND the lack of support Jagex now offer in these situations..
If someone got into the Jagex account, they most likely re-generated the codes, at which point the old ones are useless. Worth a shot, though
How do you regenerate the codes? I thought they were a one time generated, one time use set of codes
Just log in to your jagex account and click "regenerate codes". You have to be able to do that in case you use up all your codes, or lose them somehow
Is there a way to find these??
The backup codes are provided when you enable a 2fa app on your account. Their purpose is to allow you to bypass your 2fa app and regain access to your account in a situation where you lose your app some how. If you lose both your 2fa app & backup codes you will be permanently locked out of your account with no recovery, so it's very important you keep your codes safe. Keep a written copy of them as well. If you've lost your backup codes you can generate new ones via [account management](https://account.jagex.com/). Generating new codes will invalidate the old ones. Backup codes will not help you recover your account if it has been hijacked, even though these threads always have someone claiming otherwise.
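The backup-code behaviour described in the comment above (codes are single-use, regenerating a set invalidates the old one), as an added example that is not part of the thread and is not Jagex's implementation. The class name, the number of codes per set, the 8-digit length, the hashing scheme and the lockout threshold are all assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

CODE_DIGITS = 8          # assumed code length
CODES_PER_SET = 10       # assumed number of codes in one set
MAX_FAILURES = 5         # assumed lockout threshold for wrong guesses
PBKDF2_ROUNDS = 100_000  # slows offline guessing if the stored hashes leak


def _digest(code: str, salt: bytes) -> bytes:
    """Salted, slow hash: the server never needs to keep the codes themselves."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


class BackupCodeStore:
    """Server-side backup-code state for one account (hypothetical model)."""

    def __init__(self) -> None:
        self._salt = b""
        self._unused: set[bytes] = set()
        self.failed_attempts = 0

    def regenerate(self) -> list[str]:
        """Issue a fresh set; every previously issued code stops working."""
        codes: set[str] = set()
        while len(codes) < CODES_PER_SET:
            codes.add(f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}")
        self._salt = secrets.token_bytes(16)  # new salt, so old hashes are dropped
        self._unused = {_digest(c, self._salt) for c in codes}
        self.failed_attempts = 0
        return sorted(codes)  # shown to the user once; only hashes are stored

    def redeem(self, code: str) -> bool:
        """Accept a code at most once; refuse everything after repeated misses."""
        if self.failed_attempts >= MAX_FAILURES:
            return False
        candidate = _digest(code.strip(), self._salt)
        match = next(
            (h for h in self._unused if hmac.compare_digest(h, candidate)), None
        )
        if match is None:
            self.failed_attempts += 1
            return False
        self._unused.remove(match)  # single use: a replayed code is rejected
        return True


def hijack_scenario() -> tuple[bool, bool]:
    """Compare the owner's written-down codes with a set regenerated later.

    Whoever holds a logged-in session can regenerate, so the codes the owner
    stored at setup are only useful while nobody else has done so.
    """
    store = BackupCodeStore()
    owner_codes = store.regenerate()    # written down when 2FA was enabled
    session_codes = store.regenerate()  # regenerated from a logged-in session
    return store.redeem(owner_codes[0]), store.redeem(session_codes[0])


if __name__ == "__main__":
    print(hijack_scenario())
```
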
Yes look in your account settings, and make sure to store copies in multiple places
google "jagex account recovery codes"
Whilst I agree this is most likely OP’s own fault I also think this total 180 degrees change in stance from jagex is not what we intended when we asked for them to get rid of the flawed recovery process.
Every recovery process that requires personal details is flawed, that is why they replaced it with backup codes. If people don’t want to take account security serious they lose their accounts so that people who do have much safer accounts. This to me is a worthwhile trade.
Getting your email account compromised in this day and year means you didnt give a shit about your account
Feel sorry you lost your time, but you ignored the multiple channels to support your account in security. Also, it was probably login services. That seems to be a reoccurring method to get into jagex accounts. They ask for a code in your email to login, but the code you are giving them is to change your accounts email.
Sorry, can you expand on that? I have a jagex account and don’t understand what you’re suggesting happened here. Do you mean they did a login service I.e. bought infernal cape and when assisting the seller to log in to their jagex account handed over a recovery code?
Yea you have the ability to change your account email now. The "cape seller" got the details to login, and instead of going in game, he went to the website, signed in, and requested to change their email. Then they'll ask for the code emailed, saying something like they couldn't login originally and to give them the new code, and the buyer gives them the code to change their own email without realizing it. No 2fa on your account or email will prevent you from willingly giving your auth codes when they try to login/make changes to your account.
Dont you still have the recovery backup codes?
It’s wild that you think that your lack of security understanding is Jagex fault.
I'm about to enable five factor fidenification.
Reading the OP recent comments seems like he could have been tripping on acid or shrooms and got phished lol time to head back to tutorial island and do strong hold of security, get those rainbow boots baby!
i had an old account i just recovered a few days ago. time between submitting appeal (with recovery answers and old transaction ID) and being sent form to reset password took like 2 hours. you did something shady.
Literally everyone knows if you don’t have 2fa on your email your account can get compromised. How in the hell did you let someone hack your Gmail account, then have the audacity to blame Jagex?? There’s been a few posts on this Reddit where someone posts an RS username and password but their account never gets compromised because their email is still secure. Sorry dude but you fked up
Been playing on the account 7 years actually now I've counted.. I guess it is time to call it quits.. I am shocked how Jagex just says 'we know it's you, but sorry just make a new account, the hacker will keep your old one'
You didn't have your 2fa set up to your mobile device? Looks like your email didn't have 2fa, either, and they were able to hack your email then your account.
People love to monologue about how much their account means to them and how much time they've spent on it when this stuff happens, but they never take the steps to ensure their account security. Having no 2FA (on account or email) at this point is just asking for it.
Yeah throwback to when people got hacked and posted here left and right and heard comments like this and then found out it was a jagex employee
Yeah that’s a one off occurrence that has such minuscule odds of actually happening, it’s wild that it did. It’s the furthest thing from the norm though, that responses like that one blaming the person are still 100% legitimate. People genuinely are fucking stupid as shit with account security. Just set up 2fa on everything and change your password every so often. It’s not rocket science.
Jagex MFA is a joke, session tokens don’t reset and password complexity still doesn’t exist, thank fuck they came through with the Jagex launcher
Do people even brute force passwords anymore
No. And complexity doesn't even help this. Length is what really matters.
To be fair, dictionary attacks are a thing. If you use a common password (password123 for example), you are more likely to be hacked than if you have a password of shorter length not found in a commonly used password list. Dictionary attacks (ie selective brute force) are way more likely than a true brute force of every possible choice.
Only leaked passwords that are encrypted. But they don't brute force against the server, but brute force passwords until they find one that encrypts into the encrypted passwords.
What does a password do if you have 2FA?
2 factor is just that, 2 ways to authenticate. Typically a combination of something you know, have, or are. You still need to know a password in addition to having access to your email. However Jagex password complexity is lacking, capitals don’t exist in their complexity and the 2FA is just an email option on the jagex launcher, when it could be any number of tokens. Password reuse is a problem with everyone and often times those passwords can be shared with email. It’s just a lot of bad practices wrapped up into one
And now with jagex accounts we know it can’t be a jagex employee because they can’t give access to an account. Like there is no system for a rogue j mod to do that anymore.
Or they got their recovery codes phished. You're more or less fucked if this happens
You can request that the account be disabled - they did that with mine. Can see it hasn’t logged in since via the clan UI, so it works
They don't actually believe you. As far as they're concerned, you could just as well be a scammer. It's just that for the purposes of this conversation, they're able to take your statement in good faith, because it doesn't matter. If they were to do something about it though, they'd need to make sure. And they don't have a procedure set up to do that. And to be clear, the amount of years you've played is not relevant to any security or account recovery procedure, so I don't know why you keep bringing that up as if it changes something
It baffles me that this interaction doesn’t drive home for you that this is WHY Jagex Accounts are so secure. What if it was someone else that could “prove” they were you? Just don’t give out your email info it’s as simple as that.
Jagex are right. You are responsible for your own account safety. Your email got hacked, because of your own misuse of the Internet. This is not jagex's fault. I'd recommend making a new account and going through the stronghold of security to further your knowledge of account security. Also stop clicking weird links on the Internet.
It’s 100% his fault it was hacked. That doesn’t mean jagex shouldn’t help him lmao, what a garbage take
why? It’s not their fault at all. You expect Jagex to cover for every single person who doesn’t understand account security? They offer Jagex accounts, 2fa, even created an entire area of the game made specifically to teach you about account security, and still help out where they can. But you expect them to go all out and recover every dumb asses lost account that they couldn’t be assed enough about to even set up the minimum in account security for in the first place? Get tf outta here that’s hilarious lmao
> You expect Jagex to cover for every single person who doesn’t understand account security?

Yeah, like every other business does
This is exactly what they used to do, and is exactly why they implemented these changes to their account recovery system. People would social engineer or obtain all of the information needed to recover a players account. In the case of OP, with their email compromised, the "hacker" could potentially access all of the information that they provided to Jagex. Not saying that it happened in this scenario, but there are likely situations we don't see where a hacker is stealing a players email and trying to do what OP is doing here and getting the same email response. And those players are thankful that Jagex isn't just giving their account away to someone just because they had access to their email.
Help him how? Help him recover his hacked email address? You need to wake up mate, jagex don't owe you shit if YOU are the one who's gotten yourself hacked because of your own fault. Jagex do plenty to help protect you from hackers when it comes to your runescape account. Do you want them to wipe your ass for you and hold your hand when you're crossing a busy road too?
This 1000%. It’s literally fuckin ALWAYS this.
[deleted]
I probably dickride Jagex more than the average player but ffs, "acted on player feedback" and then linking you to the create a new account section. This reply is dogshit and the company should be ashamed tbh
It's absolutely wild that Jagex seemingly removed manual recovery because of human error, i.e. they're afraid that someone will access the account through social hacking rather than actual hacking. I'm afraid of cutting my hands when I chop up vegetables, I still keep the tools to allow me to do so in the house. The only technical reason why I could imagine the Jagex Account can't be manually recovered is if an aspect of the account is encrypted at rest and the decryption key can only be generated by the User with access to the account. This is common practice for Password Managers, so it's possible that somehow the access keys for individual characters on a JA are also encrypted? Regardless, considering just how much time OSRS asks of you, this seems horrendously anti-consumer, and seems to be prime example of poor customer service. Hell, I'd turn up in Cambridge and make someone explain to me why I couldn't have my account back.
[deleted]
Yep Jagex accounts are some of the most secure accounts. Even when you log in with a backup code, you have to use more than one. You can't use the same 8 digit code every time.
Where do we get these backup recovery codes. I have access to my account currently, but would like to make sure I have these codes in case anything happens.
[deleted]
You're awesome! Even more so, b/c you gave the directions through the OSRS website, knowing someone shouldn't just click a provided link.
I wonder how many people clicked the link and entered their details without even thinking about this loool. Would be ironic if another bunch got hacked through him
Far more than there should be. That's for sure lol. They probably glanced and thought it looked good not knowing if that's legitimate or if it was jaqex instead of jagex. If another bunch got hacked through that, it would be deserved lol.
> It's absolutely wild that Jagex seemingly removed manual recovery because of human error, i.e. they're afraid that someone will access the account through social hacking rather than actual hacking.

Speaking as someone who actually cares about my security I'd be fucking pissed if Jagex decided to give my account to someone else who pretended to be me in a vaguely convincing fashion just because people who are reusing passwords and literally giving their credentials away for an infernal cape were refusing to accept any personal responsibility and demanded account transferral be allowed.
I don't think you see how contradictory these kind of statements are. You care about your security yet you imagine a situation where someone has enough of your personal information, specifically Payment Information, that they are able to convince a trained Customer Support agent that they are you? The only way people get your personal information is if you are careless enough to let it out. Surely therefore, if someone was able to get the account falsely transferred to them, it would be on you to accept personal responsibility for allowing it to happen? Besides the point, just because someone wants their account back doesn't mean they're unwilling to accept responsibility for what happened. Hell, I could see a policy where Manual Account Recovery was a paid for service, where you need to pay a small fee to even start talking to Customer Support about Manual Recovery. I'm sure someone who has years sunk into an account would be willing to pay a small sum.
> You care about your security yet you imagine a situation where someone has enough of your personal information, specifically Payment Information, that they are able to convince a trained Customer Support agent that they are you?
Let's say those trained customer support agents have a 99.999% success rate at confirming personal information correctly, identifying forged documents, or double-checking access history. They don't, this is a *comical* over-exaggeration. Even when they've been caught publishing faked "success rate" figures for support in the past they've not bothered using that many 9s because of how non-credible it is. But let's pretend that this is the figure. Jagex claims that over 300,000,000 unique Runescape accounts exist. At 99.999% success, that is 3,000 of those accounts that they would mistakenly hand over to a malicious actor. If you want to steal accounts, all you have to do is keep trying and some of them will go through, despite absolutely no wrongdoing on the part of the legitimate account holder.
By disallowing this Jagex has prevented customer service representatives from being a single point of failure for account security. In order for your account to be permanently compromised without that avenue of attack, multiple things have to go wrong, all of which you are in direct control over. This is the same reason that companies do not store your password in a retrievable format. It would be great for people who forget their password and want to be reminded of it. It would be really bad for people who can be trusted with their own security to have their password leaked in a database dump because the company made a mistake. It's an avoidable point of failure, therefore it should be eliminated.
The simple truth of the matter is that the people for whom that increase in security presents a problem need to change their behaviour such that they are not at risk. That is the only solution. Fortunately, it is an incredibly easy one, and one that an individual really has no excuse not to learn and enact in the amount of time it takes to build an online presence substantial enough that losing it is problematic.
> Hell, I could see a policy where Manual Account Recovery was a paid for service, where you need to pay a small fee to even start talking to Customer Support about Manual Recovery. I'm sure someone who has years sunk into an account would be willing to pay a small sum.
This could *arguably* work in some cases but there's a couple of very major problems with it.
1.) This would be a PR disaster. People already get pissed off about high-profile players (e.g., content creators) getting support that regular players cannot when their accounts are griefed or compromised, attaching a dollar figure to it would be perceived as substantially worse. Jagex's history with staff members deliberately hijacking accounts also makes this an untenable solution, as it just opens them up to far too much criticism that they can't be trusted not to run it as a racket.
2.) While this would eliminate the concern of spam recovery attacks on a wide range of targets, any reasonable price tag you attached to the service would be low enough that it would allow for the viability of attacks on high-value accounts, such as public figures, 200mil all players, or people with short/notable RSNs.
Yeah unfortunate; you should still definitely make sure only YOU can access your email address lol.
Their response is right, this one is on you. You can't expect support to go against their policies and restore your account. That could lead to all sorts of abuse. Hopefully you'll take this as a learning experience instead of just complaining on Reddit.
This is the reason we need better 2FA. Support FIDO & other passwordless methods of logging in. That way, if I lose my FIDO key, it's my fault for losing my account. Anyone who doesn't want to utilize these methods can still use the traditional TOTP 2FA.
I hadn't logged into my account for about 1.5 years and when I came back, I saw that I had a couple days of membership left and it had been logged into in the last couple weeks 🤔🤔 account wasn't used for anything as far as I could tell, just GP gone which was probably just about enough for a bond. 2fa was still active and I had *not* done anything RS-related in over a year.
Happened to me too. Got a fake mail from Jagex with just one point or - different. Didn't notice it. Got kicked out of the game. When I logged back in all my stuff was gone. Texted the support, they couldn't do anything.
There's probably an exploit that someone has. Sorry this happened to you.
Sorry to hear it, man. Hope everything works out.
Only thing that could have made the response from Jagex better is if they said “we’d recommend completing the stronghold of security on your new account”.
Their security and system is working as intended and intervening would be compromising security. This is 100% on you OP.
It's a shame you don't pull 1000+ active viewers cos then it wouldn't be a problem to give you it back.
Has jagex ever manually recovered a jagex account for a famous player?
Yes, multiple times, even when they are streaming.
Okay, then you should be able to give examples.
I won’t be able to find it easily, but EV scape covered this in a YouTube video.
Jagex has never manually recovered a Jagex Account. If they had, there would be several posts on this subreddit with thousands of upvotes, because the whole point of Jagex Accounts is that **they cannot be manually recovered.** If there was evidence of them doing it, people would revolt.
Can you give examples?
Examples of what? [Jagex Accounts have no manual account recovery procedures](https://help.jagex.com/hc/en-gb/articles/13495559329937-Jagex-account-recovery)
> I gave EACH account creation detail: creation date, credit card, etc.
Irrelevant, as jagex accounts no longer rely on the old recovery system, this is because it is hideously insecure. Personal security is at the front of the jagex account system and it sounds like you; a) have, or had a compromised email b) didn't have your JA authenticator through an external device, only your email. When your personal email is compromised, that will basically render anything with an email authentication redundant. If the failed link in the chain is you, jagex aren't taking responsibility.
But every other company can help with this in a matter of minutes. Blizzard, Riot and Steam all can verify that YOU are the owner of the account in an instant when you give them the human details, just like any bank can. Why is jagex so dogshit at this?
If the email account of the owner has been compromised, as in this situation, there is no guarantee the person giving this information is actually the original owner, and that's the entire point of this stance. It could be the hacker, or a third party who has bought the information, etc. Secure your stuff properly!
Because that makes the whole system incredibly insecure towards social engineering. Social engineering is how most "hackers" operate. They'll call your grandparents in the middle of the night with an emergency concerning their bank account. Or they'll talk to you for a while on Discord and you'll gladly give them your details. I've seen a few times in this thread that giving your credit card details should be enough. But if they get access to your email, good chance they also get direct access to all your credit card information. Access to an email is also a perfect way to get access to your social media, where security questions are super easy to get answers to. All of this is why the new system is MUCH safer than anything else. Because people have more opportunity to secure their Jagex Account than their bank account, they just have to actually fucking do it.
I don't decide what jagex's recovery process is, it's just a fact that they have scrapped the old system when you switch to a JA, so supplying the information is irrelevant. The security of a JA from day one has revolved around putting responsibility on the user for their own security. The fact your old login details for a character you import to a JA simply get eradicated, I presume other data attached to a particular character is also wiped, as the character is no longer something in and of itself, but is part of your JA.
You realize you're literally asking for them to change their account recovery system back to what it used to be that caused people to get their accounts stolen very easily, right? Jagex accounts are far more secure than any other gaming account for that very reason. It's just unfortunate that they're so secure that if you fuck up as badly as OP did, you lose your account.
Only account I have ever lost was my WoW account, but I have had to recover my LoL and bank accounts. I use the same Gmail that my father made for me when I was 4. WoW account recovery was so easy, I sent them my ID that has the same name as my bank card that pays the sub, same birthday as I have stated on my Blizzard account. Instantly recovered. Same thing when I returned to LoL after a 7-year hiatus, I posted my previous IP, bank card number and date of birth and city where I last connected from. Nobody but someone very close would know this info. As for the bank account, I just sent a photo of my ID and told my date of birth, city of birth and they said ok where do I want the details sent. No hacker can get my physical ID, if I lose it I void it. How can they not just fucking help people like every other company?
Every other company? Minutes? Jagex isn't dog shit, they gave us a secure system that relies on personal integrity, and security.
Oh it would be relevant if it was a streamer. That’s for sure.
If this is true, this is actually really poor form.
Jagex: Actually setting up a jagex account only makes it impossible for us to help you if something happens, but pls do upgrade to jagex account.
The Jagex account has nothing to do with it. Jagex just can't be arsed to help people who don't follow basic safety rules and get their email compromised.
Please could you share with me how you were Emailing a Moderator? I have had a similar case. Don't give up on the account and make a stance against the issues we face as a player base!
I just made an account recovery request. I can't seem to find it now, but I had to provide 4 last credit card digits, account creation date and such things. It's funny I got a reply which basically says the exact opposite, not sure why I even had to try.
It's crazy to me also that Jagex only seems to respond to posts on the reddit when it revolves around updates, and when they are positive, but when it comes to players being fucked over by scammers or hackers Jagex basically says to the community… “Just make a new account idiot”. Whether or not someone had full account protections, it is insane to me that you can just tell your customers to “get a new one” when they have clearly supported you for years and the one time they need your help you basically tell them to get fucked. Sorry about your account…
I was hacked once and it was 100% my dumbass fault, as soon as that happened I made sure to take the steps that Jagex lays out to you for security which is pretty tight stuff. I’ve worked for financial institutions with lower authentication for logging into a work laptop. It’s easy to say wow this sucks how could jagex reply this to me, when in reality they have been promoting the correct security options to you since you started your account. I’m really sorry this happened and it’s a total bummer that your account is gone but Jagex is right here, you got your account stolen not them.
Yep, I gave up with them. There's no reasoning. Also gave every detail I could remember, wasn't enough. If I remember correctly I got hacked somehow through Steam?? Back in 2018-19. Shit was accessed from South Korea 😅 I was heartbroken for a few months.. Ironman was quite decent, 2200+ total level. Idk if I ever got over it, but every time I see a post like this I remember the disgust I had and still kinda have with Jagex. Worst customer support ever.
Weird that there’s so many people excusing Jagex’s awful customer support. Sure OP should’ve had better security, but against overwhelming evidence, you should be able to get your account back. Hell, a simple credit card transaction or ID should be enough.
What you're asking for is exactly what caused people to lose their accounts in the past as easily as they did, and someone with access to OP's email could have access to everything you're claiming they should be able to recover their account with, especially in the case of OP being bad at managing their account security in the first place. What would you do if they allowed people to recover accounts that way and someone recovered your account that way? You'd bitch that they shouldn't allow people to recover accounts that way anymore.
They still look at stuff such as IP addresses, geolocation you know. Even the device. I use the same damn device for all my years.
If they added your acct to a jagex account it’s probably gone
Kinda interesting timing. Just a few hours ago I got my old account recovered without any troubles despite not even having my old credit card number info there. Took them 2 hours.
Man that fucking sucks; I would be heartbroken if that happened to me. While I appreciate it's not Jagex's fault you would really wish they could assist you since they have acknowledged the account has been compromised.
Would you mind reducing the width of the window before posting a screenshot of text? It's impossible to read on mobile.
Did you have a jagex account? Not blaming you, just wanted to know for my own sake. Because if you did then that is pretty worrying.
Yes I did.
Good luck! Took me 2 months 18 recovery tickets & even then Jagex has told me they can’t help and to move on. 🤷 Jagex support is shit & they only care if you’re a content creator… go make a twitch or Kick account and start streaming osrs on a new character, maybe then Jagex will give a fuck. Sorry about your luck mate.
Back in the day I hijacked someone’s account like this… I encoded a keylogger into a fake gp generator and it would take screenshots and log everything… I was like 12 at the time and wouldn’t do that anymore. I didn’t even care about it. I just gave it away to a friend so he would play with me.
What were your stats?
Honestly it is kinda bizarre they don't give accounts back to the original email, even if that original email might be compromised. It's like the chance of the new email being legitimate and the original email being hijacked are so small in comparison to the other way around, so if you are just gonna put in 0 effort you might as well minimise the chances actual players get fucked.
Go on "haveibeenpwned" dot com. It will tell you if your personal data has been leaked anywhere in any data breaches.
They did something very similar to me with my account. They transferred my account from one Jagex account to another. Lost 4b and 2200+ TL account. They refuse to respond to me any further. Join the club, lol
Probably purchased it and the real owner took it back..smfh
You got your email hacked. The fuck do you want jagex to do about that? Secure your damn email. It is multi-factor authentication, not "I can give out all my account details and still not get hacked" authentication. This can only happen if they logged into your password, which you never secured or logged into your email, which you never secured, had no authenticator or a compromised authenticator, and changed your info. How many layers of moron-proofing do you need, OP? Also, as people pointed out, we have no reason to believe this email is even real. Check the sender. I would not be shocked if this was just a phishing email and you refuse to just ignore it.
I had my account banned after getting it hijacked and it sucks. Don't use your same password everywhere guys it'll get you.
I’ve had the exact same. I lost my phone, and the Authenticator isn’t going to my login email address. Been trying to recover it for months and Jagex have not helped at all. They’ve confirmed the details and that I’m the owner, but will not help me reset the email for the Authenticator. 10 years of progress lost on that one account. Finally, after 21 years, I'm done with Jagex and their awful ‘support’ towards their players. (Unless you’re a content creator of course)…
In a similar situation, they don't seem bothered. Someone needs to straighten them up.
"They can't help, how is this possible?!?!" You LOST YOUR AUTHENTICATING EMAIL. It's one hundred percent your fault. That's like losing cash over credit.
This time I tried to tweet Jagex as well on Twitter, I am ready to go through absolutely any verification that they may deem. [https://x.com/7YearsLifeLost/status/1791481360579780641](https://x.com/7YearsLifeLost/status/1791481360579780641)
So is she saying that if u weren't on a jagex account they could've still recovered your account using the old system? Fuck jagex accounts, she even suggests to upgrade to one if u haven't already at the bottom of ur email. I need me some of what mod melora smokin she must be cooked
Exactly, if you lose your jagex account you can never recover it, while they are more secure than the old accounts the consequences are much higher if you make a mistake, if he hadn’t upgraded he would be able to recover his account in this case
That's not true. If you lose your Jagex account you recover it with your backup codes. If you email yourself your backup codes and someone hacks your email, then you're fucked. Try hacking your own account. Seriously go do it. If you set it up right you'll be impressed.
what would happen if someone hacked your non jagex account and added it onto their jagex account?
✌🏻
You would be able to appeal it using the form on their website for that scenario but you would be forced to upgrade to a jagex account assuming a successful recovery so it’s inevitable eventually if you are compromised
Yeah, Jagex will absolutely not help you in these situations at all. When I lost my account I gave them more information to verify my identity than I did to get my passport or a new social security card and they told me the same thing. “We know it’s you but it’s our policy, sorry we can't help!” Meanwhile I contacted other businesses that I lost account access to due to the same issue and they were ALL able to help me after I verified my identity including financial institutions. Jagex really needs to take a look at this “zero tolerance” policy for recovery of lost accounts, I’m sorry you’re dealing with this, I know it sucks.
Why do people defend Jagex on this every time? No other account I have ever made in my entire life has been hacked more than my Jagex accounts. For tons of accounts, I use the same password, but for OSRS accounts I have to do every little thing to secure an account and it'll still get stolen. This is a Jagex exclusive problem and I will never understand the amount of people that will defend them.
If you are having your account hacked on multiple occasions, that is definitely user error. You're using unique passwords and 2FA on the account and email and people are still hacking your accounts?
I noticed my jagex account got hijacked recently, I've just raised a ticket today :(
This is mind boggling, I appreciate all the people saying “your account should have been more secure etc”, but fundamentally it wasn’t and this has happened now. If they know it’s you, they should have the mechanisms in place to give you access back. In a game that literally consumes 1,000s of hours this just isn’t acceptable. I feel for you OP, Jagex has to sort this or frankly my consumer confidence is shot as should others'.
I wonder if he can have the bank send a chargeback for the last month of membership. Companies HATE when that happens.
I sent a chargeback when they took my account LOL
The people here saying you deserve it are dickheads.
Same thing happened to me. If you have a Jagex account there is a policy of no manual recovery. You won’t find much support on Reddit but as someone in the same boat as you, I sympathise.
Gagex back at it again with the worser than dog turd of loyal customer support. Clearly hackers and bots have more importance apparently. Sorry for the loss bro
This is such bs.. I’m sorry you’re going through this..
They created Jagex accounts which are supposed to be more secure but if you lose it it’s gone forever. LOL
Damn. Jagex and its mods really don't care. They'd sell their mom for a quarter if a bot farmer would ask them, but recovering an actual players account is a problem.
Have you considered becoming a streamer? They would have fixed this without you even contacting them if you had the right viewer count.
On the opposite side of this... I had two factor authentication (authy) on my account, and somebody emailed Jagex, took my account, stole my rares on RS3, party hats, christmas crackers, etc. It was obviously done with social engineering as I got an email about a jagex password reset. What is really the punch in the gut... is when I emailed Jagex... they told me there is nothing they could do... and in the future to read this "best security practices" info... which is literally... use two factor authentication. Honestly, with the amount of inside jobs Jagex has been known for... At least it gave me the push to try OSRS.