They're Locking RuneScape Accounts for Pay
ฝัง
- เผยแพร่เมื่อ 21 ส.ค. 2024
- ✅ My OSRS Figurines & Gifts: crumb.store/
- Code ‘20off’ at checkout for 20% off your order - available for the first 10 people
Today’s mini documentary covers the recent outbreak of OSRS Account Locking Services. These people are offering to lock players out of their RuneScape account for a fee and it is only possible because of Jagex’s flawed login system. I talk about why it is happening and how you can protect your own account.
Credits
MichaelRS Video:
• Getting Scammed by Ret...
My Links:
►Twitter / crumbosrs
►Instagram / crumbosrs
►Patreon / crumbyt
►Oldschool Runescape (2007) is provided by Jagex.You can play for free here. www.oldschool.r...
![[UNCUT] “อภิสิทธิ์” ครม.อุ๊งอิ๊ง แย่งเก้าอี้กันฝุ่นตลบ “ทักษิณ” บงการเอง Iคนดังนั่งเคลียร์I 21ส.ค.67](http://i.ytimg.com/vi/a_b-kItw2jY/mqdefault.jpg)
✅ My OSRS Figurines & Gifts: crumb.store/
- Code ‘20off’ at checkout for 20% off your order - available for the first 10 people
the airfresheners are hella neat
Just placed an order an hour or so ago. Hope my jad turns out as good as the one in the videos!
Thanks a bunch! The one Hanner was showing in the video will be what yours looks like too :) and of you're unhappy I offer free returns for the money back (no ones used this yet!)
runescape claimed to have security updates this year at runefest but theres only a month left and they really have fallen short of their promised goals
Yo you're selling boss figurines but not iconic characters like Gnome Child bust or buying gf guy?
Cows, Rune chest plate drop, coin stack (on grass tile), life size runes etc
Thank you for bringing this more attention. It's pathetic how top players like Woox and Zezima can't play their accounts for literal years and Jagex still hasn't fixed it.
Someone needs to create one of these services and target b0aty faux mmorpg mr mammal and whatever big-name twitch streamers there are and see how long it takes for them to fix it lol.
they would be able to play them if they just changed their login to an email like they were offered, but they are stubborn loser nerds
Supposedly jagex offered zezima to change the login to his email on twitter, but he never responded
Woox is currently going through this. Have you not seen his league acct name? Its literally Cantlogin
@@austiniscoolduh why would he tho dumb offer
Jagex: we care about our game!
Game literally falling apart
Jagex: this is fine.
Jagex honestly needs to focus MOST of their man power on this issue. Security is MUCH more important than fun game updates. This is absolutely game breaking, and Jagex is a multi hundred million dollar company. This is completely unacceptable in a modern internet age, and should be fixed as soon as possible.
Completely agree with this. Their priority should be SECURITY of their player's accounts.
Probably understaffed, underfunded, over stressed workers to make those millions
but muh jagex does everything it can do ! the mods are so nice !
'Fun updates' are created by content creators, who have no understanding of security issues. You cant just tell them to stop making updates and invest time into security because they arent the right people for the job..
@@TinyMaxfer he’s talking about jagex as a company, not about their content creator team(s). That’s obvious and your comment is stupid.
Jagex fix your damn game security, its 2020 almost 2021 ffs. This isnt 2007 anymore.
The real jagex grew old and retired, these new guys are just cashing in.. the only thing they brought to the table was rs3 and that was a huge flop.
What surprised me most is they literally *give* your information away with minimal social engineering tactics. It's like these devs don't know a single good practice. It's pathetic.
jagex is part of this shady shit
as a programmer the solution is pretty easy, just change the api endpoints and request a modern captcha every 5 requests or so like they use on their main website
Exactly. Tons of papers on the proper way to implement these systems. An overhaul is the solution, not cobbling another fix on an ancient system
Programmer here aswell, this is just terrible api design and should be very easy to fix for Jagex. Almost unbelievable the api is designed like this...
well if you've seen the going rates of pay at jagex you have your answer...
