You are not Invincible

This is a security post for everyone.

I was prompted to make this after having a nice conversation about Jagex's Authenticator. The Authenticator itself is a lovely protection system for your account, and you'd be a fool not to have activated it (unless there's some legitimate reason why you can't, but laziness isn't acceptable).

Even with the Authenticator enabled, you can STILL get hijacked.

When it comes to passwords...

  • The Authenticator is NOT prompted when a user wishes to change the account password.
  • A confirmation link for the password change is sent to your registered e-mail instead.
  • A hijacker can therefore change your password without ever needing your Authenticator; control of the registered e-mail is enough.


When it comes to the main site...

  • The Authenticator is NOT prompted upon logging into the main site.
  • A hijacker can still use your account to create havoc on the forums.
  • A hijacker can steal or change your display name.
  • A hijacker can CHANGE your registered e-mail.


When it comes to in-game...

  • You still need a bank PIN. The Authenticator can still be compromised if you enter your details on an infected machine: malware on that machine captures whatever you type, authenticator codes included.
  • The Authenticator DOES protect 2007scape accounts!
  • The Authenticator does NOT protect Classic accounts!


Has anyone noticed the common thread running through the points above? That's right, it's your registered e-mail. If a hijacker can control your registered e-mail then your account is as good as gone (or at least for a while). Did you also notice that the Authenticator doesn't stop a hijacker from changing that registered e-mail?

Your RuneScape account security relies heavily on your registered e-mail; even the Authenticator relies on it, because the password-reset path goes through the e-mail rather than through the Authenticator.

Here's where we shamelessly tell EVERYONE to change to Google Mail and use its 2-step verification system. Why? It does for your e-mail what a hardware authenticator does for an account: even if the hijacker does get your e-mail password, they still can't log in to the mailbox without your mobile device.

High-level players and famous players (who I can't name) have been hacked recently, and one of the core issues was that they used Hotmail as their registered e-mail address. Please, please, please DO NOT EVER use Hotmail as your registered e-mail address, because if someone tries hard enough, they can and will recover it.

... and here's a clear reminder of security tips:

  • NEVER use your RuneScape or e-mail password on fansites.
  • NEVER use your registered e-mail with fansites. It is very important to use different e-mail addresses for different websites.
  • If someone has a grudge against you, is jealous, or whatever else, and they have access to your private information, they can use it against you.
  • Even people you are supposed to be able to trust, who seem good and honest, can and possibly will put your e-mail/accounts at risk if the opportunity arises.
  • Be careful about which sites you visit.
  • Be aware of the information you leave on any website.
  • It's not just outsiders who will compromise your e-mail/accounts. People you know are just as dangerous!
  • Anyone who gets the right software onto your machine (a keylogger, a trojan, etc.) can read your private information, including the credentials you type into every website you visit.

Because the harsh truth is that fansite hijackings are getting more common, and the last thing we want is for our community members to be hijacked in the unlikely event that our databases are compromised.

If I've just highlighted how vulnerable you are, then you're welcome! :P

