Jagex Accounts NEED To Be Used To Prevent Getting Hacked in Oldschool Runescape

  • Published: 25 Aug 2024
  • I really am lost on how this account was hacked, the same thing has happened to various players over the past few years, there are more videos to come on this topic but I would love to hear what you guys think about this down below!

Comments • 271

  • @KingCondor  11 months ago +12

    I really am lost on how this account was hacked, the same thing has happened to various players over the past few years, there are more videos to come on this topic but I would love to hear what you guys think about this down below!

    • @Josh-sm6td 11 months ago

      With simply having someone’s phone number it is possible to rip all the data on your phone including anything you have saved to your google/apple/Microsoft account that is on your phone. It's possible to clone it etc everything. The jagex account can't really save it. Runescape accounts themselves could be targeted in much simpler ways, but the phone number is really all someone needs if they know what they are doing

    • @mabbeshwani7859 11 months ago

      Someone hacked a friend of mine, we went through his computer and I mean thoroughly and we didn't find a thing. I think they linked a steam account to his account afterwards.

    • @masterownsu7573 11 months ago

      People need to stop using 3rd party clients just because they suck at the game. I'm pretty sure this is how most of you numb nuts get hacked.

    • @masterownsu7573 11 months ago +1

      All it takes is to install the wrong plug-in and boom. Why are people so naive?

    • @masterownsu7573 11 months ago

      If you aren't using any client and you log out, you need to automatically re put your pin back in to get into your bank.

  • @RivaRiva222 11 months ago +21

    I just realised I just blindly follow everything King says.
    If he tells me to put in a buy order for 1000 Mole Slippers at 5m each, I'll do so.
    If he tells me to sign up to Jagex accounts, I'll sign up before even watching the video.
    Praise this man.

    • @Eljacob0 11 months ago +1

      Yup. Literally just upgraded the second I saw the title.

    • @Dualities 11 months ago

      Musiq Slayer

  • @itsthecponz 11 months ago +14

    The same thing has happened to my main 2 times. Had authenticator & bank pin set up and they still cleaned me. Only thing that makes sense to me is an internal runelite or jagex leak. I won't be convinced of anything else

    • @seanmcdaid2527 11 months ago +1

      Found out my main's been hijacked too. Have a jagex account and it's gone. Lost. 100s of hours down the drain

  • @randallbowers2983 10 months ago +2

    This exact shit happened to me and no one believed me. “It’s impossible to do without removing your 2fa” and so many other things I’m so paranoid to this day

  • @headassasin12 11 months ago +2

    I just got hacked 2 weeks ago and they took 3.5b worth of gear off my account. Same thing, through my authenticator and bank pin.
    Checked my account and my computer and all of that, no idea how it happened. I still factory reset my computer just to make sure.
    I don't want to use the account anymore and don't want to rebuild because I'm scared they still have access somehow.

  • @jdudey9369 11 months ago +10

    I think Jagex should also look into doing Phone number authenticators too. So if someone is attempting to get into your account you will get a random Otp in your text and be like ok what dumbass is trying to hack me.

    • @8bitpothead 11 months ago +2

      but how do you stop them? I got bruteforced this same way. Got like 6 emails a day about people requesting to reset my password. Emailed jagex, they didn't give a shit. Then they changed my pass, removed my 2fa, removed my pin, and took everything. Jagex's security is shit

    • @xCoNxKarMa 11 months ago

      SMS 2FA is insecure. For starters, it is unencrypted. Look up SIM Swapping attacks.
      Google Authenticate is leaps and bounds better. It is still vulnerable though, as is all virtual MFA.

    • @xCoNxKarMa 11 months ago

      @@8bitpothead use a stronger password that isn't shared across multiple accounts and services. Unless they have an account lockout mechanism, this is your only defence.

  • @jamesallen904 11 months ago +14

    Insane man, finished streaming after almost a 6 hour stream, then gets right into editing his videos for his consumers, what a sick lad, keep it bro, love seeing your subscriber count grow after every stream

    • @Dualities 11 months ago

      speaking like youtube isn't the biggest business in the world right

  • @RectumAche 11 months ago +16

    Imagine if mods cherry picked people to lose their bank

    • @philliam111 11 months ago +3

      I mean it's jagex I wouldn't be surprised

    • @azza9423 2 months ago

      You mean like how Mod Trident targeted Omar?

  • @coyork15 11 months ago +2

    You're correct that getting a keylogger is generally not something that "just happens". There are typically one of two ways:
    1. A so-called "drive by" exploit is used. These exploits take advantage of known or unknown vulnerabilities in your browser, possibly in other software (ie: If you run a message app on your laptop someone could message you with one of these exploits). If you keep your system up to date you are generally not going to run into these.
    2. Social engineering. This is just being tricked into running the software (as in, as opposed to "engineering" a technical attack, I "engineer" the attack by using some sort of social trickery). This is easier to do than you think - for example, you might just open a word document and, depending on your version of Word, that can actually execute code without warning (via the Microsoft Word macros feature). Of course you may have just run the executable the normal way as well.
    Once the attacker has code execution on the machine keylogging is generally quite straightforward on Windows and Linux. I assume it's not that hard on OSX but I think it may actually be trickier on a modern setup. For Mobile I frankly don't know.
    I think (1) is not super likely to be the case just because it's relatively expensive.
    The interesting thing here is the Bank PIN, by far. We can assume that the password was leaked in any number of ways. For one thing, as far as I know, the older Runescape accounts have absolute dogshit in terms of password protection. I wouldn't be surprised to find that they're really easy to bruteforce into if the password isn't *very* strong. If he reused his password anywhere, or if he had any recovery questions (seriously, just set your recovery questions to a bunch of garbage - never put real information in there), that increases the likelihood. Even if he just used a *similar* password on another site it may have caused issues.
    But again, this leaves the pin. Couple of things.
    1. Does he have the setting that requires the PIN after every log-in? Otherwise it is saved for 10 minutes. The attack here is obvious - if the attacker can log into the account they just have to try to do it while you're logged in and wait for you to log out.
    2. The PIN may not have been random. Normally you'd have a 50% chance of guessing a perfectly random pin after about 5,000 tries. That's not really practical unless PIN failures can be tricked into not locking your bank. But I'd bet many people pick a specific year, for example the year that their account was created or a birth year. Was their pin random or did it have meaning?
    The authenticator is another big concern. Brute forcing an authenticator is perhaps possible in theory but practically I don't think it's likely. Certainly I would hope that they rate limit attempts, and detecting a bruteforce that requires ~500,000 attempts per minute for a 50% success rate seems like something any organization would notice even if they weren't looking for it (like, your ops team would notice before your sec team). So the question becomes - how did the attacker do it?
    You asked how a keylogger could bypass the authenticator, which is a good question. *Generally* the way an authenticator (like the one used with Jagex) works is that a "cookie" is stored when you successfully auth. This means you don't have to use the authenticator again on your next log-in and the cookie will be valid for 30 days. I don't know more details about what Jagex has done here but an attacker with either an XSS vulnerability on the runescape website *or* code execution on the laptop would basically be able to bypass the authenticator no problem (the former isn't likely IMO for various reasons so I won't expand much more on what that would look like). Alternatively, the authentication method (called TOTP) that Jagex uses is phishable - the attacker simply asks for the token. It's actually not a very useful mechanism for that reason, but it does prevent an attacker from just logging in with a password if you reused it on another site. 2FA is largely oversold in terms of its protection unless you're using a hardware key like a Yubikey or some other newer techniques. Stuff like SMS 2FA or TOTP are really quite bad. I noticed someone said "you can't leak authenticator" and you said "yeah for 30 seconds" - just to be clear, 30 seconds is more than enough since if that's the last step for the attacker *they're in* and they can maintain that access for ~30 days.
    To be honest, I think there is genuinely a good chance that they either have malware on their laptop that they logged in with or their mobile device (esp if they log in using Mobile). Given their use of authenticator I think that's the most likely option. Detecting that sort of thing after the fact can be really hard - your antivirus really might not be able to find it.
    There is a chance that Jagex had a leak. It's always possible. Attackers may have information and rather than doing a mass attack they just target players who they see hanging around with a ton of GP. If that's the case the only defense is really to change your password and PIN - not bad ideas, frankly, as the cost is pretty low even if the chance of a leak isn't huge. This assumes that the attackers no longer have access, however, which, who knows.
    My suggestion is that your friend backs up any important files, rotates passwords for important accounts like email, runescape, etc, factory resets his phone and his laptop, and is careful to only install apps and browser extensions that he can trust. Unfortunately it's just hard to say what happened here without a lot more information. It's perhaps worth Jagex opening an investigation as they should have far better logs about any accesses.
    Personally I don't have a Jagex account because I'm a linux user and it looks like a pain in the ass to do it. But Jagex accounts also appear to be safer, from what I've seen - the main thing is that you can "Login with Google", which basically means that Jagex doesn't even *have* a password or authentication materials beyond the Authenticator app, they literally just defer to Google to say whether you are actually you. Google is very good at this. Using this approach means you're less likely to get phished and your security relies less on Jagex. In theory if the attacker doesn't have full access to their network but perhaps, just as an example, they have coerced an engineer into giving them a couple of passwords or whatever, a Jagex account would protect you. Keep in mind that I'm playing kind of fast and loose here, I know very little about Jagex infrastructure or Jagex Accounts other than that I tried to make one for a couple extra bank slots and then realized it would fuck me as a Linux user.
    Source: Computer security professional. If you have any clarifying questions feel free to reply.

  • @darkillusive 11 months ago +2

    I'm not sure a data leak from Jagex is enough. They would need some serious vulnerabilities (such as session hijacking as others have mentioned) to bypass the 2fa. Our passwords are (typically) hashed, so even if there was a data leak with users accounts information, they would either have to take the dictionary offline and brute force it, or use legit account recovery processes, but seeing as how no one is getting those emails, it's most likely not that. That being said, based on what Jagex is advertising with the new Jagex accounts, it does sound like they have employed slow-hashing, which is great mitigation against brute force attacks. It slows down the amount of accounts hackers can get considerably and that alone is a good enough reason to switch.

  • @nucleon1289 11 months ago +4

    A lot of people claim being hacked after RWTing then they claim oh I was hacked and get the account back

  • @02jeepwj 11 months ago +5

    16 years of playing and I've never been hacked

    • @kaylor87 11 months ago

      **knock on wood** I hope

  • @dracoreeper 11 months ago +2

    probably insider threats, someone from jagex is feeding accs. We've already had a trident and that other dude from ROT, so this wouldn't be far off. There's also social engineering attacks, hackers eventually access the perimeter and then act as a silent reader or even leave backdoors in there. This game is old as hell, I wouldn't be surprised if people would do this kinda stuff

    • @ownage11445 11 months ago

      Really makes you think don’t it? Jagex has a terrible botting problem and it’s a private company. Who’s to say someone who works there isn’t setting stuff up like this on the back end. Embezzlement is a real crime that affects many other companies.

    • @dracoreeper 11 months ago

      @@ownage11445 problem is video game companies are prone to these types of attacks, cod/wow/new world etc all of em have this stuff not just runescape. The difference between runescape and other games is that this game actually takes action on gold buyers/sellers. I could be on new world and buy 300k gold no problem and not be banned, in OSRS/RS3 that's different. Botting is always going to be a concern because that happens everywhere, think jagex is the only ones that actually make the attempt to proactively ban them. You also have this game that's run on a specific client that uses no form of anti-cheating detection client. it's all built into the game and monitored like that. If they simply just added a couple more security features that would pretty much solve most of their account hack problems. They also might not be fully following GDPR regulations either if this is happening often. If a players account is hacked, that essentially is their PII data, first/late/email/address/ CC information / telephone so they can be found violating these policies for not properly securing their customer data.
      Not siding with jagex on this either, took me 10 years to recover my childhood account, and I had to convince a reddit jmod by providing extensive proof. Not all employees are bad but there's usually 1-2 in a batch.

  • @dannythorpe1425 11 months ago +6

    there's a setting where bank pin is only needed after 15 mins after log out, if you log out and hacker logs in instantly, no bank pin needed if certain settings are used. basically you can log out, then back in within the time and bank just opens without pin.

    • @Josh-sm6td 11 months ago +1

      Only from the same ip/device.

    • @UndeadShadowHunter 11 months ago +1

      Set it to require every log / world switch, yes it's inconvenient but it's the safest option

    • @dannythorpe1425 11 months ago

      @@UndeadShadowHunter that's the setting I use.

    • @dannythorpe1425 11 months ago

      @@Josh-sm6td device mirroring would concur this....

    • @tormstorm 11 months ago

      This 👆 It's a bit less convenient, but at least they can't get into your bank unless they also have your pin.

  • @RisingSwell 11 months ago +3

    The session token thing is just what your client uses to track that you are logged in, basically everything uses them because if they didn't you could never stay logged in to anything. While it's unlikely, the way this would work with OSRS is that someone would get access to the session token your buddy was using when he was logged in, and then re-use the same token to make the game think it's the same session as the previous one. This doesn't need the original PC to be on at the time of the account take over, just on when the person was stealing the token.
    Seems unlikely someone would do that for some random's OSRS account, it's not likely something your random script kid would be capable of, so if this *is* how he was hacked, it was targeted as opposed to random, whether it's about who your friend is IRL, or maybe extreme wealth on the account. Overall, don't think this is what happened, just that it's possible.

    • @MrRsErik 11 months ago

      I thought this also as best buy was repairing one of my computers when this happened to me and was the only explanation that someone got access while it was in their possession and copied the token from one computer and input it into their own client at home later however with this happening to others as well I can rule out the probability of best buy having a private information leak.

  • @N0lyfe4menow 11 months ago +2

    Just imagine Jagex leaking info to push people to a Jagex account. To say "see no hacking here". Let the conspiracy begin.

  • @everbeenzen 11 months ago +2

    Meanwhile here I am still logging in with my rsn and a password I haven't changed in ages.

  • @BobertSands 11 months ago +6

    It's way more likely your friend has just been an idiot rather than Jagex leaking data including bank pins, every single time it's user error with their own poor security practices

    • @SoftBreadSoft 11 months ago

      you think they disabled 2fa to download runescape gold generator? or what?

  • @GuyN0ir 11 months ago +1

    This happened to a friend of mine recently. I saw her log in for the first time in 6 months, and only for a minute. I messaged her on discord and she said that wasn't her. She logged in to find her bank pin was trying to be reset. They somehow got in past her two factor. She works in cyber security and is always extremely careful with her credentials for anything.

    • @MrRsErik 11 months ago

      this exact thing happened to me on september 5th on the rank 1 gim for nex and chambers. nothing was changed but I saw my own gim acc online right after turning on my computer and logging in my main to do a few flips at the ge before getting to the gim grind for the day.

    • @GuyN0ir 11 months ago

      @@MrRsErik My friend migrated to a Jagex account immediately after it happened (while also resetting her password) and hasn't had any problems since. Hopefully you haven't either.
      It's also happened to a few people in my clan that did end up losing accounts.

    • @Meatcrob1 11 months ago

      Same thing happened to my friend’s account. Logged in for a minute or so and logged in. Account gone. I immediately changed to a jagex account

  • @kennyvolkov5724 11 months ago +1

    I've been targeted for 3 days by a hacker, passwords kept on changing, found he put the malicious stuff on my microsoft cloud so my system would always get persisted. No logs found of last logins, jagex denied my request for help about this, twice. Rip SoStronk

  • @collinsmith7572 11 months ago +2

    After all that discussion, did anyone mention the possibility of a close friend committing the hack? Maybe I missed it if anyone suggested it. I know people want to trust their friends, but there are some dodgy people out there. I have on a few occasions trusted a friend on my account. I am a very secure person as well. If me, being the person I am, trusted a friend to be on my account once or twice, is it possible at all that this guy did the same thing and perhaps trusted the wrong person? Idk the details of how a friend would do it, but just an idea.

  • @ballisticmoose9729 11 months ago +1

    Had my account banned and appeal denied after I got banned, had thousands of hours and now I have no idea what to do

    • @jasebas9941 11 months ago

      Yeah same! Back when trident was mod too 😂

  • @mrakovc 11 months ago +1

    I have a Jagex account and double authenticator, and I still get e-mails from Jagex of password reset attempts.

  • @jamesstevens7685 10 months ago

    Serious question that I'd love an answer to ... if you get banned on a character linked to ur jagex acc do all the characters get banned ?🎉

  • @grenbenn 11 months ago +1

    does anyone think that it's harder to get your account hacked if your login email was mistyped at the account creation and was changed to be correct after the fact?

  • @lucasv1507 10 months ago

    I think you’re right on the data leak. My brother's account got hacked out of nowhere. He has zero friends on the game as he barely plays and when he does it’s with me. None of our friends play. Legit his account is a ghost. Out of nowhere his pass/email was changed without notice and everything taken. I doubt Jagex will do anything because he’s not someone famous in the game but well over 400M was taken and there was zero notification of it.

  • @thiccolo2971 10 months ago +1

    I just wanna say it’s a fucking tragedy that it took this mole slipper fiasco for the wider OSRS community to stop being afraid to even mention your name. Happy to see people finally opening up a bit to your hilarious content, which is probably some of the only truly unique content in the OSRS space these days

  • @thebroskeez 4 months ago

    Main way of hacks is data leaks from random websites. People get your email/password for that website, then try that combo for other shit. Don't use the same password across different things

  • @loudpackgeneral2496 11 months ago +1

    Ahkka plug in is a new one they're doing at ToA, get the word out

  • @theoneonly2406 11 months ago +1

    As someone who doesn't have a jagex account I'm going to get one. Thanks!

  • @morz506 4 months ago

    just doesn't let me make one
    every time I enter all my details say "YOU HAVE BEEN BLOCKED" on the launcher and doesn't let me upgrade to a jagex account

  • @thedevil7793 11 months ago

    you're massively mistaken if you think it's hard to compromise a machine (Key logger) it's easier than it's ever been, You just need to click a web link now, and it will latch on to the next legitimate installer you launch.

  • @TheCrawfather15 11 months ago

    Having a Jagex account was the only thing that stopped my account from being gone forever from the 3rd party linking scam. I was at least able to keep it and try to rebuild. They still are saying they will reach out about it eventually.

  • @TheNovaMuse 11 months ago +5

    ya boy just clicked on some shit he shouldn't have

  • @byrospyro4432 11 months ago +4

    I study cyber security and it could be this: If the 2FA automatically authenticates him then an attacker can change the proxy settings in the user’s browser to send all sessions through an attacker’s machine. This is a type of session hijacking attack. You can also get rootkits that are really stealthy so your friend would need an expert to take a look at his machine. You can 100% get infected from visiting a website, also if an attacker has the IP address and the machine is vulnerable then they can get in that way also.

    • @xCoNxKarMa 11 months ago +4

      Unless this guy is running an extremely outdated browser (which typically auto-update these days by default), no, they would still have to manually execute any download. If we take this story at face value, they didn't do this.
      The only way a drive-by-download would execute is if they were exploiting a browser zero-day to breakout of the browser's sandbox. Do you realise how much they could sell this for on the market? There are much more lucrative ways to make money with such an exploit instead of burning it to steal Runescape gold that has a chance of being detected by Jagex before being sold.
      Unless this guy is port-forwarding a vulnerable service, something a common person does not do (and if they did would surely check this and rule it out), they are not exploiting his system over the Internet. I mean, the guy might have had RDP/SSH exposed to the Internet, but extremely unlikely. Typically, you can't do shit with a person's IP address outside of a DoS.
      Unless Jagex does have a breach, most likely way this is happening is MiTM phish, which software 2fa isn't stopping. Or they did in fact download and execute. Could be a session hijack, but again no real way of knowing how this happened if the story is to be believed at face value - you can't alter a user's proxy settings by simply having a user visit your website.

    • @darkillusive 11 months ago +2

      1000% Thinking you can't get all sorts of nasty shit on your comp from just visiting a site is some heavy dose copium.

    • @xCoNxKarMa 11 months ago

      @@darkillusive of course you can have dirty stuff downloaded by visiting a website, it still needs to be executed. Do you smooth brains not realise how ridiculous the Internet would be if this wasn't the case? Your browser session is in a sandbox... you're going back to the 90s level of browser security.

  • @GsQDoom 11 months ago +2

    thanks for the upload! been looking forward to this one

  • @FALCORTON 10 months ago

    I figured they would just use a cached file stored in your RS folder. replace the players file with yours... spoof the IP. Now Runelite now thinks it's someone else and it doesn't require a re auth.
    didn't this happen to twitter like 2 years ago.

  • @joelflex 11 months ago +1

    A huge content creator in the Diablo world Darth Microtransaction just got his 21 year old Osrs account hacked and cleaned of all the items that he bought with bonds, had about 5B and he has no clue how it happened. Wonder if that's a similar situation.

    • @mydogatethebones 10 months ago +1

      He didn't even have auth

    • @joelflex 10 months ago

      @@mydogatethebones oh I couldn’t remember…that makes sense

  • @UnusualOtis 11 months ago +1

    Watching the King blow glass while I blow glass. This some good shit.

  • @kaylor87 11 months ago +2

    I know you like to shit on people for being skeptical, but honestly, I don't trust Jagex accounts at all. I'm very well trained with a background in IT, and I know enough to say that the more convoluted the system is, the more room there is for error/attacks. I like the way my account is set up, I have a strong password, 2fa, bank pin, not linked to RuneLite or Jagex launcher or Steam, I play pretty much mobile only, regular password changes, and I find it hard to believe my account is not secure. Probably more secure than my IRL bank account lol. Changing the way it's set up is only gunna open the door for more attacks, providing another new avenue for hackers to access my account. If there's an internal problem with a Jagex employee, who already has access to on-prem servers and account related databases, a Jagex account isn't gunna do squat. Just my 2 cents, but I do appreciate the video highlighting account security in general. Many people, like myself, have put their soul into this stupid game for most of their life, and it would be devastating to lose everything over something so preventable.

    • @KingCondor  11 months ago +1

      do you feel that your password is strong enough knowing that without a jagex account, you don't have case sensitivity available for your password? let alone the ability to use symbols

    • @kaylor87 11 months ago

      @@KingCondor That is a valid question, and yes, it is extremely pathetic that symbols and case sensitivity aren't supported by standard runescape accounts. However, when you learn about security, you will find out that the most important factor, above all else, is something called entropy. The more entropy your password has, the harder it is to be cracked.
      Google the phrase "Password Entropy" and either look at the common meme photo that is associated, or read some relevant articles if you'd like a better understanding. But basically, entropy is related to how many possible different combinations of characters your password can be, based on both the length and the available character set. While our character set IS limited by not allowing caps or symbols, a 28 letter alphabet, plus 10 numbers, combined with 20 available characters of length, makes for a ton of entropy.
      It's a common misconception that symbols and caps really make much difference to someone's password security, as symbols are typically substituted for similar-looking characters, are often used in very similar ways from user-to-user (ie ending your password with an exclamation point), and all of these substitutions and symbols are often easily overcome by common tools used in password cracking which do exactly that. They will run millions of iterations of the same general terms/words/phrases, and substitute out letters for caps, letters for symbols, and such. They will also make use of password dictionaries, which are massive tables consisting of millions of commonly used words and phrases for passwords, obtained from the data-leaks of people's passwords on the dark web. So a LONG password, which strays from typically used words or phrases, and maybe makes use of some nonsensical terms, is always going to be the most secure. No need for caps or symbols. (edit: though you are right, it would technically help, if used in a smart way)
      All this to say, if your account gets hacked using these password strategies, I can almost guarantee that it has NOTHING to do with your actual password. A high-entropy password would take a massive super-computer hundreds of years to crack. It just isn't going to happen. If your account gets hacked using a password of this nature, it was not the password that was the problem -- it was either a data breach, a lack of security on the server side, a phished account, a malicious tool on your computer like a key logger / spyware, or social engineering used to overcome security questions.
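The entropy comparison described in the comment above, worked through as an added example (not part of the original comment, and not Jagex's code). The 36-symbol case-insensitive set, the 94-symbol printable ASCII set, the wordlist sizes, the substitution counts and the guess rate are all assumptions chosen for illustration.

```python
import math

# Assumed character sets: legacy logins treated as case-insensitive
# letters + digits; "full" is printable ASCII without the space.
LEGACY_CHARSET = 26 + 10
FULL_CHARSET = 94
LEGACY_MAX_LEN = 20  # length limit quoted in the comment


def random_bits(charset_size, length):
    """Entropy in bits when every character is chosen uniformly at random."""
    return length * math.log2(charset_size)


def pattern_bits(wordlist_size, words=1, variants_per_word=1, suffixes=1):
    """Entropy of a password built from a pattern the attacker also models:
    dictionary words, each with some case/symbol variants, plus one suffix."""
    return words * math.log2(wordlist_size * variants_per_word) + math.log2(suffixes)


def equivalent_legacy_length(full_length):
    """Shortest random legacy-charset password at least as strong as a
    random full-charset password of the given length."""
    target = random_bits(FULL_CHARSET, full_length)
    return math.ceil(target / math.log2(LEGACY_CHARSET))


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at a fixed guess rate."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def compare():
    """Bits of entropy for four constructed password policies."""
    return {
        "random, legacy set, 20 chars": random_bits(LEGACY_CHARSET, LEGACY_MAX_LEN),
        "random, full set, 12 chars": random_bits(FULL_CHARSET, 12),
        # one word from a 100k list, 64 caps/symbol variants, 10 common suffixes
        "word + substitutions + suffix": pattern_bits(100_000, 1, 64, 10),
        # four words drawn at random from a 2048-word list
        "four random words": pattern_bits(2048, words=4),
    }


if __name__ == "__main__":
    rate = 1e12  # assumed offline guess rate, guesses per second
    for label, bits in compare().items():
        print(f"{label:32s} {bits:6.1f} bits  {years_to_exhaust(bits, rate):.3g} years")
    print("legacy length matching 12 random full-set chars:",
          equivalent_legacy_length(12))
```

Length compensates for the smaller character set only when the characters are chosen at random; the pattern-based entry shows how little a predictable substitution or suffix adds.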

    • @kaylor87
      @kaylor87 11 months ago

      @@KingCondor A data-breach attack can potentially be avoided by changing your password often. Phishing can be avoided by not being a dumbass. Security questions/social engineering can be avoided by using the same above-mentioned password strategies for your answers, and storing them in an equally-secure password keeper. And malicious tools on your computer can also be avoided by not being a dumbass, as well as running frequent scans and having virus detection software enabled on your machine. You can also take my route, and play mobile only, not use any sort of runescape plug-ins or downloads, and that helps a lot 😁
      (edit) - And if it's a hole in Jagex's server security, or employee security, again, you're fucked either way lol. There is a chance that on their end, Jagex stores the new official "Jagex Account" credentials using a safer and more secure method than the previous account credential databases, but I can't really speak to that. I'd just rather not get my account wrapped up in it. Jagex has a tendency to promote all these great new ways of logging in and authenticating your account, and history has shown that doesn't usually end well. Ie, look at the Steam launcher and all of the associated hacks. They like to bypass security to allow a more convenient login process, and that's no bueno.
      (ps) - I just realized security questions aren't even in use by Jagex anymore, which is good! So we can check that one off the list... "Don't be a dumbass" has now moved even higher up the list of priorities =P

    • @kaylor87
      @kaylor87 11 months ago

      @@KingCondor And again, I'm not trying to discredit anything you said in the video. I think highlighting account security in general is a really important topic that everyone should stay current on, and I'm NOT saying Jagex accounts are a bad thing. I'm sorry my replies were stupid-long, but I hope you managed to read them and that it makes sense. Either way, I love you King ♥ Mole Slippers to the moon 🚀

  • @Outroreal
    @Outroreal 11 months ago

    This exact thing happened to my main account as well, bank pin was set up, 2fa on my account as well as my email and yet they managed to "import my character" and wipe everything off my account in the matter of minutes. I've been safe since merging to the Jagex launcher...so far. Hopefully this issue will never happen again because this was not the first time my account has been cleaned with years of progress lost.

  • @liamneary5491
    @liamneary5491 11 months ago

    I had this happen to me, no breach on my emails, had 2 factor authenticator, didn't have jagex accounts back then.
    Didn't get phished, didn't click on sketchy sites.
    Was the only time i had money in my inv that I logged out because I had been at house parties.

  • @theevilben666
    @theevilben666 11 months ago

    As someone who used to hack accounts, everything you have said leads me to believe he traded off the items himself to an alt and claimed he was hacked. At this point only Jagex can see the it's logged on the account and if it was a different person they could absolutely track the items

  • @innocentingredd5189
    @innocentingredd5189 11 months ago

    It happened to me. No email compromised. Someone logged in, as verified by Jagex via support, from Venezuela. No answer and no help other than "please do better at securing your account."
    Laughable

  • @jordantalley6386
    @jordantalley6386 11 months ago +1

    so a couple things here, one authenticator for jagex is impossible to remove which is why i hope they dont change this because i lost mine but u have a list of back up codes that can be used to bypass the 2fa and use the code to log in instead with one time use each code. i bet thats what happened here the codes are leaked

    • @MrRsErik
      @MrRsErik 11 months ago +1

      this actually is the first thing someone has said that makes a bit of sense ty for input.

  • @OkYh420
    @OkYh420 10 months ago

    The fact that normal log-in doesn't have case sensitive passwords is insane. For the longest time I thought it did and was using caps

  • @brannonnorquest1882
    @brannonnorquest1882 11 months ago +4

    it can be a Remote access trojan, or something hidden in the boot sector of the account. Scans wont normally pick up on that.
    Security + Certification over here

    • @johnconfroy513
      @johnconfroy513 11 months ago

      this

    • @DickiMoltisanti
      @DickiMoltisanti 11 months ago +2

      Can you suggest a way for us plebs to check on this sort of thing? I cant lose my account i would be pissed

    • @ownage11445
      @ownage11445 11 months ago

      @@DickiMoltisanti don’t open suspicious emails, don’t use suspicious plugins, and stop watching pron on your computer.

  • @jaykeh
    @jaykeh 11 months ago +2

    The thing is if his pc was key logged why would they only go for a osrs account so I don’t think that is the case honestly, either new exploit or data breach that hasn’t been public

    • @kreuk13
      @kreuk13 11 months ago

      because the police won't investigate hacking an OSRS account; they might come down a little harder when you steal his IRL bank pin :)

    • @MrRsErik
      @MrRsErik 11 months ago

      @@kreuk13 except if you hacked someones bank pin you could send the money through a network of paypal accounts and be practically too anonymous for regular police to make any sense of for a few hundred dollars which is probably more than they would get for most rs accounts hacked...

  • @DesolationsFire
    @DesolationsFire 10 months ago

    Thanks for the info I pulled the trigger and got jagex launcher on my account

  • @11BBILLYBOB
    @11BBILLYBOB 11 months ago

    If you use your old passwords, and the logger is still trying to access auto in then you could get it accessed. I had that happen so I make sure to never use that password again

  • @DogeTheDankLord
    @DogeTheDankLord 11 months ago

    btw turning off your PC isn't actually turning it off. Unless you turn off hibernate mode, its typically on by default in Windows 10/11. Meaning when your PC is "powered off" it can still be remotely accessed and turned on via LAN.
    A proper RAT or keylogger built with the intent of actually working by a black hat will not be detected by any Anti-Virus. Simple reverse engineering and you know exactly what to do to not be detected essentially.
    Also Jagex could easily take an authentication key for google 2FA from your Jagex account and sell or use that information to get through 2FA. Pretty much any company with 2FA stores an authentication key within your account that talks to google servers. This would mean a data breach also gives them potential access to your google 2FA.

  • @slayz1515
    @slayz1515 11 months ago +1

    This is why I have an email for my main and a pc for RuneScape that nothing else is on.

    • @kaylor87
      @kaylor87 11 months ago

      Lolll, a dedicated runescape pc. True gamer here, I love it 😂♥

    • @slayz1515
      @slayz1515 11 months ago +1

      @@kaylor87 mandatory haha

  • @Undefined14
    @Undefined14 11 months ago

    I recently came back to the game and the PIN on both my main and ironman was gone. 2fa was still enabled. Luckily nothing was gone, even the equipment in my inventory was still in place. I'm really confused about what happened tbh. This is a bit less than a month ago I came back.

  • @Juanlx
    @Juanlx 11 months ago +1

    They probably used a VPN or somehow mimicked his PC as you don't get asked for 2FA if you're accessing your account from a previously used PC within 30 days or whatever the threshold is.

    • @Juanlx
      @Juanlx 11 months ago

      this would probably be a lot easier to do with a phone spoof of some kind

    • @7svn.
      @7svn. 11 months ago +1

      phishing links can easily bypass all that, this condor guy has no clue what he talking about lol

  • @TimeWiz
    @TimeWiz 10 months ago

    Key loggers can be installed remotely, and it can be phished through the site. But this is strange

  • @Raddeolized221
    @Raddeolized221 11 months ago

    I wonder if it could be someone on client side as well. Ive been noticing people saying they have been hacked more since HDOS was released to the jagex launcher

  • @videogamer00ful
    @videogamer00ful 11 months ago

    Just got hacked this week and banned for macroing. and my appeal just got denied today.. safe to say im not coming back after thousands of hours wasted

  • @AFKspiracy
    @AFKspiracy 11 months ago +1

    My issue with the Jagex account is that if by some chance you do get hacked, i assumed they have access to all of your accounts? If I'm wrong please correct me. this is the reason I've been putting if off.

    • @MrRsErik
      @MrRsErik 11 months ago

      this is correct however your 10 year old login credentials are much more likely to be leaked than login credentials you created 1 week ago

    • @MrRsErik
      @MrRsErik 11 months ago

      there is also email verification code as well as authenticator verification at the same time to log into a jagex acc where as a regular acc only requires one or the other

    • @AFKspiracy
      @AFKspiracy 11 months ago

      @@MrRsErik thank you for the info

  • @BradyPartain
    @BradyPartain 11 months ago +5

    1 click login alone is enough to make me a jagex account believer. cant believe i played so long without one

    • @MrRsErik
      @MrRsErik 11 months ago +1

      the jagex launcher allowed 1 click login without a jagex account but okay...

  • @brettott9335
    @brettott9335 11 months ago

    My (Jagex) account was just cleaned and bank pin changed. Idk how to be sure they couldn't log on again even if i get to reset the pin.
    2-steps on everything, Authenticator wasn't disabled.

  • @TheUhmmmmmmmm
    @TheUhmmmmmmmm 11 months ago

    I would do the pin on login every time even with the same IP just to be safe honestly. They brute force pins too so even with one its not 100% safe.
    And idk if they were ratted but the only way to defend against it is unplug your internet and find the rat.

  • @devinb9260
    @devinb9260 5 months ago

    This literally just happened to me! Today, I just lost 1.4 bil. Has this been solved @king? This is nuts... I am pretty busted up about this. Sucks, I had the authenticator up and I have a Jagex account and everything do you have any leads on this?! Do you know if Jagex will refund or is it gone?

  • @julianrogers8608
    @julianrogers8608 11 months ago +1

    yh deffo get a jagex account but you do need a jagex launcher to play then but its worth it u can just launch runelite with the jagex launcher anyway

  • @afromanftw
    @afromanftw 11 months ago

    swapped with oakdice and unfortunately my long time password was leaked out there, logged out for 10mins came back hacked, had an authenticator, had an easy bank pin unfortunately, email was fine.

  • @ZilverQuilmeleon
    @ZilverQuilmeleon 10 months ago

    Got hacked like this 3 years ago
    was before jed got fired from jagex so I am kinda guessing it was him who disabled my authenticator, pin etc, same situation though, pin, authenticator, on both email and account, and yeah, only started again a few weeks ago
    lost a few mil on my ironman so yeah, you can guess while I didn't feel like using that acc again

  • @Hratings
    @Hratings 11 months ago

    So it's rumored that if will say player (a) buys gold let's say 500. ... whether player (a) dies in a pvp death , bought something from a player, gives a split for an item etc... then eventually jagex can and has removed the 500m from player (b) account. It's been happening with dms , someone buys gold and the winner (innocent person) has received a temp ban and the gold he won from the fight removed. So it could be jagex just removing dirty gold. Question for you though, same thing just happened to a clan mate.. they left all his untradables, all his parchment still on items and left 500m gold ...... hard to say he was hacked when a hack would result in a cleaned account , so your friend condor was his account cleaned or did they leave a fair amount of wealth still on the account ?

  • @f2p570
    @f2p570 11 months ago

    Sounds like a token grab from Jagex Accounts & maybe the tokens show bank pin data. either that or they saw when he logged off, they logged in within the time frame of bank pins resetting from world hops.

  • @FarkOSRS
    @FarkOSRS 11 months ago

    I logged into my main after like 2 years my auth and bank pin were still on and somebody had botted like 2300 cg luckily i didn't get banned and they only got 1 enhanced weapon seed lmao. Made a jagex account and had no problems since.

  • @MrRsErik
    @MrRsErik 11 months ago

    on september 5th this also happend to me... granted i am rank 1 gim for chambers and for nex... my computer was also off and the only reason i knew was i logged into my main to do some 3rd age longsword flipping when i first woke up in the morning and saw someone was on my gim acc through the friends list. I did not have a jagex acc at the time and my laptop i play from was turned off all night long and on my bed next to me like the sweaty gamer i am. my password was not changed my authenticator was still on. the only difference between when i got hacked and when your friend got hacked is they did not have access to my bank account. maybe because they didnt hack me right after i logged off and shut my computer down? my email and acc were never shared with anyone and were never typed anywhere on a computer other than the jagex launcher and to make the account. the email and password were completely different from any i had ever used before and specific to this acc.

  • @edpachomovas3807
    @edpachomovas3807 11 months ago +1

    how about this.... the guy sold his account to a botter for $$$ gets a ban for botting and tries recovering his own account he sold off .. botters normally buy accounts rather than train it themselves

  • @grainesjr
    @grainesjr 2 months ago

    Doesn't matter if you use Jagex account or not, they hack into everything. I recently had mine hacked and lost everything 14b at time of hack. Had bank pin and everything setup. Jagex doesn't care as it keeps people grinding.

  • @donjuan3626
    @donjuan3626 6 months ago

    my rs3 account and osrs account are both the same login before emails were possible and been safe for 15 years i dont see a reason to change it now ? and i dont think i should be forced to either

  • @BewilderedAsshat
    @BewilderedAsshat 11 months ago +1

    The shilling for the jagex account is insane, is there any concrete proof they are safer?

    • @KingCondor
      @KingCondor  11 months ago +1

      its not shilling you donkey, I'm trying to spread awareness to players and viewers of my community so they don't also fall victim to these hacks, take ya tin foil hat off and try not to be a cringer on youtube comments for once. You don't want to upgrade? so be it, don't come crying to me when your bank gets cleaned

    • @zarox4945
      @zarox4945 11 months ago

      @@KingCondor wish this vid came out a month ago my acc got poofed last week and ban appeal was denied

  • @SoftBreadSoft
    @SoftBreadSoft 11 months ago

    A lot of people in the chat pretending to know how browsers and the internet works. Simply going to a website cant give you a virus, it can prompt or start a download for one depending on your settings, but the user still has to run it. Even if he did put his details in a phish or downloaded and ran a keylogger you are all ignoring how 2fa was bypassed. regardless of how the account details were obtained there is a definite vulnerability with all the people i hear about getting hacked with 2fa, and jagex needs to investigate.

  • @slayz1515
    @slayz1515 11 months ago +1

    This also why you don’t play osrs on steam. Also the reason any time I log out I have to re enter my bank pin

    • @Meatcrob1
      @Meatcrob1 11 months ago +1

      Same here

  • @Gafweebo
    @Gafweebo 11 months ago +2

    Odds are your friend used services or got RATted

  • @mrdisklow
    @mrdisklow 11 months ago +1

    Jagex has a corrupt problem over the years another mod Jed situation perhaps

  • @RSGameboto4
    @RSGameboto4 11 months ago

    At this point players who aren't using Jagex Accounts are just using their accounts to Bot..

  • @mattmyers123456
    @mattmyers123456 11 months ago

    Someone I know just got hacked too

  • @nodi1217
    @nodi1217 11 months ago

    Should people Change PW and pin every so often to confuse the crooks?

  • @fr0zeNid
    @fr0zeNid 11 months ago

    bruh people have put big bounties on hacking their rs accounts and even provide a bit of info to help with the process, but the hackers never succeed. People who say they didnt have a reason to get hacked are either lying or ignorant

  • @davidorgeson5449
    @davidorgeson5449 11 months ago

    If someone got control of his pc with a remote program they mightve been able to bypass everything.

  • @Shad0wEmpire
    @Shad0wEmpire 11 months ago

    you just have to steal the Gagex code to log acc with the gagex luncher...

  • @desert123100
    @desert123100 11 months ago

    Popular D4 content creator / streamer Darth Microtransaction was also hacked very recently for bills he just made a vid about it today

  • @Klevergamer
    @Klevergamer 11 months ago

    Good shout. Even if it's some dud being careless and clicking a link that ran an exe, or some internal affair, still worth upgrading security.

  • @Xhomer367
    @Xhomer367 11 months ago

    So question about requiring to sign into a jagex account every time. I use the actual jagex launcher so maybe this is different. But when I log off the game and close the launcher I can just launch it again and im already signed in. Do i need to actually log off the launcher as well to sign in every time (dumb question but lots of places also just allow you to log manually every week or so or actually manually sign out when you close the site) because Id like to at least need to re sign in every week or so but was unsure if that's an option.

    • @MrRsErik
      @MrRsErik 11 months ago

      jagex account is the same as being signed into the jagex launcher with a non jagex account it just has one login credential for all your accounts instead of making you sign in to each account individually on the launcher. either way you are at the one click login phase if you login with any acc to the jagex launcher.

    • @Xhomer367
      @Xhomer367 11 months ago +1

      @@MrRsErik idk if I like that tbh, I’d like to at least need to resign in to the launcher every week or so with my double Authenticator. But I guess I’ll just do it manually

  • @MrMcbear
    @MrMcbear 11 months ago +1

    Blows my mind that in 2023 people still aren't using 2fa...It's been around for decades now cmon people. Secure your shit.

  • @ragnastrifavii7427
    @ragnastrifavii7427 11 months ago

    I get confused with all this stuff, can I still use Runelite with a Jagex account or would I have to use OG client?

    • @ownage11445
      @ownage11445 11 months ago

      The Jagex account client will open a Runelite session for you or whatever client you’re using.

  • @athyyoakroot
    @athyyoakroot 11 months ago

    Friend just had this happen on his RS3 account.

  • @TheStormSuspect
    @TheStormSuspect 11 months ago

    Sounds like he isn't being fully honest with what he is clicking online

  • @Damned.
    @Damned. 11 months ago

    peer 2 peer network once connected to discord voice chat makes it very easy to get keylogged

  • @rhysekohler9263
    @rhysekohler9263 10 months ago

    Streaming you play. Screen recording prior to hack

  • @estusf1ask
    @estusf1ask 11 months ago +1

    wtf is that emoji alias on the screen for "no"? imma keep asking this until i get an answer XD

  • @mydogatethebones
    @mydogatethebones 11 months ago

    Lost 7b two weeks ago. They transferred my RS account to a launcher acc lol. Unique email only for OSRS, always careful with links and whatnot. At least I've been going outside, got a promotion, and a new gf. . . I miss OSRS though :(

  • @thepainterguy4559
    @thepainterguy4559 11 months ago

    I GOT HACKED 2 DAYS AGO AND AM CURRENTLY TRYING TO APPEAL AND MOD DENVERS TRYING TO HELP BUT I KNOW THE HACKERS GOING THROUGH THE SAME THING I AM CUZ THE ACC GOT LOCKED AFTER HE SENT 5 PASSWORD RESETS AND IM GUESSING THE SYSTEM SENT HIS NEW EMAIL THE PASSWORD RESET AND VOILA HES GOT MY ACC AND I HAD 2FA, AND A GOOGLE AUTH, IM PISSED

  • @fallenpotato5910
    @fallenpotato5910 11 months ago

    my main account was hacked last week, lost 2.5bill+ my email was changed and account was linked to a jagex account. i was able to recover the account but 2 days after it was recovered, the account is now perma banned for macroing... GG hackers, gg jagex.

  • @ardechey
    @ardechey 11 months ago +1

    Could it be runelite/compromised plug-in?

    • @MariusNinjai
      @MariusNinjai 11 months ago +1

      All of them are public i am sure someone would find the compromised code

    • @ohokok
      @ohokok 4 months ago

      pretty much impossible unless plugins were installed from somewhere other than the plugin hub

  • @CaptnBeeBop
    @CaptnBeeBop 11 months ago

    Jagex is the one hacking accounts to get people to switch over to a Jagex account

  • @DREWBOR
    @DREWBOR 11 months ago

    1st it was mole slippers now those frog slippers are climbing lol best In slots though

  • @joelharrison2355
    @joelharrison2355 11 months ago +1

    If it is a Jagex leak how will having a Jagex account help lol?

    • @Xoilen
      @Xoilen 11 months ago +2

      Because hijackers are using the jagex launcher to bypass 2fa linking your account to a jagex account will make it so nobody else can play your runescape character through their launcher unless they login to your jagex account, I understand what you mean though and I don't think it's a leak, people are somehow embedding an official runescape site link with something that instantly sends your account to their launcher and they can now 1 click login to your account.