I feel like this system wouldn't work well because there are other services out there that charge a little amount to solve those captchas
As a programmer you should realize that this is not a sufficient solution. You can easily solve captchas programmatically without human interaction. An actual easy way to solve this issue is using an IP whitelist to disallow any unwanted login attempts. If your IP is whitelisted you may attempt to proceed to login and use the current system.
Some british teen saying hes gonna mobilize a swat team to your house over runescape my lord
I would just laugh at these morons trying to scare you into giving stuff 😂 I would just say yeah okay bye and leave the call
why do they literally all sound the same too, all northern british guys who are aged 16-21
@@kylejones1532 just laugh they're empty threats. And if they're discovered they go to prison. New laws with extradition will surprise them.
@@kylejones1532 yeah exaclty you just go alright then lock my fucking account I'll just play a different game cya later
@@ErosExMachina We don't consider northerners English its okay
This scares me. Just straight up scares me.
its horrible, I got hacked this way some months ago, I couldnt login for days and when I finally manage to get in I was almsot clean..
at this point im just thinking to start grinding a second account so when my main gets hacked it hurts less.... i guess
Have 2 step on email worst thing they can do is lock you out of the account for abit only way they can access ya email then is if they have ya phone lol
if Gagex would actually pay someone with real skills about hacking/engineering methods/systems to break the game, this would have been PREVENTED
@@AnOliviaShapedGremlin IMO the people who do this are people that are younger and very good with computers, student like people testing their abilities. They know how little risk is involved when manipulating a game like this has..
You know it's scary when it's 2020 and Jagex still doesn't let you use special characters and uppercase letters for your password.
Uh. It has for a while now. Caps wise
@@MonaGC. no it doesnt, go try and get back to me
@@MonaGC. hes correct, your password on runescape is not case sensitive
I have illegal characters in my runescape password.
Excuse me? If your password isn't case sensitive then they're storing their password in plaintext so if someone gets in their databases, they have all passwords, rather than hashes or having to bypass encryption.
Disgusting. I sincerly hope that no one has to get hurt before Jagex takes action. By that I mean I don't want to see a swatting related shooting, suicide due to harassament and doxing or anything like that.
All of the above happens to Conservatives on a regular basis.
How to get a login?? contact customer support, jagex does leak that info
their acc recovery is the biggest compromise to acc security
they rely on billing details and other stupid stuff that in no way is a real secret so it just makes hijacking jagex easy
Have you ever tried to recover an account? It’s not as easy as ppl make it out to be. When I was trying to recover my account, I needed a Ridiculous amount of info, beyond just billing info. I assume many people can’t even recover their own accounts if they tried because they don’t have enough info. Someone would have to have a lot of data leaked from hacking/db breaches in order for someone to have their account recovered. The majority of hacked accounts are happening because of recovery, mainly hacked emails or other things like that
dont flex on g.e this will probl save your ass too
The accounts first ever used password used to work very well
@@noobsaywhat I suspect these people running the log-in attempt macros to block people from accessing their accounts and charging/blackmailing them money for returned access are wise to not target the famous players like B0aty, Mr Mammal, A Friend and Torvesta, but rather the numerous rich players who possess most/all BIS gear in the game but lack any known reputation in the community and are 'nobodies' in the sense that few people care about them, as that way they'll get a lot of money out of these people (be it in-game currency or real life money) without attracting the 'wrong attention' so to speak by targeting Jagex's 'golden boys', meanwhile the rest are left to rot and fend for themselves, courtesy not of Jagex themselves but their master from an 'exotic' foreign land indeed who have fooled some by pretending to now being American via the use of a shell company of sorts.
*Ah, the joys of OSRS's darker side of the community! :P*
@@pakazemuk not really, relying on a single password is like building a house over quicksands
Osrs needs optional yubikey logins, just like military stuff
Customer support is idiot-friendly, but for users with a yuge $ bounty in the game, its so flawed and insecure as jagex can be hijacked, if not yourself
One super big tip and problably something that will end up fixing this.
