I really am lost on how this account was hacked. The same thing has happened to various players over the past few years. There are more videos to come on this topic, but I would love to hear what you guys think about this down below!
With simply having someone's phone number it is possible to rip all the data on your phone, including anything you have saved to your Google/Apple/Microsoft account that is on your phone. It's possible to clone it, etc., everything. The Jagex account can't really save it. Runescape accounts themselves could be targeted in much simpler ways, but the phone number is really all someone needs if they know what they are doing.
Someone hacked a friend of mine. We went through his computer, and I mean thoroughly, and we didn't find a thing. I think they linked a Steam account to his account afterwards.
I just realised I just blindly follow everything King says. If he tells me to put in a buy order for 1000 Mole Slippers at 5m each, I'll do so. If he tells me to sign up to Jagex accounts, I'll sign up before even watching the video. Praise this man.
The same thing has happened to my main 2 times. Had authenticator & bank PIN set up and they still cleaned me. The only thing that makes sense to me is an internal RuneLite or Jagex leak. I won't be convinced of anything else.
Insane man, finished streaming after almost a 6 hour stream, then gets right into editing his videos for his consumers. What a sick lad, keep it up bro, love seeing your subscriber count grow after every stream.
I think Jagex should also look into doing phone number authenticators too. So if someone is attempting to get into your account you will get a random OTP in your texts and be like, ok, what dumbass is trying to hack me.
But how do you stop them? I got brute-forced this same way. Got like 6 emails a day about people requesting to reset my password. Emailed Jagex, they didn't give a shit. Then they changed my pass, removed my 2FA, removed my PIN, and took everything. Jagex's security is shit.
SMS 2FA is insecure. For starters, it is unencrypted. Look up SIM swapping attacks. Google Authenticator is leaps and bounds better. It is still vulnerable though, as is all virtual MFA.
@8bitpothead Use a stronger password that isn't shared across multiple accounts and services. Unless they have an account lockout mechanism, this is your only defence.
I just got hacked 2 weeks ago and they took 3.5b worth of gear off my account. Same thing, through my authenticator and bank PIN. Checked my account and my computer and all of that, no idea how it happened. I still factory reset my computer just to make sure. I don't want to use the account anymore and don't want to rebuild because I'm scared they still have access somehow.
This exact shit happened to me and no one believed me. "It's impossible to do without removing your 2FA" and so many other things. I'm so paranoid to this day.
You're correct that getting a keylogger is generally not something that "just happens". There is typically one of two ways:

1. A so-called "drive-by" exploit is used. These exploits take advantage of known or unknown vulnerabilities in your browser, possibly in other software (i.e. if you run a messaging app on your laptop, someone could message you with one of these exploits). If you keep your system up to date you are generally not going to run into these.

2. Social engineering. This is just being tricked into running the software (as in, as opposed to "engineering" a technical attack, I "engineer" the attack by using some sort of social trickery). This is easier to do than you think - for example, you might just open a Word document and, depending on your version of Word, that can actually execute code without warning (via the Microsoft Word macros feature). Of course you may have just run the executable the normal way as well.

Once the attacker has code execution on the machine, keylogging is generally quite straightforward on Windows and Linux. I assume it's not that hard on OSX but I think it may actually be trickier on a modern setup. For mobile I frankly don't know. I think (1) is not super likely to be the case just because it's relatively expensive.

The interesting thing here is the bank PIN, by far. We can assume that the password was leaked in any number of ways. For one thing, as far as I know, the older Runescape accounts have absolute dogshit in terms of password protection. I wouldn't be surprised to find that they're really easy to brute-force into if the password isn't *very* strong. If he reused his password anywhere, or if he had any recovery questions (seriously, just set your recovery questions to a bunch of garbage - never put real information in there), that increases the likelihood. Even if he just used a *similar* password on another site it may have caused issues. But again, this leaves the PIN. Couple of things:

1. Does he have the setting that requires the PIN after every log-in? Otherwise it is saved for 10 minutes. The attack here is obvious - if the attacker can log into the account they just have to try to do it while you're logged in and wait for you to log out.

2. The PIN may not have been random. Normally you'd have a 50% chance of guessing a perfectly random PIN after about 5,000 tries. That's not really practical unless PIN failures can be tricked into not locking your bank. But I'd bet many people pick a specific year, for example the year that their account was created or a birth year. Was their PIN random or did it have meaning?

The authenticator is another big concern. Brute-forcing an authenticator is perhaps possible in theory but practically I don't think it's likely. Certainly I would hope that they rate-limit attempts, and detecting a brute force that requires ~500,000 attempts per minute for a 50% success rate seems like something any organization would notice even if they weren't looking for it (like, your ops team would notice before your sec team). So the question becomes - how did the attacker do it?

You asked how a keylogger could bypass the authenticator, which is a good question. *Generally* the way an authenticator (like the one used with Jagex) works is that a "cookie" is stored when you successfully auth. This means you don't have to use the authenticator again on your next log-in, and the cookie will be valid for 30 days. I don't know more details about what Jagex has done here, but an attacker with either an XSS vulnerability on the Runescape website *or* code execution on the laptop would basically be able to bypass the authenticator no problem (the former isn't likely IMO for various reasons so I won't expand much more on what that would look like). Alternatively, the authentication method (called TOTP) that Jagex uses is phishable - the attacker simply asks for the token.

It's actually not a very useful mechanism for that reason, but it does prevent an attacker from just logging in with a password if you reused it on another site. 2FA is largely oversold in terms of its protection unless you're using a hardware key like a YubiKey or some other newer techniques. Stuff like SMS 2FA or TOTP are really quite bad. I noticed someone said "you can't leak authenticator" and you said "yeah for 30 seconds" - just to be clear, 30 seconds is more than enough since if that's the last step for the attacker *they're in* and they can maintain that access for ~30 days.

To be honest, I think there is genuinely a good chance that they either have malware on their laptop that they logged in with or their mobile device (esp. if they log in using mobile). Given their use of authenticator I think that's the most likely option. Detecting that sort of thing after the fact can be really hard - your antivirus really might not be able to find it.

There is a chance that Jagex had a leak. It's always possible. Attackers may have information and rather than doing a mass attack they just target players who they see hanging around with a ton of GP. If that's the case the only defense is really to change your password and PIN - not bad ideas, frankly, as the cost is pretty low even if the chance of a leak isn't huge. This assumes that the attackers no longer have access, however, which, who knows.

My suggestion is that your friend backs up any important files, rotates passwords for important accounts like email, Runescape, etc., factory resets his phone and his laptop, and is careful to only install apps and browser extensions that he can trust. Unfortunately it's just hard to say what happened here without a lot more information. It's perhaps worth Jagex opening an investigation as they should have far better logs about any accesses.

Personally I don't have a Jagex account because I'm a Linux user and it looks like a pain in the ass to do it. But Jagex accounts also appear to be safer, from what I've seen - the main thing is that you can "Login with Google", which basically means that Jagex doesn't even *have* a password or authentication materials beyond the Authenticator app; they literally just defer to Google to say whether you are actually you. Google is very good at this. Using this approach means you're less likely to get phished and your security relies less on Jagex. In theory, if the attacker doesn't have full access to their network but perhaps, just as an example, they have coerced an engineer into giving them a couple of passwords or whatever, a Jagex account would protect you. Keep in mind that I'm playing kind of fast and loose here; I know very little about Jagex infrastructure or Jagex Accounts other than that I tried to make one for a couple extra bank slots and then realized it would fuck me as a Linux user.

Source: Computer security professional. If you have any clarifying questions feel free to reply.
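The arithmetic in the comment above (about 5,000 tries for a 50% chance at a 4-digit PIN, ~500,000 for a 6-digit authenticator code, and a code that is only good for one 30-second step) can be checked directly. What follows is an added example, not the commenter's code and not Jagex's: an RFC 4226/6238 HOTP/TOTP implementation, checked against the RFC's published test secret, plus a server-side verifier whose failure lockout is the kind of rate limiting the comment hopes an operator has. The secret and timestamps are RFC test values; the lockout threshold, the one-step window and the `TotpVerifier` name are assumptions.

```python
"""Added example: TOTP (RFC 6238) generation and a rate-limited verifier.

Constructed for this thread; not Jagex's code.  The secret and timestamps are
RFC 4226/6238 test values; the lockout threshold and window are assumptions.
"""
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890")
TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # each code is valid for one 30-second time step
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """Time-based OTP: the HOTP counter is the number of elapsed time steps."""
    counter = max(unix_time // step, 0)
    return hotp(secret, counter, digits)


def attempts_for_half_chance(code_space: int) -> int:
    """Expected guesses for a 50% chance of hitting one uniformly random code:
    10**4 (a 4-digit PIN) -> 5,000; 10**6 (a 6-digit TOTP code) -> 500,000."""
    return code_space // 2


class TotpVerifier:
    """Server-side check with a +/-1 step window and a failure lockout.

    The lockout (assumed threshold: 5 failures) is what turns the 500,000
    expected guesses into an impractical attack; without it the code space
    alone is no protection.
    """

    def __init__(self, secret: bytes, max_failures: int = 5, window: int = 1):
        self.secret = secret
        self.max_failures = max_failures
        self.window = window
        self.failures = 0

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_failures

    def verify(self, code: str, unix_time: int) -> bool:
        if self.locked:
            return False          # even a correct code is refused once locked
        for delta in range(-self.window, self.window + 1):
            candidate = totp(self.secret, unix_time + delta * STEP_SECONDS)
            if hmac.compare_digest(candidate, code):
                self.failures = 0
                return True
        self.failures += 1
        return False


if __name__ == "__main__":
    print("TOTP at t=59:", totp(TEST_SECRET, 59))
    print("guesses for 50%:", attempts_for_half_chance(10 ** 4),
          attempts_for_half_chance(10 ** 6))
```

The window of one step on either side is why a code stays usable for up to about 90 seconds on a lenient server, which is the practical version of the "30 seconds is more than enough" point: the defender's levers are the lockout counter and alerting on failure bursts, not the code length.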
I'm not sure a data leak from Jagex is enough. They would need some serious vulnerabilities (such as session hijacking, as others have mentioned) to bypass the 2FA. Our passwords are (typically) hashed, so even if there was a data leak with users' account information, they would either have to take the dictionary offline and brute-force it, or use legit account recovery processes; but seeing as how no one is getting those emails, it's most likely not that. That being said, based on what Jagex is advertising with the new Jagex accounts, it does sound like they have employed slow hashing, which is a great mitigation against brute-force attacks. It slows down the number of accounts hackers can get considerably, and that alone is a good enough reason to switch.
The session token thing is just what your client uses to track that you are logged in; basically everything uses them, because if they didn't you could never stay logged in to anything. While it's unlikely, the way this would work with OSRS is that someone would get access to the session token your buddy was using when he was logged in, and then re-use the same token to make the game think it's the same session as the previous one. This doesn't need the original PC to be on at the time of the account takeover, just on when the person was stealing the token. Seems unlikely someone would do that for some random's OSRS account; it's not likely something your random script kid would be capable of, so if this *is* how he was hacked, it was targeted as opposed to random, whether it's about who your friend is IRL, or maybe extreme wealth on the account. Overall, I don't think this is what happened, just that it's possible.
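The replay the comment above describes (copy a session token, reuse it from another machine after the original PC is off) is exactly what session-token design can blunt. As an added example, not RuneLite's or Jagex's code, here is a signed, device-bound, revocable session token: a copied token fails on a different device, expires on its own, and is invalidated for every device the moment the user resets a PIN or password. The server key, the 30-day lifetime, the device-fingerprint string and the `SessionStore` name are all assumptions.

```python
"""Added example (not RuneLite's or Jagex's code): a signed session token that
is bound to the issuing device, expires, and can be revoked server-side.
The key, the 30-day lifetime and the device-fingerprint scheme are assumptions."""
import base64
import hashlib
import hmac
import json
from typing import Tuple

SESSION_TTL = 30 * 24 * 3600   # assumed lifetime of a "remember this device" session


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SessionStore:
    """Issues and validates tokens.  `generation` lets one user invalidate every
    outstanding token at once (e.g. right after a PIN or password reset)."""

    def __init__(self, server_key: bytes):
        self.key = server_key
        self.generation = {}   # user -> int, bumped on revoke_all

    def _sign(self, body: str) -> str:
        return _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())

    def issue(self, user: str, device_fp: str, now: int) -> str:
        payload = {
            "u": user,
            "g": self.generation.get(user, 0),
            "d": hashlib.sha256(device_fp.encode()).hexdigest(),  # binds token to device
            "exp": now + SESSION_TTL,
        }
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        return f"{body}.{self._sign(body)}"

    def validate(self, token: str, device_fp: str, now: int) -> Tuple[bool, str]:
        try:
            body, tag = token.split(".", 1)
        except ValueError:
            return False, "malformed"
        if not hmac.compare_digest(tag, self._sign(body)):
            return False, "bad signature"        # tampered or forged
        claims = json.loads(_unb64(body))
        if now >= claims["exp"]:
            return False, "expired"
        if claims["d"] != hashlib.sha256(device_fp.encode()).hexdigest():
            return False, "device mismatch"      # replayed from another machine
        if claims["g"] != self.generation.get(claims["u"], 0):
            return False, "revoked"              # user reset PIN/password since issue
        return True, claims["u"]

    def revoke_all(self, user: str) -> None:
        self.generation[user] = self.generation.get(user, 0) + 1


if __name__ == "__main__":
    store = SessionStore(b"constructed-server-key")      # constructed sample key
    token = store.issue("player1", "laptop-A", now=1_000_000)
    print(store.validate(token, "laptop-A", 1_000_060))  # (True, 'player1')
    print(store.validate(token, "laptop-B", 1_000_060))  # (False, 'device mismatch')
    store.revoke_all("player1")
    print(store.validate(token, "laptop-A", 1_000_060))  # (False, 'revoked')
```

What the fingerprint is made of is the hard part in practice: binding to the client's IP breaks mobile and VPN users, so real systems usually bind to a per-client secret held by the launcher or to the TLS channel. The revocation counter is the cheap win: it is what makes "reset your PIN and password" actually evict an attacker who already holds a token.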
I thought this also, as Best Buy was repairing one of my computers when this happened to me, and it was the only explanation: that someone got access while it was in their possession and copied the token from one computer and input it into their own client at home later. However, with this happening to others as well, I can rule out the probability of Best Buy having a private information leak.
Does anyone think that it's harder to get your account hacked if your login email was mistyped at account creation and was changed to be correct after the fact?
There's a setting where the bank PIN is only needed 15 minutes after logout; if you log out and a hacker logs in instantly, no bank PIN is needed if certain settings are used. Basically, you can log out, then log back in within that time and the bank just opens without a PIN.
After all that discussion, did anyone mention the possibility of a close friend committing the hack? Maybe I missed it if anyone suggested it. I know people want to trust their friends, but there are some dodgy people out there. I have on a few occasions trusted a friend on my account. I am a very secure person as well. If me, being the person I am, trusted a friend to be on my account once or twice, is it possible at all that this guy did the same thing and perhaps trusted the wrong person? Idk the details of how a friend would do it, but just an idea.
Probably insider threats; someone from Jagex is feeding accounts. We've already had a trident and that other dude from ROT, so this wouldn't be far off. There's also social engineering attacks: hackers eventually access the perimeter and then act as a silent reader or even leave backdoors in there. This game is old as hell; I wouldn't be surprised if people would do this kind of stuff.
Really makes you think, doesn't it? Jagex has a terrible botting problem and it's a private company. Who's to say someone who works there isn't setting stuff up like this on the back end? Embezzlement is a real crime that affects many other companies.
@ownage11445 The problem is video game companies are prone to these types of attacks; CoD/WoW/New World etc., all of them have this stuff, not just Runescape. The difference between Runescape and other games is that this game actually takes action on gold buyers/sellers. I could be on New World and buy 300k gold no problem and not be banned; in OSRS/RS3 that's different. Botting is always going to be a concern because that happens everywhere; I think Jagex is the only one that actually makes the attempt to proactively ban them. You also have this game that's run on a specific client that uses no form of anti-cheat detection client; it's all built into the game and monitored like that. If they simply just added a couple more security features that would pretty much solve most of their account hack problems. They also might not be fully following GDPR regulations either if this is happening often. If a player's account is hacked, that essentially is their PII data (first/last name, email, address, CC information, telephone), so they can be found violating these policies for not properly securing their customer data. Not siding with Jagex on this either; it took me 10 years to recover my childhood account, and I had to convince a Reddit JMod by providing extensive proof. Not all employees are bad, but there's usually 1-2 in a batch.
This happened to a friend of mine recently. I saw her log in for the first time in 6 months, and only for a minute. I messaged her on Discord and she said that wasn't her. She logged in to find her bank PIN was trying to be reset. They somehow got in past her two-factor. She works in cyber security and is always extremely careful with her credentials for anything.
This exact thing happened to me on September 5th on the rank 1 GIM for Nex and Chambers. Nothing was changed, but I saw my own GIM acc online right after turning on my computer and logging in my main to do a few flips at the GE before getting to the GIM grind for the day.
@MrRsErik My friend migrated to a Jagex account immediately after it happened (while also resetting her password) and hasn't had any problems since. Hopefully you haven't either. It's also happened to a few people in my clan that did end up losing accounts.
I think you're right on the data leak. My brother's account got hacked out of nowhere. He has zero friends on the game as he barely plays, and when he does it's with me. None of our friends play. Legit, his account is a ghost. Out of nowhere his pass/email was changed without notice and everything taken. I doubt Jagex will do anything because he's not someone famous in the game, but well over 400M was taken and there was zero notification of it.
I've been targeted for 3 days by a hacker; passwords kept on changing. Found he put the malicious stuff on my Microsoft cloud so my system would always get persisted. No logs found of last logins; Jagex denied my request for help about this, twice. Rip SoStronk.
My issue with the Jagex account is that if by some chance you do get hacked, I assume they have access to all of your accounts? If I'm wrong please correct me. This is the reason I've been putting it off.
There is also an email verification code as well as authenticator verification at the same time to log into a Jagex acc, whereas a regular acc only requires one or the other.
Having a Jagex account was the only thing that stopped my account from being gone forever from the 3rd party linking scam. I was at least able to keep it and try to rebuild. They still are saying they will reach out about it eventually.
This exact thing happened to my main account as well. Bank PIN was set up, 2FA on my account as well as my email, and yet they managed to "import my character" and wipe everything off my account in a matter of minutes. I've been safe since merging to the Jagex launcher... so far. Hopefully this issue will never happen again, because this was not the first time my account has been cleaned with years of progress lost.
I had this happen to me. No breach on my emails, had two-factor authenticator, didn't have Jagex accounts back then. Didn't get phished, didn't click on sketchy sites. Was the only time I had money in my inv that I logged out, because I had been at house parties.
It can be a remote access trojan, or something hidden in the boot sector of the account. Scans won't normally pick up on that. Security+ certification over here.
It's way more likely your friend has just been an idiot rather than Jagex leaking data including bank pins, every single time it's user error with their own poor security practices
A huge content creator in the Diablo world, Darth Microtransaction, just got his 21 year old OSRS account hacked and cleaned of all the items that he bought with bonds. Had about 5B and he has no clue how it happened. Wonder if that's a similar situation.
So, question about requiring to sign into a Jagex account every time. I use the actual Jagex launcher so maybe this is different. But when I log off the game and close the launcher I can just launch it again and I'm already signed in. Do I need to actually log off the launcher as well to sign in every time? (Dumb question, but lots of places also just allow you to log in manually every week or so, or actually manually sign out when you close the site.) Because I'd like to at least need to re-sign in every week or so but was unsure if that's an option.
A Jagex account is the same as being signed into the Jagex launcher with a non-Jagex account; it just has one login credential for all your accounts instead of making you sign in to each account individually on the launcher. Either way you are at the one-click login phase if you log in with any acc to the Jagex launcher.
@MrRsErik Idk if I like that tbh. I'd like to at least need to re-sign in to the launcher every week or so with my double authenticator. But I guess I'll just do it manually.
I just wanna say it’s a fucking tragedy that it took this mole slipper fiasco for the wider OSRS community to stop being afraid to even mention your name. Happy to see people finally opening up a bit to your hilarious content, which is probably some of the only truly unique content in the OSRS space these days
Btw, turning off your PC isn't actually turning it off. Unless you turn off hibernate mode, it's typically on by default in Windows 10/11, meaning when your PC is "powered off" it can still be remotely accessed and turned on via LAN. A proper RAT or keylogger built with the intent of actually working by a black hat will not be detected by any anti-virus. Simple reverse engineering and you know exactly what to do to not be detected, essentially. Also, Jagex could easily take an authentication key for Google 2FA from your Jagex account and sell or use that information to get through 2FA. Pretty much any company with 2FA stores an authentication key within your account that talks to Google servers. This would mean a data breach also gives them potential access to your Google 2FA.
It happened to me. No email compromised. Someone logged in, as verified by Jagex via support, from Venezuela. No answer and no help other than "please do better at securing your account." Laughable
I study cyber security and it could be this: if the 2FA automatically authenticates him, then an attacker can change the proxy settings in the user's browser to send all sessions through an attacker's machine. This is a type of session hijacking attack. You can also get rootkits that are really stealthy, so your friend would need an expert to take a look at his machine. You can 100% get infected from visiting a website; also, if an attacker has the IP address and the machine is vulnerable, then they can get in that way also.
Unless this guy is running an extremely outdated browser (which typically auto-update these days by default), no, they would still have to manually execute any download. If we take this story at face value, they didn't do this. The only way a drive-by download would execute is if they were exploiting a browser zero-day to break out of the browser's sandbox. Do you realise how much they could sell this for on the market? There are much more lucrative ways to make money with such an exploit instead of burning it to steal Runescape gold that has a chance of being detected by Jagex before being sold. Unless this guy is port-forwarding a vulnerable service, something a common person does not do (and if they did, would surely check this and rule it out), they are not exploiting his system over the Internet. I mean, the guy might have had RDP/SSH exposed to the Internet, but extremely unlikely. Typically, you can't do shit with a person's IP address outside of a DoS. Unless Jagex does have a breach, the most likely way this is happening is a MitM phish, which software 2FA isn't stopping. Or they did in fact download and execute. Could be a session hijack, but again no real way of knowing how this happened if the story is to be believed at face value - you can't alter a user's proxy settings by simply having a user visit your website.
@darkillusive Of course you can have dirty stuff downloaded by visiting a website; it still needs to be executed. Do you smooth brains not realise how ridiculous the Internet would be if this wasn't the case? Your browser session is in a sandbox... you're going back to 90s-level browser security.
A lot of people in the chat pretending to know how browsers and the internet work. Simply going to a website can't give you a virus; it can prompt or start a download for one depending on your settings, but the user still has to run it. Even if he did put his details in a phish or downloaded and ran a keylogger, you are all ignoring how 2FA was bypassed. Regardless of how the account details were obtained, there is a definite vulnerability with all the people I hear about getting hacked with 2FA, and Jagex needs to investigate.
As someone who used to hack accounts, everything you have said leads me to believe he traded off the items himself to an alt and claimed he was hacked. At this point only Jagex can see what's logged on the account, and if it was a different person they could absolutely track the items.
They probably used a VPN or somehow mimicked his PC as you don't get asked for 2FA if you're accessing your account from a previously used PC within 30 days or whatever the threshold is.
I recently came back to the game and the PIN on both my main and ironman was gone. 2FA was still enabled. Luckily nothing was gone; even the equipment in my inventory was still in place. I'm really confused about what happened tbh. It's a bit less than a month ago that I came back.
This literally just happened to me! Today, I just lost 1.4 bil. Has this been solved @king? This is nuts... I am pretty busted up about this. Sucks, I had the authenticator up and I have a Jagex account and everything. Do you have any leads on this?! Do you know if Jagex will refund or is it gone?
So a couple of things here. One, the authenticator for Jagex is impossible to remove, which is why I hope they don't change this, because I lost mine, but you have a list of backup codes that can be used to bypass the 2FA and log in with the code instead, one-time use for each code. I bet that's what happened here: the codes were leaked.
The thing is, if his PC was keylogged why would they only go for an OSRS account? So I don't think that is the case honestly; either a new exploit or a data breach that hasn't been made public.
@kreuk13 Except if you hacked someone's bank PIN you could send the money through a network of PayPal accounts and be practically too anonymous for regular police to make any sense of, for a few hundred dollars, which is probably more than they would get for most RS accounts hacked...
So it's rumored that if, let's say, player (a) buys gold, let's say 500... whether player (a) dies in a PvP death, bought something from a player, gives a split for an item, etc., then eventually Jagex can and has removed the 500m from player (b)'s account. It's been happening with DMs: someone buys gold and the winner (innocent person) has received a temp ban and the gold he won from the fight removed. So it could be Jagex just removing dirty gold. Question for you though, same thing just happened to a clan mate... they left all his untradeables, all his parchment still on items and left 500m gold... hard to say he was hacked when a hack would result in a cleaned account. So your friend, Condor, was his account cleaned or did they leave a fair amount of wealth still on the account?
I know you like to shit on people for being skeptical, but honestly, I don't trust Jagex accounts at all. I'm very well trained with a background in IT, and I know enough to say that the more convoluted the system is, the more room there is for error/attacks. I like the way my account is set up: I have a strong password, 2FA, bank PIN, not linked to RuneLite or Jagex launcher or Steam, I play pretty much mobile only, regular password changes, and I find it hard to believe my account is not secure. Probably more secure than my IRL bank account lol. Changing the way it's set up is only gunna open the door for more attacks, providing another new avenue for hackers to access my account. If there's an internal problem with a Jagex employee, who already has access to on-prem servers and account-related databases, a Jagex account isn't gunna do squat. Just my 2 cents, but I do appreciate the video highlighting account security in general. Many people, like myself, have put their soul into this stupid game for most of their life, and it would be devastating to lose everything over something so preventable.
Do you feel that your password is strong enough, knowing that without a Jagex account you don't have case sensitivity available for your password, let alone the ability to use symbols?
@KingCondor That is a valid question, and yes, it is extremely pathetic that symbols and case sensitivity aren't supported by standard Runescape accounts. However, when you learn about security, you will find out that the most important factor, above all else, is something called entropy. The more entropy your password has, the harder it is to crack. Google the phrase "Password Entropy" and either look at the common meme photo that is associated, or read some relevant articles if you'd like a better understanding. But basically, entropy is related to how many possible different combinations of characters your password can be, based on both the length and the available character set. While our character set IS limited by not allowing caps or symbols, a 28-letter alphabet, plus 10 numbers, combined with 20 available characters of length, makes for a ton of entropy. It's a common misconception that symbols and caps really make much difference to someone's password security, as symbols are typically substituted for similar-looking characters, are often used in very similar ways from user to user (i.e. ending your password with an exclamation point), and all of these substitutions and symbols are often easily overcome by common tools used in password cracking which do exactly that. They will run millions of iterations of the same general terms/words/phrases, and substitute out letters for caps, letters for symbols, and such. They will also make use of password dictionaries, which are massive tables consisting of millions of commonly used words and phrases for passwords, obtained from the data leaks of people's passwords on the dark web. So a LONG password, which strays from typically used words or phrases, and maybe makes use of some nonsensical terms, is always going to be the most secure. No need for caps or symbols. (edit: though you are right, it would technically help, if used in a smart way)

All this to say, if your account gets hacked using these password strategies, I can almost guarantee that it has NOTHING to do with your actual password. A high-entropy password would take a massive supercomputer hundreds of years to crack. It just isn't going to happen. If your account gets hacked using a password of this nature, it was not the password that was the problem -- it was either a data breach, a lack of security on the server side, a phished account, a malicious tool on your computer like a key logger / spyware, or social engineering used to overcome security questions.
@KingCondor A data breach attack can potentially be avoided by changing your password often. Phishing can be avoided by not being a dumbass. Security questions/social engineering can be avoided by using the same above-mentioned password strategies for your answers, and storing them in an equally secure password keeper. And malicious tools on your computer can also be avoided by not being a dumbass, as well as running frequent scans and having virus detection software enabled on your machine. You can also take my route, and play mobile only, not use any sort of Runescape plug-ins or downloads, and that helps a lot 😁 (edit) - And if it's a hole in Jagex's server security, or employee security, again, you're fucked either way lol. There is a chance that on their end, Jagex stores the new official "Jagex Account" credentials using a safer and more secure method than the previous account credential databases, but I can't really speak to that. I'd just rather not get my account wrapped up in it. Jagex has a tendency to promote all these great new ways of logging in and authenticating your account, and history has shown that doesn't usually end well. I.e., look at the Steam launcher and all of the associated hacks. They like to bypass security to allow a more convenient login process, and that's no bueno. (ps) - I just realized security questions aren't even in use by Jagex anymore, which is good! So we can check that one off the list... "Don't be a dumbass" has now moved even higher up the list of priorities =P
@KingCondor And again, I'm not trying to discredit anything you said in the video. I think highlighting account security in general is a really important topic that everyone should stay current on, and I'm NOT saying Jagex accounts are a bad thing. I'm sorry my replies were stupid-long, but I hope you managed to read them and that it makes sense. Either way, I love you King ♥ Mole Slippers to the moon 🚀
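Two claims in this thread are easy to put numbers on: the entropy argument in the replies above (a long password drawn from a small character set beats a short one with symbols, and a dictionary word with substitutions is weak however it is spelled) and the earlier point that slow hashing on the server cuts the rate at which a leaked database can be cracked. The following is an added example, not the commenters' code and not Jagex's. It assumes a 36-character set (26 lowercase letters plus 10 digits) for the 20-character case, an offline guess rate of 10^10 per second against a fast hash, and PBKDF2-HMAC-SHA256 at 200,000 iterations as the slow hash; all of those figures are illustrative assumptions.

```python
"""Added example (not the commenters' or Jagex's code): password entropy
arithmetic and a slow, salted hash.  Character-set sizes, guess rates and
iteration counts below are assumptions chosen for illustration."""
import hashlib
import hmac
import math
import os


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(charset_size)


def expected_guesses(charset_size: int, length: int) -> int:
    """Average guesses to hit a random password: half the keyspace."""
    return charset_size ** length // 2


def dictionary_bits(words: int, mangling_variants: int) -> float:
    """Entropy left when the password is a dictionary word plus a mangling
    rule (caps, symbol swaps, trailing '!'): the cracker searches only this
    space, so the symbols add at most log2(variants) bits."""
    return math.log2(words * mangling_variants)


def years_to_crack(guesses: int, guesses_per_second: float) -> float:
    return guesses / guesses_per_second / (365.25 * 86400)


# --- slow hashing: the server-side counterpart of the entropy argument -------
def hash_password(password: str, salt: bytes = b"", iterations: int = 200_000) -> dict:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt (stdlib; iteration count
    is an assumption, pick it by measuring cost on your own hardware)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password: str, record: dict) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def slowed_rate(raw_guesses_per_second: float, iterations: int) -> float:
    """Each PBKDF2 guess costs ~`iterations` HMACs, so an attacker's offline
    guess rate drops by roughly that factor compared with one raw hash."""
    return raw_guesses_per_second / iterations


if __name__ == "__main__":
    RAW_RATE = 1e10   # assumed offline guess rate against a single fast hash
    shapes = {"36^20 (lowercase+digits, 20 long)": (36, 20),
              "95^8 (all printable ASCII, 8 long)": (95, 8)}
    for label, shape in shapes.items():
        bits = entropy_bits(*shape)
        yrs = years_to_crack(expected_guesses(*shape), RAW_RATE)
        print(f"{label}: {bits:.1f} bits, ~{yrs:.3g} years at {RAW_RATE:.0e} guesses/s")
    # constructed figures: 100k-word list x 64 mangling rules
    print(f"dictionary word + mangling: {dictionary_bits(100_000, 64):.1f} bits")
    print(f"guess rate against PBKDF2: {slowed_rate(RAW_RATE, 200_000):.0f}/s")
    rec = hash_password("correct horse battery staple")   # constructed sample
    print(verify_password("correct horse battery staple", rec),
          verify_password("Tr0ub4dor&3", rec))
```

The two halves multiply: entropy sets how many guesses are needed, the hash cost sets how fast they can be made against a stolen database. A 20-character lowercase-plus-digits password is over 100 bits and out of reach at any realistic rate; an 8-character "complex" one is about 52 bits and survives only if the server's hash is slow. Neither number helps against phishing or a keylogger, which is the thread's other point.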
You're massively mistaken if you think it's hard to compromise a machine (keylogger); it's easier than it's ever been. You just need to click a web link now, and it will latch on to the next legitimate installer you launch.
My (Jagex) account was just cleaned and bank PIN changed. Idk how to be sure they couldn't log on again even if I get to reset the PIN. 2-step on everything; authenticator wasn't disabled.
Main way of hacks is data leaks from random websites. People get your email/password for that website, then try that combo for other shit. Dont use the same password across different things
I figured they would just use a cached file stored in your RS folder. replace the players file with yours... spoof the IP. Now Runelite now thinks it's someone else and it doesn't require a re auth. didn't this happen to twitter like 2 years ago.
On September 5th this also happened to me... granted I am rank 1 GIM for Chambers and for Nex... My computer was also off, and the only reason I knew was I logged into my main to do some 3rd age longsword flipping when I first woke up in the morning and saw someone was on my GIM acc through the friends list. I did not have a Jagex acc at the time, and my laptop I play from was turned off all night long and on my bed next to me like the sweaty gamer I am. My password was not changed, my authenticator was still on. The only difference between when I got hacked and when your friend got hacked is they did not have access to my bank account. Maybe because they didn't hack me right after I logged off and shut my computer down? My email and acc were never shared with anyone and were never typed anywhere on a computer other than the Jagex launcher and to make the account. The email and password were completely different from any I had ever used before and specific to this acc.
If you use your old passwords, and the logger is still trying to access auto in then you could get it accessed. I had that happen so I make sure to never use that password again
I would do the pin on login every time even with the same IP just to be safe honestly. They brute force pins too so even with one it's not 100% safe. And idk if they were ratted but the only way to defend against it is unplug your internet and find the RAT.
I logged into my main after like 2 years, my auth and bank pin were still on and somebody had botted like 2300 CG. Luckily I didn't get banned and they only got 1 enhanced weapon seed lmao. Made a Jagex account and had no problems since.
Sounds like a token grab from Jagex Accounts & maybe the tokens show bank pin data. Either that or they saw when he logged off, they logged in within the time frame of bank pins resetting from world hops.
I wonder if it could be someone on client side as well. I've been noticing people saying they have been hacked more since HDOS was released to the Jagex launcher.
Got hacked like this 3 years ago, was before Jed got fired from Jagex so I am kinda guessing it was him who disabled my authenticator, pin etc. Same situation though, pin, authenticator, on both email and account, and yeah, only started again a few weeks ago, lost a few mil on my ironman so yeah, you can guess why I didn't feel like using that acc again.
Opening a website can't give you a keylogger. You would have to download and run software, or type his information in a phish. Even if he did, that doesn't explain how they were able to get past 2FA. There has to be a vulnerability and Jagex has to investigate.
@aarons6935 Unless they exploited a zero-day to steal Runescape gold (lol) or the victim was using an extremely outdated browser, no, it cannot happen by simply visiting a website; they would still have to execute the download. This is the kind of exploit you would use against targets such as government officials or CEOs, not Runescape players.
My RS3 account and OSRS account are both the same login from before emails were possible and have been safe for 15 years. I don't see a reason to change it now, and I don't think I should be forced to either.
my main account was hacked last week, lost 2.5bill+ my email was changed and account was linked to a jagex account. i was able to recover the account but 2 days after it was recovered, the account is now perma banned for macroing... GG hackers, gg jagex.
how about this.... the guy sold his account to a botter for $$$ gets a ban for botting and tries recovering his own account he sold off .. botters normally buy accounts rather than train it themselves
Lost 7b two weeks ago. They transferred my RS account to a launcher acc lol. Unique email only for OSRS, always careful with links and whatnot. At least I've been going outside, got a promotion, and a new gf. . . I miss OSRS though :(
@Prominent_Gaming well guess I'll get a Jagex account then. Only thing holding me back was thinking I was forced to use their version and couldn't use RuneLite.
Just got hacked this week and banned for macroing, and my appeal just got denied today.. safe to say I'm not coming back after thousands of hours wasted.
It's not shilling you donkey, I'm trying to spread awareness to players and viewers of my community so they don't also fall victim to these hacks, take ya tin foil hat off and try not to be a cringer on youtube comments for once. You don't want to upgrade? So be it, don't come crying to me when your bank gets cleaned.
You should have all the other information + your IP address which they have also to recover your account? 2FA shouldn't play a role in the recovery process, just an extra layer that someone has to go through to attempt to take your RS account, right? @douganderson7002
Swapped with oakdice and unfortunately my long time password was leaked out there, logged out for 10 mins, came back hacked. Had an authenticator, had an easy bank pin unfortunately, email was fine.
Because hijackers are using the jagex launcher to bypass 2fa linking your account to a jagex account will make it so nobody else can play your runescape character through their launcher unless they login to your jagex account, I understand what you mean though and I don't think it's a leak, people are somehow embedding an official runescape site link with something that instantly sends your account to their launcher and they can now 1 click login to your account.
Bruh, people have put big bounties on hacking their RS accounts and even provide a bit of info to help with the process, but the hackers never succeed. People who say they didn't have a reason to get hacked are either lying or ignorant.
Doesn't matter if you use Jagex account or not, they hack into everything. I recently had mine hacked and lost everything 14b at time of hack. Had bank pin and everything setup. Jagex doesn't care as it keeps people grinding.
Your buddy was probably just stupid and fell for some phishing trick without realizing. I don't see how else they would have gotten past the bank pin etc. A leak wouldn't cause this either, since no game stores passwords etc. in clear text. Even with social engineering, his email etc. would be changed.
I fell for a phishing scam many years ago. There is a reason why Jagex says they will not email you directly regarding billing or code of conduct issues. Another possibility is those Discord team scams where they convince you to turn on Remote Desktop.
People need to stop using 3rd party clients just because they suck at the game. I'm pretty sure this is how most of you numb nuts get hacked.
All it takes is to install the wrong plug-in and boom. Why are people so naive?
If you aren't using any client and you log out, you need to automatically re-enter your PIN to get into your bank.
Yup. Literally just upgraded the second I saw the title.
Musiq Slayer
Found out my main's been hijacked too. Have a Jagex account and it's gone. Lost. 100s of hours down the drain.
Speaking like YouTube isn't the biggest business in the world, right?
Imagine if mods cherry picked people to lose their bank
I mean it's jagex I wouldn't be surprised
You mean like how Mod Trident targeted Omar?
@8bitpothead use a stronger password that isn't shared across multiple accounts and services. Unless they have an account lockout mechanism, this is your only defence.
I just got hacked 2 weeks ago and they took 3.5b worth of gear off my account. Same thing, through my authenticator and bank pin.
Checked my account and my computer and all of that, no idea how it happened. I still factory reset my computer just to make sure.
I don't want to use the account anymore and don't want to rebuild because I'm scared they still have access somehow.
7b here.
This exact shit happened to me and no one believed me. “It’s impossible to do without removing your 2fa” and so many other things I’m so paranoid to this day
You're correct that getting a keylogger is generally not something that "just happens". There are typically one of two ways:
1. A so-called "drive by" exploit is used. These exploits take advantage of known or unknown vulnerabilities in your browser, possibly in other software (i.e.: if you run a message app on your laptop someone could message you with one of these exploits). If you keep your system up to date you are generally not going to run into these.
2. Social engineering. This is just being tricked into running the software (as in, as opposed to "engineering" a technical attack, I "engineer" the attack by using some sort of social trickery). This is easier to do than you think - for example, you might just open a word document and, depending on your version of Word, that can actually execute code without warning (via the Microsoft Word macros feature). Of course you may have just run the executable the normal way as well.
Once the attacker has code execution on the machine keylogging is generally quite straightforward on Windows and Linux. I assume it's not that hard on OSX but I think it may actually be trickier on a modern setup. For Mobile I frankly don't know.
I think (1) is not super likely to be the case just because it's relatively expensive.
The interesting thing here is the Bank PIN, by far. We can assume that the password was leaked in any number of ways. For one thing, as far as I know, the older Runescape accounts have absolute dogshit in terms of password protection. I wouldn't be surprised to find that they're really easy to bruteforce into if the password isn't *very* strong. If he reused his password anywhere, or if he had any recovery questions (seriously, just set your recovery questions to a bunch of garbage - never put real information in there), that increases the likelihood. Even if he just used a *similar* password on another site it may have caused issues.
But again, this leaves the pin. Couple of things.
1. Does he have the setting that requires the PIN after every log-in? Otherwise it is saved for 10 minutes. The attack here is obvious - if the attacker can log into the account they just have to try to do it while you're logged in and wait for you to log out.
2. The PIN may not have been random. Normally you'd have a 50% chance of guessing a perfectly random pin after about 5,000 tries. That's not really practical unless PIN failures can be tricked into not locking your bank. But I'd bet many people pick a specific year, for example the year that their account was created or a birth year. Was their pin random or did it have meaning?
The authenticator is another big concern. Brute forcing an authenticator is perhaps possible in theory but practically I don't think it's likely. Certainly I would hope that they rate limit attempts, and detecting a bruteforce that requires ~500,000 attempts per minute for a 50% success rate seems like something any organization would notice even if they weren't looking for it (like, your ops team would notice before your sec team). So the question becomes - how did the attacker do it?
You asked how a keylogger could bypass the authenticator, which is a good question. *Generally* the way an authenticator (like the one used with Jagex) works is that a "cookie" is stored when you successfully auth. This means you don't have to use the authenticator again on your next log-in and the cookie will be valid for 30 days. I don't know more details about what Jagex has done here but an attacker with either an XSS vulnerability on the runescape website *or* code execution on the laptop would basically be able to bypass the authenticator no problem (the former isn't likely IMO for various reasons so I won't expand much more on what that would look like). Alternatively, the authentication method (called TOTP) that Jagex uses is phishable - the attacker simply asks for the token. It's actually not a very useful mechanism for that reason, but it does prevent an attacker from just logging in with a password if you reused it on another site. 2FA is largely oversold in terms of its protection unless you're using a hardware key like a Yubikey or some other newer techniques. Stuff like SMS 2FA or TOTP are really quite bad. I noticed someone said "you can't leak authenticator" and you said "yeah for 30 seconds" - just to be clear, 30 seconds is more than enough since if that's the last step for the attacker *they're in* and they can maintain that access for ~30 days.
To be honest, I think there is genuinely a good chance that they either have malware on their laptop that they logged in with or their mobile device (esp if they log in using Mobile). Given their use of authenticator I think that's the most likely option. Detecting that sort of thing after the fact can be really hard - your antivirus really might not be able to find it.
There is a chance that Jagex had a leak. It's always possible. Attackers may have information and rather than doing a mass attack they just target players who they see hanging around with a ton of GP. If that's the case the only defense is really to change your password and PIN - not bad ideas, frankly, as the cost is pretty low even if the chance of a leak isn't huge. This assumes that the attackers no longer have access, however, which, who knows.
My suggestion is that your friend backs up any important files, rotates passwords for important accounts like email, runescape, etc, factory resets his phone and his laptop, and is careful to only install apps and browser extensions that he can trust. Unfortunately it's just hard to say what happened here without a lot more information. It's perhaps worth Jagex opening an investigation as they should have far better logs about any accesses.
Personally I don't have a Jagex account because I'm a linux user and it looks like a pain in the ass to do it. But Jagex accounts also appear to be safer, from what I've seen - the main thing is that you can "Login with Google", which basically means that Jagex doesn't even *have* a password or authentication materials beyond the Authenticator app, they literally just defer to Google to say whether you are actually you. Google is very good at this. Using this approach means you're less likely to get phished and your security relies less on Jagex. In theory if the attacker doesn't have full access to their network but perhaps, just as an example, they have coerced an engineer into giving them a couple of passwords or whatever, a Jagex account would protect you. Keep in mind that I'm playing kind of fast and loose here, I know very little about Jagex infrastructure or Jagex Accounts other than that I tried to make one for a couple extra bank slots and then realized it would fuck me as a Linux user.
Source: Computer security professional. If you have any clarifying questions feel free to reply.
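The comment above reasons about TOTP brute force (~500,000 guesses for a 50% hit on a six-digit code) and says a provider should rate limit attempts. As an added example, not from the page or any commenter, here is a minimal RFC 6238 TOTP verifier in Python with per-account failure counting and lockout, plus the arithmetic that shows what such a policy does to that 50% budget. The lockout numbers (5 failures, 300 seconds) and the one-step drift window are assumed illustration values, not Jagex's settings; the test secret is the RFC 4226 reference key.

```python
import hashlib
import hmac
import struct

TOTP_STEP = 30            # RFC 6238 default time step (seconds)
TOTP_DIGITS = 6
MAX_FAILURES = 5          # assumed lockout policy for illustration, not Jagex's
LOCKOUT_SECONDS = 300


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, now: float, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(now // step))


class TotpVerifier:
    """Server-side verifier. Accepts the current step plus one step either side
    (clock drift), counts failures per account and refuses every attempt while
    the account is locked out. Lockout numbers are an assumed policy."""

    def __init__(self, max_failures: int = MAX_FAILURES, lockout: int = LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout = lockout
        self.failures: dict[str, tuple[int, float]] = {}   # account -> (count, first_failure_at)
        self.locked_until: dict[str, float] = {}

    def verify(self, account: str, secret: bytes, code: str, now: float) -> bool:
        if now < self.locked_until.get(account, 0.0):
            return False                      # locked: even a correct code is refused
        step = int(now // TOTP_STEP)
        for drift in (-1, 0, 1):
            if hmac.compare_digest(hotp(secret, step + drift), code):
                self.failures.pop(account, None)
                return True
        count, first = self.failures.get(account, (0, now))
        if now - first > self.lockout:        # stale failure window: count afresh
            count, first = 0, now
        count += 1
        self.failures[account] = (count, first)
        if count >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            self.failures.pop(account, None)
        return False


def guesses_for_half_chance(digits: int = TOTP_DIGITS, accepted_codes: int = 1) -> int:
    """Expected guesses for a 50% chance of hitting a valid code when
    `accepted_codes` codes are valid at once (the drift window above makes it 3).
    With a single valid code this is the ~500,000 figure quoted in the comment."""
    return (10 ** digits) // (2 * accepted_codes)


def days_to_half_chance(max_failures: int = MAX_FAILURES, lockout: int = LOCKOUT_SECONDS,
                        accepted_codes: int = 3) -> float:
    """How far the lockout policy stretches that budget: at most `max_failures`
    guesses per `lockout` seconds, so the 50% point moves from minutes to months."""
    guesses_per_day = max_failures * 86400 / lockout
    return guesses_for_half_chance(accepted_codes=accepted_codes) / guesses_per_day
```

The drift window is the usual trade-off: it tolerates a phone clock that is a few seconds off, but it triples the number of codes an attacker can hit, which is why the lockout matters more than the code length. The lockout also refuses the correct code while locked, so a guessing run cannot simply continue on the next step.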
A lot of people claim being hacked after RWTing then they claim oh I was hacked and get the account back
16 years of playing and I've never been hacked
**knock on wood** I hope
I'm not sure a data leak from Jagex is enough. They would need some serious vulnerabilities (such as session hijacking as others have mentioned) to bypass the 2fa. Our passwords are (typically) hashed, so even if there was a data leak with users accounts information, they would either have to take the dictionary offline and brute force it, or use legit account recovery processes, but seeing as how no one is getting those emails, it's most likely not that. That being said, based on what Jagex is advertising with the new Jagex accounts, it does sound like they have employed slow-hashing, which is great mitigation against brute force attacks. It slows down the amount of accounts hackers can get considerably and that alone is a good enough reason to switch.
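The comment above makes two points worth seeing in code: leaked password hashes must be cracked offline, and slow hashing makes that offline work far more expensive. As an added example, not from the page or any commenter, here is the weak unsalted fast hash beside a salted PBKDF2-HMAC-SHA256 record with an embedded work factor, in Python's standard library. The 600,000 iteration count is an assumed work factor chosen for illustration, and the helper at the end is a defender's check on two constructed credential dumps: with unsalted fast hashes, equal digests expose password reuse across sites without cracking anything at all.

```python
import hashlib
import hmac
import os

# Assumed work factor for illustration; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def fast_hash(password: str) -> str:
    """The weak 'before': one unsalted SHA-256. The same password gives the same
    digest on every site that does this, and a GPU tries billions per second."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Slow, salted hash stored as algorithm$iterations$salt$digest, so the work
    factor can be raised later without invalidating older records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def leak_cross_matches(dump_a: dict[str, str], dump_b: dict[str, str]) -> list[str]:
    """Defender's triage over two leaked dumps (user -> stored hash): users whose
    stored hash is byte-identical in both. Only unsalted fast hashes can match
    this way, which is exactly the reuse that credential-stuffing exploits."""
    return sorted(u for u in dump_a if u in dump_b and dump_a[u] == dump_b[u])
```

A verifier that takes a few hundred milliseconds per login is unnoticeable to a player but caps an attacker at a few guesses per second per core against the leaked record, instead of billions.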
The session token thing is just what your client uses to track that you are logged in, basically everything uses them because if they didn't you could never stay logged in to anything. While it's unlikely, the way this would work with OSRS is that someone would get access to the session token your buddy was using when he was logged in, and then re-use the same token to make the game think it's the same session as the previous one. This doesn't need the original PC to be on at the time of the account take over, just on when the person was stealing the token.
Seems unlikely someone would do that for some randoms OSRS account, it's not likely something your random script kid would be capable of, so if this *is* how he was hacked, it was targeted as opposed to random, whether it's about who your friend is IRL, or maybe extreme wealth on the account. Overall, don't think this is what happened, just that it's possible.
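The two comments above describe session-token replay: copy the token from a logged-in client and reuse it elsewhere so the server treats it as the same session. As an added example, not from the page or any commenter, here is a server-side session store in Python that makes a bare token insufficient: each session is bound to a device fingerprint presented at issue time, expires after a fixed lifetime, is revoked on the spot when the fingerprint does not match, and is dropped for the whole account on a password reset. The 30-day lifetime is the figure the thread mentions, taken here as an assumption; the fingerprint inputs and client names are constructed.

```python
import hashlib
import secrets

SESSION_TTL = 30 * 24 * 3600   # assumed 30-day session lifetime


def device_fingerprint(user_agent: str, install_id: str) -> str:
    """Stable hash of properties the client presents at login. A token replayed
    from another machine will not reproduce it. Inputs are constructed here."""
    return hashlib.sha256(f"{user_agent}|{install_id}".encode()).hexdigest()


class SessionStore:
    """Sessions keyed by a random token. Resuming needs the token, the same
    fingerprint, and an unexpired record; a mismatch is treated as theft."""

    def __init__(self):
        self.sessions: dict[str, dict] = {}

    def issue(self, user: str, fingerprint: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "fp": fingerprint, "expires": now + SESSION_TTL}
        return token

    def resume(self, token: str, fingerprint: str, now: float):
        """Return the user for a valid token, else None. Expired sessions are
        dropped; a fingerprint mismatch revokes the session outright so the
        legitimate owner is forced to log in again and can notice."""
        s = self.sessions.get(token)
        if s is None:
            return None
        if now >= s["expires"]:
            del self.sessions[token]
            return None
        if not secrets.compare_digest(s["fp"], fingerprint):
            del self.sessions[token]
            return None
        return s["user"]

    def revoke_user(self, user: str) -> int:
        """Drop every session for `user` (do this on password reset); returns the count."""
        dead = [t for t, s in self.sessions.items() if s["user"] == user]
        for t in dead:
            del self.sessions[t]
        return len(dead)
```

Binding to a fingerprint does not help if the attacker has code execution on the same machine, since they can present the same properties; it raises the cost of the copy-the-token-elsewhere case the comments describe, and revocation on password change is what makes the "rotate your passwords" advice actually terminate an existing session.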
I thought this also, as Best Buy was repairing one of my computers when this happened to me, and it was the only explanation that someone got access while it was in their possession and copied the token from one computer and input it into their own client at home later. However, with this happening to others as well, I can rule out the probability of Best Buy having a private information leak.
Does anyone think that it's harder to get your account hacked if your login email was mistyped at the account creation and was changed to be correct after the fact?
There's a setting where the bank PIN is only needed after 15 mins after logout; if you log out and a hacker logs in instantly, no bank PIN is needed if certain settings are used. Basically you can log out, then back in within the time, and the bank just opens without a PIN.
Only from the same ip/device.
Set it to require every log / world switch, yes it's inconvenient but it's the safest option
@UndeadShadowHunter that's the setting I use.
@Josh-sm6td device mirroring would concur this....
This 👆 It's a bit less convenient, but at least they can't get into your bank unless they also have your pin.
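The exchange above (and the earlier point about the PIN being cached for a few minutes after entry) describes a policy: after a correct PIN the bank stays open for a grace window, only from the same IP/device, unless the account is set to require the PIN on every login. As an added example, not from the page or any commenter, here is that policy as a small Python model so the two settings can be compared on concrete timestamps. The 15-minute window, the device identifier and the session ids are assumed illustration values, not Jagex's actual implementation.

```python
from dataclasses import dataclass
from typing import Optional

PIN_GRACE_SECONDS = 15 * 60   # the 15-minute window mentioned in the thread; assumed value


@dataclass
class PinCache:
    """What the server remembers after a correct PIN entry (constructed model)."""
    entered_at: Optional[float] = None   # when the PIN was last entered correctly
    device: Optional[str] = None         # device/IP that entered it
    session_id: Optional[str] = None     # login session in which it was entered


class BankPinPolicy:
    def __init__(self, require_every_login: bool, grace: int = PIN_GRACE_SECONDS):
        self.require_every_login = require_every_login
        self.grace = grace

    def record_pin_entry(self, cache: PinCache, device: str, session_id: str, now: float) -> None:
        cache.entered_at, cache.device, cache.session_id = now, device, session_id

    def pin_needed(self, cache: PinCache, device: str, session_id: str, now: float) -> bool:
        """True when the bank must ask for the PIN before opening."""
        if cache.entered_at is None:
            return True
        if self.require_every_login and session_id != cache.session_id:
            return True                      # strict setting: a fresh login always re-asks
        if device != cache.device:
            return True                      # grace only applies from the same device/IP
        if now - cache.entered_at > self.grace:
            return True                      # window elapsed
        return False

    def login_gap_risk_seconds(self, cache: PinCache, now: float) -> float:
        """How long, from `now`, a new login from the same device could still
        open the bank without a PIN under this policy (0 when strict)."""
        if self.require_every_login or cache.entered_at is None:
            return 0.0
        return max(0.0, cache.entered_at + self.grace - now)
```

The lenient policy's `login_gap_risk_seconds` is the exposure the thread is worried about: a second login that arrives inside the window and looks like the same device never sees the PIN prompt. The strict setting closes that gap at the cost of one extra prompt per login.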
Just doesn't let me make one.
Every time I enter all my details it says "YOU HAVE BEEN BLOCKED" on the launcher and doesn't let me upgrade to a Jagex account.
After all that discussion, did anyone mention the possibility of a close friend committing the hack? Maybe I missed it if anyone suggested it. I know people want to trust their friends, but there are some dodgy people out there. I have on a few occasions trusted a friend on my account. I am a very secure person as well. If me, being the person I am, trusted a friend to be on my account once or twice, is it possible at all that this guy did the same thing and perhaps trusted the wrong person? Idk the details of how a friend would do it, but just an idea.
Probably insider threats, someone from Jagex is feeding accs. We've already had a Trident and that other dude from ROT, so this wouldn't be far off. There's also social engineering attacks, hackers eventually access the perimeter and then act as a silent reader or even leave backdoors in there. This game is old as hell, I wouldn't be surprised if people would do this kinda stuff.
Really makes you think, don't it? Jagex has a terrible botting problem and it's a private company. Who's to say someone who works there isn't setting stuff up like this on the back end. Embezzlement is a real crime that affects many other companies.
@ownage11445 problem is video game companies are prone to these types of attacks, CoD/WoW/New World etc. all of them have this stuff, not just RuneScape. The difference between RuneScape and other games is that this game actually takes action on gold buyers/sellers. I could be on New World and buy 300k gold no problem and not be banned; in OSRS/RS3 that's different. Botting is always going to be a concern because that happens everywhere; I think Jagex is the only one that actually makes the attempt to proactively ban them. You also have this game that's run on a specific client that uses no form of anti-cheating detection client; it's all built into the game and monitored like that. If they simply just added a couple more security features that would pretty much solve most of their account hack problems. They also might not be fully following GDPR regulations either if this is happening often. If a player's account is hacked, that essentially is their PII data: first/last/email/address/CC information/telephone, so they can be found violating these policies for not properly securing their customer data.
Not siding with Jagex on this either, took me 10 years to recover my childhood account, and I had to convince a Reddit JMod by providing extensive proof. Not all employees are bad but there's usually 1-2 in a batch.
This happened to a friend of mine recently. I saw her log in for the first time in 6 months, and only for a minute. I messaged her on Discord and she said that wasn't her. She logged in to find her bank pin was trying to be reset. They somehow got in past her two factor. She works in cyber security and is always extremely careful with her credentials for anything.
This exact thing happened to me on September 5th on the rank 1 GIM for Nex and Chambers. Nothing was changed but I saw my own GIM acc online right after turning on my computer and logging in my main to do a few flips at the GE before getting to the GIM grind for the day.
@MrRsErik My friend migrated to a Jagex account immediately after it happened (while also resetting her password) and hasn't had any problems since. Hopefully you haven't either.
It's also happened to a few people in my clan that did end up losing accounts.
Same thing happened to my friend’s account. Logged in for a minute or so and logged in. Account gone. I immediately changed to a jagex account
Thanks for the info I pulled the trigger and got jagex launcher on my account
As someone who doesn't have a jagex account I'm going to get one. Thanks!
thanks for the upload! been looking forward to this one
Just imagine Jagex leaking info to push people to a Jagex account. To say "see no hacking here". Let the conspiracy begin.
Had my account banned and appeal denied after I got banned, had thousands of hours and now I have no idea what to do
Yeah same! Back when trident was mod too 😂
Ya boy just clicked on some shit he shouldn't have.
Meanwhile here I am still logging in with my RSN and a password I haven't changed in ages.
1 click login alone is enough to make me a Jagex account believer. Can't believe I played so long without one.
the jagex launcher allowed 1 click login without a jagex account but okay...
I think you're right on the data leak. My brother's account got hacked out of nowhere. He has zero friends on the game as he barely plays and when he does it's with me. None of our friends play. Legit his account is a ghost. Out of nowhere his pass/email was changed without notice and everything taken. I doubt Jagex will do anything because he's not someone famous in the game, but well over 400M was taken and there was zero notification of it.
I've been targeted for 3 days by a hacker, passwords kept on changing, found he put the malicious stuff on my Microsoft cloud so my system would always get persisted. No logs found of last logins, Jagex denied my request for help about this, twice. Rip SoStronk.
Watching the King blow glass while I blow glass. This some good shit.
My issue with the Jagex account is that if by some chance you do get hacked, I assumed they have access to all of your accounts? If I'm wrong please correct me. This is the reason I've been putting it off.
This is correct, however your 10 year old login credentials are much more likely to be leaked than login credentials you created 1 week ago.
There is also an email verification code as well as authenticator verification at the same time to log into a Jagex acc, whereas a regular acc only requires one or the other.
@MrRsErik thank you for the info
Having a Jagex account was the only thing that stopped my account from being gone forever from the 3rd party linking scam. I was at least able to keep it and try to rebuild. They still are saying they will reach out about it eventually.
This exact thing happened to my main account as well, bank pin was set up, 2fa on my account as well as my email and yet they managed to "import my character" and wipe everything off my account in the matter of minutes. I've been safe since merging to the Jagex launcher...so far. Hopefully this issue will never happen again because this was not the first time my account has been cleaned with years of progress lost.
I had this happen to me, no breach on my emails, had 2 factor authenticator, didn't have jagex accounts back then.
Didn't get phished, didn't click on sketchy sites.
Was the only time i had money in my inv that I logged out because I had been at house parties.
It can be a Remote Access Trojan, or something hidden in the boot sector of the account. Scans won't normally pick up on that.
Security + Certification over here
this
Can you suggest a way for us plebs to check on this sort of thing? I can't lose my account, I would be pissed.
@DickiMoltisanti don't open suspicious emails, don't use suspicious plugins, and stop watching pron on your computer.
Serious question that I'd love an answer to ... if you get banned on a character linked to ur Jagex acc do all the characters get banned? 🎉
It's way more likely your friend has just been an idiot rather than Jagex leaking data including bank pins, every single time it's user error with their own poor security practices
you think they disabled 2fa to download runescape gold generator? or what?
A huge content creator in the Diablo world Darth Microtransaction just got his 21 year old Osrs account hacked and cleaned of all the items that he bought with bonds, had about 5B and he has no clue how it happened. Wonder if that's a similar situation.
He didnt even have auth
@mydogatethebones oh I couldn't remember... that makes sense
So question about requiring to sign into a Jagex account every time. I use the actual Jagex launcher so maybe this is different. But when I log off the game and close the launcher I can just launch it again and I'm already signed in. Do I need to actually log off the launcher as well to sign in every time (dumb question, but lots of places also just make you log in manually every week or so, or actually manually sign out when you close the site) because I'd like to at least need to re-sign in every week or so but was unsure if that's an option.
A Jagex account is the same as being signed into the Jagex launcher with a non-Jagex account; it just has one login credential for all your accounts instead of making you sign in to each account individually on the launcher. Either way you are at the one-click login phase if you log in with any acc to the Jagex launcher.
@MrRsErik idk if I like that tbh, I'd like to at least need to re-sign in to the launcher every week or so with my double authenticator. But I guess I'll just do it manually.
I just wanna say it’s a fucking tragedy that it took this mole slipper fiasco for the wider OSRS community to stop being afraid to even mention your name. Happy to see people finally opening up a bit to your hilarious content, which is probably some of the only truly unique content in the OSRS space these days
I have a Jagex account and double authenticator, and I still get e-mails from Jagex of password reset attempts.
Btw turning off your PC isn't actually turning it off. Unless you turn off hibernate mode, it's typically on by default in Windows 10/11. Meaning when your PC is "powered off" it can still be remotely accessed and turned on via LAN.
A proper RAT or keylogger built with the intent of actually working by a black hat will not be detected by any anti-virus. Simple reverse engineering and you know exactly what to do to not be detected, essentially.
Also Jagex could easily take an authentication key for Google 2FA from your Jagex account and sell or use that information to get through 2FA. Pretty much any company with 2FA stores an authentication key within your account that talks to Google servers. This would mean a data breach also gives them potential access to your Google 2FA.
This is why I have an email for my main and a pc for RuneScape that nothing else is on.
Lolll, a dedicated runescape pc. True gamer here, I love it 😂♥
@kaylor87 mandatory haha
It happened to me. No email compromised. Someone logged in, as verified by Jagex via support, from Venezuela. No answer and no help other than "please do better at securing your account."
Laughable
I study cyber security and it could be this: if the 2FA automatically authenticates him, then an attacker can change the proxy settings in the user's browser to send all sessions through an attacker's machine. This is a type of session hijacking attack. You can also get rootkits that are really stealthy, so your friend would need an expert to take a look at his machine. You can 100% get infected from visiting a website; also, if an attacker has the IP address and the machine is vulnerable then they can get in that way also.
Unless this guy is running an extremely outdated browser (which typically auto-update these days by default), no, they would still have to manually execute any download. If we take this story at face value, they didn't do this.
The only way a drive-by-download would execute is if they were exploiting a browser zero-day to breakout of the browser's sandbox. Do you realise how much they could sell this for on the market? There are much more lucrative ways to make money with such an exploit instead of burning it to steal Runescape gold that has a chance of being detected by Jagex before being sold.
Unless this guy is port-forwarding a vulnerable service, something a common person does not do (and if they did would surely check this and rule it out), they are not exploiting his system over the Internet. I mean, the guy might have had RDP/SSH exposed to the Internet, but extremely unlikely. Typically, you can't do shit with a person's IP address outside of a DoS.
Unless Jagex does have a breach, most likely way this is happening is MiTM phish, which software 2fa isn't stopping. Or they did in fact download and execute. Could be a session hijack, but again no real way of knowing how this happened if the story is to be believed at face value - you can't alter a user's proxy settings by simply having a user visit your website.
1000% Thinking you can't get all sorts of nasty shit on your comp from just visiting a site is some heavy dose copium.
@@darkillusive of course you can have dirty stuff downloaded by visiting a website, it still needs to be executed. Do you smooth brains not realise how ridiculous the Internet would be if this wasn't the case? Your browser session is in a sandbox... you're going back to 90s-level browser security.
I get confused with all this stuff, can I still use Runelite with a Jagex account or would I have to use OG client?
The Jagex account client will open a Runelite session for you or whatever client you’re using.
A lot of people in the chat pretending to know how browsers and the internet work. Simply going to a website can't give you a virus; it can prompt or start a download for one depending on your settings, but the user still has to run it. Even if he did put his details in a phish or downloaded and ran a keylogger, you are all ignoring how 2FA was bypassed. Regardless of how the account details were obtained, there is a definite vulnerability with all the people I hear about getting hacked with 2FA, and Jagex needs to investigate.
As someone who used to hack accounts, everything you have said leads me to believe he traded off the items himself to an alt and claimed he was hacked. At this point only Jagex can see what's logged on the account, and if it was a different person they could absolutely track the items.
They probably used a VPN or somehow mimicked his PC as you don't get asked for 2FA if you're accessing your account from a previously used PC within 30 days or whatever the threshold is.
this would probably be a lot easier to do with a phone spoof of some kind
phishing links can easily bypass all that, this Condor guy has no clue what he's talking about lol
I recently came back to the game and the PIN on both my main and ironman was gone. 2fa was still enabled. Luckily nothing was gone, even the equipment in my inventory was still in place. I'm really confused about what happened tbh. This is a bit less than a month ago I came back.
This literally just happened to me! Today, I just lost 1.4 bil. Has this been solved @king? This is nuts... I am pretty busted up about this. Sucks, I had the authenticator up and I have a Jagex account and everything do you have any leads on this?! Do you know if Jagex will refund or is it gone?
The fact that normal log-in doesn't have case sensitive passwords is insane. For the longest time I thought it did and was using caps
So a couple of things here. One, the authenticator for Jagex is impossible to remove, which is why I hope they don't change this, because I lost mine. But you have a list of backup codes that can be used to bypass the 2FA and log in with instead, one-time use each. I bet that's what happened here: the codes were leaked.
this actually is the first thing someone has said that makes a bit of sense ty for input.
The thing is if his pc was key logged why would they only go for a osrs account so I don’t think that is the case honestly, either new exploit or data breach that hasn’t been public
because the police won't investigate hacking an OSRS account; they might come down a little harder when you steal his IRL bank pin :)
@@kreuk13 except if you hacked someone's bank PIN you could send the money through a network of PayPal accounts and be practically too anonymous for regular police to make any sense of, for a few hundred dollars, which is probably more than they would get for most RS accounts hacked...
So it's rumored that if, let's say, player (a) buys gold, let's say 500m... whether player (a) dies in a PvP death, bought something from a player, gives a split for an item, etc., then eventually Jagex can and has removed the 500m from player (b)'s account. It's been happening with DMs: someone buys gold, and the winner (innocent person) has received a temp ban and the gold he won from the fight removed. So it could be Jagex just removing dirty gold. Question for you though, same thing just happened to a clan mate... they left all his untradables, all his parchment still on items, and left 500m gold... Hard to say he was hacked when a hack would result in a cleaned account. So, your friend, Condor, was his account cleaned or did they leave a fair amount of wealth still on the account?
I know you like to shit on people for being skeptical, but honestly, I don't trust Jagex accounts at all. I'm very well trained with a background in IT, and I know enough to say that the more convoluted the system is, the more room there is for error/attacks. I like the way my account is set up: I have a strong password, 2FA, bank PIN, not linked to RuneLite or the Jagex launcher or Steam, I play pretty much mobile only, regular password changes, and I find it hard to believe my account is not secure. Probably more secure than my IRL bank account lol. Changing the way it's set up is only gonna open the door for more attacks, providing another new avenue for hackers to access my account. If there's an internal problem with a Jagex employee, who already has access to on-prem servers and account-related databases, a Jagex account isn't gonna do squat. Just my 2 cents, but I do appreciate the video highlighting account security in general. Many people, like myself, have put their soul into this stupid game for most of their life, and it would be devastating to lose everything over something so preventable.
do you feel that your password is strong enough knowing that without a jagex account, you don't have case sensitivity available for your password? let alone the ability to use symbols
@@KingCondor That is a valid question, and yes, it is extremely pathetic that symbols and case sensitivity aren't supported by standard runescape accounts. However, when you learn about security, you will find out that the most important factor, above all else, is something called entropy. The more entropy your password has, the harder it is to be cracked.
Google the phrase "Password Entropy" and either look at the common meme photo that is associated, or read some relevant articles if you'd like a better understanding. But basically, entropy is related to how many possible different combinations of characters your password can be, based on both the length and the available character set. While our character set IS limited by not allowing caps or symbols, a 28-letter alphabet, plus 10 numbers, combined with 20 available characters of length, makes for a ton of entropy.
It's a common misconception that symbols and caps really make much difference to someone's password security, as symbols are typically substituted for similar-looking characters, are often used in very similar ways from user-to-user (ie ending your password with an exclamation point), and all of these substitutions and symbols are often easily overcome by common tools used in password cracking which do exactly that. They will run millions of iterations of the same general terms/words/phrases, and substitute out letters for caps, letters for symbols, and such. They will also make use of password dictionaries, which are massive tables consisting of millions of commonly used words and phrases for passwords, obtained from the data-leaks of people's passwords on the dark web. So a LONG password, which strays from typically used words or phrases, and maybe makes use of some nonsensical terms, is always going to be the most secure. No need for caps or symbols. (edit: though you are right, it would technically help, if used in a smart way)
All this to say, if your account gets hacked using these password strategies, I can almost guarantee that it has NOTHING to do with your actual password. A high-entropy password would take a massive supercomputer hundreds of years to crack. It just isn't going to happen. If your account gets hacked using a password of this nature, it was not the password that was the problem -- it was either a data breach, a lack of security on the server side, a phished account, a malicious tool on your computer like a keylogger / spyware, or social engineering used to overcome security questions.
@@KingCondor A data-breach attack can potentially be avoided by changing your password often. Phishing can be avoided by not being a dumbass. Security questions/social engineering can be avoided by using the same above-mentioned password strategies for your answers, and storing them in an equally secure password keeper. And malicious tools on your computer can also be avoided by not being a dumbass, as well as running frequent scans and having virus detection software enabled on your machine. You can also take my route, and play mobile only, not use any sort of RuneScape plug-ins or downloads, and that helps a lot 😁
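The entropy argument above can be put into numbers. The following is an added worked example in Python, not code from the video or from anyone in this thread; it assumes a character set of the 26 lowercase Latin letters plus 10 digits (what a login without case sensitivity or symbols effectively allows) and an offline guess rate of 10^12 per second, which is a deliberately generous figure for a fast unsalted hash and far above what any online login form would allow. It also puts a number on the "word plus common substitutions" case the commenter describes, modelled as a dictionary of 100,000 words with 64 mangling variants each; all of these parameters are assumptions chosen for illustration.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumptions for the illustration (not figures from the thread):
LOWER_AND_DIGITS = 26 + 10      # character set a non-case-sensitive, no-symbol login allows
OFFLINE_GUESS_RATE = 1e12       # guesses per second against a fast, unsalted hash
DICTIONARY_WORDS = 100_000      # size of a common-password / wordlist
MANGLING_VARIANTS = 64          # caps, leet swaps, trailing digit/"!" and similar per word


def password_entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a password chosen uniformly at random: length * log2(charset_size)."""
    if length < 1 or charset_size < 2:
        raise ValueError("need at least one symbol drawn from a charset of at least two")
    return length * math.log2(charset_size)


def years_to_exhaust(length: int, charset_size: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of this shape at a fixed guess rate."""
    keyspace = charset_size ** length
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def dictionary_pattern_bits(dictionary_size: int, variants_per_word: int) -> float:
    """Effective entropy of 'dictionary word + common mangling': a cracker only has to
    try dictionary_size * variants_per_word candidates, whatever the password's length."""
    return math.log2(dictionary_size * variants_per_word)


def equivalent_random_length(bits: float, charset_size: int) -> float:
    """How many random characters from `charset_size` carry the same number of bits."""
    return bits / math.log2(charset_size)


def compare_password_shapes() -> dict:
    """Side-by-side figures for the shapes discussed in the thread."""
    long_random = password_entropy_bits(20, LOWER_AND_DIGITS)
    short_random = password_entropy_bits(8, 26)
    mangled_word = dictionary_pattern_bits(DICTIONARY_WORDS, MANGLING_VARIANTS)
    return {
        "20 random lowercase+digits: bits": round(long_random, 1),
        "20 random lowercase+digits: years": years_to_exhaust(20, LOWER_AND_DIGITS, OFFLINE_GUESS_RATE),
        "8 random lowercase: bits": round(short_random, 1),
        "8 random lowercase: years": years_to_exhaust(8, 26, OFFLINE_GUESS_RATE),
        "word+mangling: bits": round(mangled_word, 1),
        "word+mangling: equivalent random chars": round(
            equivalent_random_length(mangled_word, LOWER_AND_DIGITS), 1),
    }


if __name__ == "__main__":
    for label, value in compare_password_shapes().items():
        print(f"{label:45s} {value:.3g}")
```

The numbers support the commenter's point: twenty random characters from a 36-symbol set is roughly 103 bits, which no offline attack exhausts, while a dictionary word with caps, leet swaps and a trailing "!" is worth about 23 bits, the equivalent of four or five random characters, regardless of how long the word is. The same arithmetic also shows why any guess rate a login form actually permits (tens of attempts per minute) makes online brute force of even mediocre passwords impractical, which is why account takeovers with "strong" passwords usually come from reuse, phishing or malware rather than cracking.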
(edit) - And if it's a hole in Jagex's server security, or employee security, again, you're fucked either way lol. There is a chance that on their end, Jagex stores the new official "Jagex Account" credentials using a safer and more secure method than the previous account credential databases, but I can't really speak to that. I'd just rather not get my account wrapped up in it. Jagex has a tendency to promote all these great new ways of logging in and authenticating your account, and history has shown that doesn't usually end well. Ie, look at the Steam launcher and all of the associated hacks. They like to bypass security to allow a more convenient login process, and that's no bueno.
(ps) - I just realized security questions aren't even in use by Jagex anymore, which is good! So we can check that one off the list... "Don't be a dumbass" has now moved even higher up the list of priorities =P
@@KingCondor And again, I'm not trying to discredit anything you said in the video. I think highlighting account security in general is a really important topic that everyone should stay current on, and I'm NOT saying Jagex accounts are a bad thing. I'm sorry my replies were stupid-long, but I hope you managed to read them and that it makes sense. Either way, I love you King ♥ Mole Slippers to the moon 🚀
You're massively mistaken if you think it's hard to compromise a machine (keylogger); it's easier than it's ever been. You just need to click a web link now, and it will latch on to the next legitimate installer you launch.
Good shout. Even if it's some dud being careless and clicking a link that ran an exe, or some internal affair, still worth upgrading security.
My (Jagex) account was just cleaned and bank pin changed. Idk how to be sure they couldn't log on again even if i get to reset the pin.
2-steps on everything, Authenticator wasn't disabled.
Main way of hacks is data leaks from random websites. People get your email/password for that website, then try that combo for other shit. Don't use the same password across different things.
Could it be runelite/compromised plug-in?
All of them are public, I am sure someone would find the compromised code.
pretty much impossible unless plugins were installed from somewhere other than the plugin hub
I figured they would just use a cached file stored in your RS folder. replace the players file with yours... spoof the IP. Now Runelite now thinks it's someone else and it doesn't require a re auth.
didn't this happen to twitter like 2 years ago.
On September 5th this also happened to me... granted I am rank 1 GIM for Chambers and for Nex... my computer was also off, and the only reason I knew was I logged into my main to do some 3rd age longsword flipping when I first woke up in the morning and saw someone was on my GIM acc through the friends list. I did not have a Jagex acc at the time, and the laptop I play from was turned off all night long and on my bed next to me like the sweaty gamer I am. My password was not changed, my authenticator was still on. The only difference between when I got hacked and when your friend got hacked is they did not have access to my bank account. Maybe because they didn't hack me right after I logged off and shut my computer down? My email and acc were never shared with anyone and were never typed anywhere on a computer other than the Jagex launcher and to make the account. The email and password were completely different from any I had ever used before and specific to this acc.
If you use your old passwords, and the logger is still trying to access auto in then you could get it accessed. I had that happen so I make sure to never use that password again
I would do the pin on login every time even with the same IP just to be safe honestly. They brute force pins too so even with one its not 100% safe.
And idk if they were ratted but the only way to defend against it is unplug your internet and find the rat.
I logged into my main after like 2 years my auth and bank pin were still on and somebody had botted like 2300 cg luckily i didn't get banned and they only got 1 enhanced weapon seed lmao. Made a jagex account and had no problems since.
Key loggers can be installed remotely, and it can be phished through the site. But this is strange
Blows my mind that in 2023 people still aren't using 2fa...It's been around for decades now cmon people. Secure your shit.
2fa is easily bypassed
Yh deffo get a Jagex account, but you do need the Jagex launcher to play then, but it's worth it, you can just launch RuneLite with the Jagex launcher anyway.
Sounds like a token grab from Jagex Accounts & maybe the tokens show bank pin data. either that or they saw when he logged off, they logged in within the time frame of bank pins resetting from world hops.
I wonder if it could be someone on client side as well. Ive been noticing people saying they have been hacked more since HDOS was released to the jagex launcher
Got hacked like this 3 years ago
was before jed got fired from jagex so I am kinda guessing it was him who dissabled my authenticator, pin etc, same situation though, pin, authenticator, on both email and account, and yeah, only started again a few weeks ago
lost a few mil on my ironman so yeah, you can guess while I didn't feel like using that acc again
Ahkka plug in is a new one theyre doing at ToA, get the word out
he had to have gone to the site
Opening a website can't give you a keylogger. You would have to download and run software, or type his information into a phish.
even if he did, that doesn't explain how they were able to get past 2fa. There has to be a vulnerability and jagex has to investigate.
Opening a website can 100% give you a keylogger.@@SoftBreadSoft
@@SoftBreadSoft It can happen.
@@aarons6935 Unless they exploited a zero-day to steal RuneScape gold (lol) or the victim was using an extremely outdated browser, no, it cannot happen by simply visiting a website; they would still have to execute the download. This is the kind of exploit you would use against targets such as government officials or CEOs, not RuneScape players.
@@aarons6935 how?
My RS3 account and OSRS account are both the same login from before emails were possible and have been safe for 15 years. I don't see a reason to change it now, and I don't think I should be forced to either.
Jagex has a corrupt problem over the years another mod Jed situation perhaps
if jamflex officially supports linux, i'll do it. otherwise if my account gets compromised i'll go back to playing EvE, lmao.
Odds are your friend used services or got RATted
Exactly
my main account was hacked last week, lost 2.5bill+ my email was changed and account was linked to a jagex account. i was able to recover the account but 2 days after it was recovered, the account is now perma banned for macroing... GG hackers, gg jagex.
Upgraded my account, thanks
how about this.... the guy sold his account to a botter for $$$ gets a ban for botting and tries recovering his own account he sold off .. botters normally buy accounts rather than train it themselves
Lost 7b two weeks ago. They transferred my RS account to a launcher acc lol. Unique email only for OSRS, always careful with links and whatnot. At least I've been going outside, got a promotion, and a new gf. . . I miss OSRS though :(
At this point players who aren't using Jagex Accounts are just using their accounts to Bot..
Did you say runelite can be loaded thru the Jagex launcher???
Yup just downloaded it and launched it through the launcher. Looks pretty official.
@@Prominent_Gaming well guess I’ll get a Jagex account then. Only thing holding me back was thinking I was forced to use their version and couldn’t use runelite
Just got hacked this week and banned for macroing, and my appeal just got denied today... safe to say I'm not coming back after thousands of hours wasted.
The shilling for the jagex account is insane, is there any concrete proof they are safer?
its not shilling you donkey, I'm trying to spread awareness to players and viewers of my community so they don't also fall victim to these hacks, take ya tin foil hat off and try not to be a cringer on youtube comments for once. You don't want to upgrade? so be it, don't come crying to me when your bank gets cleaned
@@KingCondor wish this vid came out a month ago, my acc got poofed last week and ban appeal was denied
And what if it is a RuneScape data leak, what does having a RuneScape account have to do with it? If it’s a leak that would be a leak also
You should have all the other information + your IP address, which they also have, to recover your account? 2FA shouldn't play a role in the recovery process, just an extra layer that someone has to go through to attempt to take your RS account, right?
@@douganderson7002
Swapped with oakdice and unfortunately my long-time password was leaked out there. Logged out for 10 mins, came back hacked. Had an authenticator, had an easy bank PIN unfortunately, email was fine.
Jagex is the one hacking accounts to get people to switch over to a Jagex account
Popular D4 content creator / streamer Darth Microtransaction was also hacked very recently for bills he just made a vid about it today
This also why you don’t play osrs on steam. Also the reason any time I log out I have to re enter my bank pin
Same here
If it is a Jagex leak how will having a Jagex account help lol?
Because hijackers are using the Jagex launcher to bypass 2FA. Linking your account to a Jagex account will make it so nobody else can play your RuneScape character through their launcher unless they log in to your Jagex account. I understand what you mean though, and I don't think it's a leak; people are somehow embedding an official RuneScape site link with something that instantly sends your account to their launcher, and they can now 1-click login to your account.
Finally took your advice... I'm now Jagex-accounted.
Bruh, people have put big bounties on hacking their RS accounts and even provided a bit of info to help with the process, but the hackers never succeed. People who say they didn't have a reason to get hacked are either lying or ignorant.
Doesn't matter if you use Jagex account or not, they hack into everything. I recently had mine hacked and lost everything 14b at time of hack. Had bank pin and everything setup. Jagex doesn't care as it keeps people grinding.
Your buddy was probably just stupid and fell for some phishing trick without realizing. I don't see how else they would have gotten past the bank PIN etc. A leak wouldn't cause this either, since no game stores passwords etc. in clear text. Even with social engineering, his email etc. would be changed.
I fell for a phishing scam many years ago. There is a reason why Jagex says they will not email you directly regarding billing or code of conduct issues. Another possibility are those discord team scams where they convince you to turn on Remote Desktop.
Friend just had this happen on his RS3 account.
If someone got control of his PC with a remote program, they might've been able to bypass everything.
Peer-to-peer networking, once connected to a Discord voice chat, makes it very easy to get keylogged.
Should people Change PW and pin every so often to confuse the crooks?