Since rs3 is on steam you can connect your osrs and steam account and bypass this to many login attempts bug.
And i would assume same thing will work on osrs once it comes out on steam
Edit: should work if your account is linked to phone too :)
If this really works, please like the hell out this comment ^
@@robbecrabbe6426 it does cause you entirely skip the login screen i have tried it. (For now its rs3 only tho)
@@PingvinuzDamn, would be an easy fix!
If you are able to log in on the website and have an Android, try this;
1) Log in on the website
2) In settings, under 'Linked Accounts' link your Google account to RS
3) Log in using Google via your Android phone on the RS app
This worked for my friend to bypass the same thing
@@alperdogan6760 oh yea you should work the same maybe if you have it linked thru phone
If this is happening to you, try to log in on mobile, the “play now”button works even when your pc is locked out. After being logged in on mobile for 10-30 mins, log back in with pc. Works every time.
If you have to type password for mobile it’s the same problem unfortunately. And you have to wait. But having mobile logged in is the only tool I know of to combat the issue. Also, change your password. The log in issue hasn’t happened to me in a few weeks now.
Like if this helped you
Steam version also works its the same system as the mobile login
Do you log in on mobile, then change password, and then log out of mobile, and log right away in pc? what exactly do you do? Cause I dont think it worked for me
@@Szklar changing password does nothing, but if you're on mobile you can bypass the too monay tries thing because it's an active session, then play a few minutes on mobile, logout and immediately go online on your PC
@@observer3984 I'll give it a shot thanks for the advice
This is currently happening to me, however it doesn't let me log in to mobile either.. Same error. I checked and my account isn't locked though. What should I do?
Great video man, very informative.
rust moment
Start uploading again
Of COURSE ReturnOfWilderness is in that call, I'll pretend to be surprised for just a minute.
Just press accept
It's years old at this point, ROW is gone
@@omgsurfer the channel is gone but he's still very active scamming and black market
Row is a pos
He scammed me too. He's the biggest scumbag in runescape.
Finally non leagues content to CONSUME
Its the dmm content that kills it for me
There was leagues content in the background.
So true
Lmao they're like the OsRs Mafia, paying for a protection fee
"That's a nice Runescape account ya got there.... Be a shame if... Something happened to it, I'm gonna make you an offa you can't refuse"
Underrated comment 😂
Botting: Jagex brings in data scientists and machine learning and still fails
Brute force attempts: Account wide locks, not even limited to the attacking IP.
I'm really started to realize Jagex is kind of a laughing stock.
Less of that and more that hackers / black hats / exploiters are getting much scarier than they used to be.
@@HebiSnake but how can jagex not fix the login spam? There's a way even if it takes a lot of work. They gotta do it if they want to keep the longevity of the game healthy
@@seegreen6484 No shit they need to fix that problem I never said they didn't. But there will ALWAYS be some exploit or some shit that bad actors will use to their advantage. It'll take work and they need to do it, and I'm sure jagex will do so, but it takes some time to do that; it's not an easy solution that takes 5 minutes like people act like it is.
@@HebiSnake But this has many easy solutions. They just do not care unless it's public enough.
They can give an individual login limit for IPs that have already been used to login. Would fix very many cases.
They can say "Due to suspicious activity lately, confirm this login through email" etc. Very easy fix. They have a mobile app that can be used to confirm. 2fa can be used to confirm.
@@madcroc111 Just because a solution is straightforward conceptually does not make it simple to implement if you have to simultaneously alter/remove the existing system without having problems/security breaches in the process. The problem isn't the idea itself, but how to implement that idea without negative repercussions.
Just makes you not want to play this game anymore. It's just crazy...
From the toxicity, to scammers, to IRL threats, and crazy exploits like this. Runescape definitely ain't what it used to be anymore.
it was never different lul I still remember how I was threatened in skype calls as a little boy because a couple of scammers couldn't get their way. I would lie if I said that it wouldn't have scared me back then, but at least I stubbornly blocked instead of giving in
Plot twist: zezima is locked out because people covering this topic are false logging into his account to use the error for footage.
I never played this game, but after seeing few of the videos about this game, it seems like the overall quality of the game is at the same level as it’s graphic
I love how ironically having an OG log in name is probably the most secure your account can be (as long as you have name changed).
Yeah I was thinking that, just let people have the classic login name and character name, no email to leak, no back door hacks just type it in or keep logged in and maybe authentication to your recovery email changes, stop all of it
This isn't social engineering. People need to stop using the term so loosely...
I don’t even play RuneScape, never have and probably never will but these topics are so interesting. And for that sir you earned my sub
btw no one should try searching their login on that rs breach site as they track search data on the site. kinda surprised crumb didn't say that
Holy shit this is such a strange game in so many ways xD I hope it never dies
I love how these companies willingly give out information if you socially engineer it well enough for whomever you're talking to at the support center. What makes it funny is that all these companies say "we will never ask for your information" to prevent scams.
It never seizes to amaze me how theirs always some shenanigans going on in rs and someone’s always up to some bullshit. Love the vids crumb 👍🏼
@adawbwa no there’s kid not there you fucking idiot
@adawbwa learn to spell idiot
I would gladly use that website to lock JMod accounts and see the payment as a donation to the osrs community.
Being locked out daily! The reason I've left the game and stopped making videos. Wish Jagex would offer a solution.
I remember your streams/vids! You’re a pker, right? Anyway, facing the same issue here. Someone’s brute forcing my login and there’s nothing I can do about it. Any luck?
Jagex doesn't give a fuck. Why I haven't played in 6 years. Enjoy your content through.
I’m a victim of the spam login bs... Jagex really needs to fix account security and now.. it’s 2020 ffs
I am also a victim of this scam :/ I was wondering how they got my deets...
try changing networks, worked for me once.
@@huntershonour2433 that's actually even worse tbh
@arch btw not how it works u tard
@arch btw did you even watch the video...? And actually pay attention..?
Quickest way to sort these things out is to come togethet as a community. If most people stop playing the game for a few days they might realise that they need to do something. As long as everything is going o as usual and they hit daily player targets they wont care.
I recently have been hacked and i have no clue how since i have two step authenticator . For the past two keeps I have been unable to log in with the " too many log in attempts message" that should had been a red flag for me to register a new email and password . I was at my parents house and downloaded runelite , got on for 5 minutes and logged off . The next day I logged in and all my valuables estimated in 300m+ were gone . The person even wiped my pots and food and strangely kept other things in the bank to seem like my account wasn't touched . I feel like I fell for a phishing site but then again i downloaded rune lite from the official website so idk what happened honestly . I have registered a new email with 2SA and changed the password about 3 times and I'm STILL getting locked from my account for hours before I can actually play again , idk what to do or what is happening , jagex replied to my email saying they will try their best to fix the problem and the best way I can play is through Steam 😢
this happened to me b4 and it scared the s*-*t out of me
The worst part is that it isn't even hard to fix this issue in general, they just have many badly engineered systems on top of each other.
Yo I swear to god this started happening to me like a week ago man wtf
Edit:
I was also rank 3 on leagues around the time and was suspecting being doxxed because of being top page .
Update: not had the login error for 3/4 days now, have been playing cold war mostly so the person must be watching my league ranks go down, Joynz is my ign if u want to see what my stats was at the time.
This reason is the biggest FU jagex can turn their heads on. like if i was approaching the top and i get locked out, i'd practically quit.
@@conker1596 I was close to quitting till someone in the comments of a video said that the bug doesn't effect mobile users so I hopped on there and it worked perfectly, while I played mobile I kept trying to login on my computer till it gave me the message "your account is still logged in" then I knew the bug was over, also side note if you try change worlds while logged in it will also kick you out the game and give you that message after.
This is still an issue today, came home from work to this bullshit tonight. My account should be safe, it's just mad annoying.
thought i should let you know that when the guy told woox jagex gave him his info, he was trolling. jagex doesn't just hand over player info. i've tried to get the names of emails of accounts i'd forgotten in the past with zero luck.
Runescape is the only service I know where a password is not case sensitive. Login system is fucked.
It never ceases to amaze me how much shady and corrupt s*** goes down on RS. Just mind boggling
This was an incredible video! It's absolutely terrifying to see this happening, this is something that really needs to get fixed
This shit is scary .. and dark .. I’ve known about this flaw and I have a seperate RuneScape email written on paper with no linked emails and 2fa on everything from email to social media , bank pin , still I try my best to stay safe
With display names it’s a lot harder to find out info but there’s always a small chance .. stay safe yall
This is what happens, when a game studio get bought out by investors.
Its not about the game anymore. Its about the money.
Its really not the developers faults either, there told to focus on content, and things that get player engagement by there shareholders.
My bets, when this gets enuff stink about it that it might impact the share price. Then they will be told to do something about it. But it will be too late.
Blame Macarthur Fortune Holding for this. Even on there website its "Client first" And if you play RS your not the client, your the product.
I suspect these people running the log-in attempt macros to block people from accessing their accounts and charging/blackmailing them money for returned access are wise to not target the famous players like B0aty, Mr Mammal, A Friend and Torvesta, but rather the numerous rich players who possess most/all BIS gear in the game but lack any known reputation in the community and are 'nobodies' in the sense that few people care about them, as that way they'll get a lot of money out of these people (be it in-game currency or real life money) without attracting the 'wrong attention' so to speak by targeting Jagex's 'golden boys', meanwhile the rest are left to rot and fend for themselves, courtesy not of Jagex themselves but their master from an 'exotic' foreign land indeed who have fooled some by pretending to now being American via the use of a shell company of sorts.
*Ah, the joys of OSRS's darker side of the community! :P*
This seems more like a problem where the last person who knew anything about Runescape login servers left the company seven years ago.
Lol you sent me down a mad RuneScape TH-cam rabbit hole with the return of wilderness stuff 😂.
Crazy research man! Great video!
Awesome video brother. Crazy this is going on.
Not sure why I am watching this, but big thumbs up to you for making a product and selling your own creations. Way cooler than 99% of merch shills, good job.
And the community don't give a shit about this, they even defend it.
As a new player, last day I asked about taking membership but I wasn't so sure because some stuff like this happening.
I got called nitpicky, that those ain't problems, crybaby, etc just because I told them there was issues (and I also linked top posts of the subreddit telling very recent history about other kind of problems)
They don't care.
EDIT : when I created my account I was BAFFLED to see that the password dosen't accept special characters. This is a MAJOR security issue.
Yeah this is messed up
I get the log in attempt bug when I try and play with Nord VPN running on my PC, anyone else get that?
Also, great video man!
I literally had the bug yesterday and the only, ONLY solution that worked until it resolved itself somehow today, was to enable a vpn when logging in or world hopping
i Definitely think the bug is caused by VPNs, i get it all the time with mine
-I'm gonna send a SWAT team to your door
-really? What continent do I live on?
-...
-you know most continents don't have American SWAT?
-...
They do tbh
@@Not_Facts well no cause it's not american
I've been getting the "too many login attempts" prompt for at least three months, the only way around is setting a VPN with a different IP adress every time I try to login, otherwise it won't let me play at all. I hope they fix this once and for all.
i get the exact same issue mate :( have to do the same it's getting to be a joke now
Interesting. I get the message when I'm on a VPN
If you login through mobile it will bipass the issue (for android at least)
@@seegreen6484 Yup, as long as you use data.
@@gbvengeance3827 I suspect these people running the log-in attempt macros to block people from accessing their accounts and charging/blackmailing them money for returned access are wise to not target the famous players like B0aty, Mr Mammal, A Friend and Torvesta, but rather the numerous rich players who possess most/all BIS gear in the game but lack any known reputation in the community and are 'nobodies' in the sense that few people care about them, as that way they'll get a lot of money out of these people (be it in-game currency or real life money) without attracting the 'wrong attention' so to speak by targeting Jagex's 'golden boys', meanwhile the rest are left to rot and fend for themselves, courtesy not of Jagex themselves but their master from an 'exotic' foreign land indeed who have fooled some by pretending to now being American via the use of a shell company of sorts.
*Ah, the joys of OSRS's darker side of the community! :P*
imagine having your job be ruining a video game... pathetic. Thanks for making vids to highlight this issue man
i dont understand why jagex doesnt implement some sort of idea where you only allow certain ip adresses to attempt to bypass the time wait and to also login more than x amount of times an minute
as a rs3 player I am glad playing via steam bypasses this system so I cannot face the bug or extortion luckily
tbh everytime i see updates about runescape, its about scams, hacks, bots and it honestly makes me wanna quit
Having the authenticator present whether the password is correct or not is the correct procedure for 2-factor. Otherwise brute-forcing becomes extremely easy. Just FYI
This has just happened to me a year after you uploaded this video. I hope my account isn't being hacked. I don't even have that much
While this is a real issue, the only reason Zezima can't log in, is because he wants to log in with his name, instead of switching to an email. Jagex have contacted him saying that all he has to do is change to an email, and he will be able to log in. Kinda disingenuous.
Tell that to someone who has logged in with their username for years and because Jagex doesn't fix this issue he needs to change it? Nuhuh man
Why though? I've been logging in with just my user name since 2009 or so.
I know they switched it like a year later but it has never once requested me to change to an email.
Na. Easier to just fix this issue on their side rather than just making zezima change to an email
You can't just deal with hundreds of thousands of accounts changing to an email all of a sudden
I actually get followed by a lot of the names you see on the list they are also scammer accounts boyyyyyy this video shows no where near how bad it truly is
Gotta love how we use Zezima against Jagex. Luv ya Z!
Literally stopped playing OSRS only because of the community. This video shows perfectly how bad it gets, so sad.
i can relate to that, my accounts got banned simply because i got mass reported by some clan, ofc i appeal and get denied, then on twitter they tell me to appeal again, but nothing happens... its honestly sad how toxic the entire game has become
RS and OSRS have increased profits every year since 2015, Jagex really shouldn't be letting these problems slide just so they can develop flashy new content instead. Why not just reinvest some of irl mils they're making into important stuff that'll prevent your more committed from quitting
Two solutions I see would be:
1- Too many login attempts locks the IP, not the account
2- Two step login, no not authenticator, login. First login you can fail, it will never lock the account, second can fail and will lock it.
Exemple: First login Name is X and password is 123, second it lets you access the login for the accounts within X, you can't see what accounts are there and still need the password. Say Zezima is within the account X then someone would need to login to X then login to Zezima, you couldn't log in to Zezima directly.
This would mean a hell of a lot of work though for the accounts that already exist for both OSRS, RS3 and the website and probably needs something more reliable than "we've sent you an e-mail to create your first login account."
Lock by IP is more viable and easier to do for sure. There probably are thousands of ways to fix this issue though and my second one is probably way too complicated for nothing, but for whatever reason it came to mind during that video.
Blacklisting the IP is really the nobrainer right solution here. Sure, this means people can setup proxy farm to try bruteforce passwords with large enough proxies, but with strong passwords that is not a problem since it's so tediously slow.
This denial of service aspect of security sucks big time. Like, the least you could do is let the machine that has already logged in to account previously have priority / bypass the restriction.
1. How would that prevent anything? There are rotating proxies readily available with millions of IPs in their pool.
@@davidbergkvist8352 His point is that the account would not get locked after failed logins, only the IP would be timelocked to try login. This would render this malicious use useless as you could not lock the owner out of the account.
@@Tobykaani But that just defeats the purpose of the lock function. Do you think a hacker only has 1 IP? They could just remove the whole lock function then. The solution is to add an IP whitelist containing allowed addresses who may attempt to log in to the game. The whitelist should be editable on the website and not apply to website login.
@@davidbergkvist8352 People are not trying to hack the accounts, they are locking people out of their own accounts. They don't try 50 different passwords, they try the same abc123 50 times in a row so you can't log in.
A whitelist of IPs could work too, but then if they manage to hack your account they just have to log onto the website, remove your IP and add their own and it's GG, same old problem.
There is no perfect solution, there are just slightly better ones.
Two-Step auth needs to be more reliable too, as it is right now hackers can have it removed without you even being notified of it until you log in the next day and everything is gone.
WOW!....this is Greasssssyyyyyyyyyyyy never showing my email, also glad i use VPN protection, and not the free kind either ^-^
Thank God I'm not a noob and don't use an email to log in.
I'm facing the same problem now, I even tried making a fresh e-mail and a fresh osrs account and they won't work either, it's seriously annoying and it's disgusting that Jagex won't do anything for years now
have you tried using a vpn?
I have a separate issue with the "Too many login attempts" message. Sometimes when I try to log in using my home's internet, no matter what I do or what account I use it says "Too many login attempts". If I use a VPN or tether my phone to my computer, it lets me log in and I can even disconnect afterwards and play off my home's internet. Can't swap worlds or log out though or else I'll need to do it all over again.
but whats crazy is when i go to a friends few streets away i can login from his house...
How hard is it to integrate a third party authentication service? What is their database schema? How do they perform api validation? Have they used timestamp signatures? Honestly sorting out the pin verification is just a semantic issue. Always send, don't provide different responses based on what is there.
They could also have "verified" IPs for each user...like cmaaan
If you have to, two factor authentication.
this just solidifies the fact that Runescape is such an unhealthy game to play spiritually, physically and mentally and it's just not worth the time that you have to invest in it, imagine spending 10 years on something then all of that is stolen from you because the devs are too busy counting their bankrolls to even give a flip about you or the security of you're account. Really sad tbh
The website where you fill in your information to see if your account is breached seems like a honeypot made by hackers
@@DelPlays ummm dude, plenty of people use their email account for other services......this is an issue entirely made by Jagex, not Crumb. You're not making any sense bro...
@Bing Honeypots are basically fake infrastructure set to examine the attack against the honeypot. The concept you are referring to could be considered something else, maybe a weird type of phishing attempt? Its pretty sketchy though hahaha
@@DelPlays ihavebeenpwned is extremely credible
I have used haveibeenpwned for years. Helped get my non-tech savy family members to change their passwords since it easily explaines what websites have been breached and when it was. It's absolutely worth checking out.
@@wrytte Yeah I made the same mistake when I was younger. Now I use a password managing software for my PC and phone. Its a lot safer. Kinda like a makeshift SSO. Maybe in the future we'll have integrated SSO with websites? who knows. Temporary security tokens could be the future hahaha
I'm curious what OSRS runs on. Is it modern hardware or legacy hardware? Through personal experience upgrading security around applications while running on legacy hardware is a major pain and typically requires migrating everything to new up-to-date hardware which is very expensive, time consuming and has a lot of risks. For example, Blizzard struggled to get WoW classic to run on current architecture due to how outdated and incompatible it was. I wonder if OSRS has those same issues. Wish I could work with their IT team T.T
The strange thing is - having an account lockout is actually a security recommendation. Failure to have an account lockout is, according to the National Cyber Security Center (NCSC) and any penetration testing services, a vulnerability - since it leads to brute force attacks. The issue here is the implementation. Normally we'd expect to see either an IP account lockout (however this is bypassed by any VPN service) or a quick unlock method (since Multi-factor exists this is kinda easy to implement). In regards to the "username enumeration" - in that it's possible to work out the valid usernames/emails based on the authenticator response - yeah that's another security vulnerability that Jagex needs to look into. With regards to data dumps - nothing much Jagex can do about that, besides looking through the dumps themselves and ensuring no username:password combinations match those in the dumps. You'd be surprised how many websites are vulnerable to this style of attack (most common social media platforms are).
They could implement some CAPTCHA which would mitigate this very well.
I quit because i cant log in and when i do log in to do anything i have 30 people following me telling me im permed from doing anything i cant chop trees pk literally anything they find me in 5 seconds somehow and harass me everywhere i go i could record it and show you
How is it that Jagex hasn't been brought up by some kind of tribunal or some shit? You'd think with the amount of data breaches people exploit in this game, they'd at least be investigated as a company as to why this is happening. Instead it's like a complete black hole where the money goes because it certainly isn't going into maintaining one of the most important and fundamental things about any game... the security that allows you to play the bloody thing without fear of being targeted. Just knowing you can be a potential target for a laundry list of cyber threats in this game and that Jagex 90% of the time won't even help you, let alone resolve the issue, is an apocalyptic failure on the part of the company itself.
Thanks for posting my crumbsabum email address all over the internet. I appreciate that
Top tier content as always man, keep it up.
Thanks a bunch :)
Literally scarier than Covid
well, good thing none of my accounts are in any databases according to the search thing. That puts my mind at ease somewhat
My account is on one of those leaked databases. I was reckless with private servers when I was younger and lost many accounts including my rs account. I had to change my username and password combo. It was a lesson learned for sure.
This happened to me a few weeks ago, couldn't log in for a few days and even had to make a twitter account to contact Jagexs more than questionable customer support
Theyve locked my account, ive requested appeals for 1 year now so many times.
I zooka i.... was the account. 99 range 46 hp i cannoned alot. Spent countless hours and money. Dissapointed in the company to say the least
That sucks bro, it’s outrageous that Jagex is turning a blind eye to this and refusing to offer solutions.
scammers have such a big ego
like if i get scammed id be pissed of for likes 2 days then ill get over it
But scammers think they are game ending someone's life
They piss enough people off they are going to lose money. If I had to start from scratch because of this I would quit. They could fix it by just removing login attempts while they find a better way to solve it. I love playing OSRS but if I couldn't log in to the game on my main I would definitely quit. I could recover from a lost bank I can't recover from a lost account and that would be the end of me paying for membs.
The people threatening swats should be in prison. Theres got to be a way for discord to track them
There have been public discords filled with child porn and Discord did nothing about that.
Highly doubt they care about a few teens threatening with swatting.
I feel like if anything they should help out the biggest content creators. I know it’s a problem that effects more than just the big names but if the big guys don’t get taken care of. Then how can the average player think that there will ever be a fix?
Hopefully this will draw immediate attention to how terrible Jagex customer support is, and FORCE them to do something about it.
Omg zezeeeeema? Zezihma. Dang dude. That hurt my ears. I still liked and im subbed. Also if you read this can you make a fuss about Hans screenshots that are compromising accounts due to auto recovery process? If its dangerous why does Jagex promote it? (check their tweets) I made a post on the old school general section on the forums but I've been essentially laughed at. But who knows. They will never give me an answer on if it is safe and if so why not warn us. And if not then say so.
Did anyone else get the bot add for osrs like seriously. shouldn't that website or advertisement not be allowed on youtube. since its against runescape rules?
So this is why when i logged in today after getting too many logins all my items were missing?
They will never guess my username. My account is so old you need to know my original log in. Then on top of that my in game name is not the same as my username
They could just block attempts by ips so ur ip never gets blocked
But then people could just brute force and swap IP's when they hit limit
Why haven't they just made it appear locked for the person from that ip address? That way the main owner can login, even though the person sending login requests are spamming it.
i'm facing the " too many login attempts bug ", i can't login from my isp so i just connect to my mobile hotspot login then i reconnect back to my router, it's strange because sometimes it allows me to login from my router directly but at other times i have to switch to my mobile hotspot
my friend dropped his Iphone between his bed and a wall next to it. It tried to spam unlock the screen lock for days (back in times you could live few days without your phone easy) and it was locked for years :D
2:34 Its not really too complex to R.E APIs. Get postman and burpsuite and go to town, And I dont see why you couldnt flag an IP and MAC that has been pinging 1000+ wrong logins. Granted they will just switch IPs and continue the attack but seems like it could help
this is also how my acc was hacked and i lost tbow and much more jagex needs to fix this.
Why don’t they just temporarily ban every IP that tries a login except the one that actually enters the right authenticator code?