16 replies to this topic

[ixfd64]

My RuneScape account got hacked a few days ago.

I was trying to enter the April quiz contest last night when I noticed that I was unable to log in. Since I was able to access all of my other accounts, I figured that I had been "hacked." When I recovered my account about half an hour later, I noticed that my bank PIN was just seven hours away from getting deleted. In addition, my friends list had been cleared, and my default CC was set to a channel called "Team Hax."

The good news is, I didn't lose any valuables. Phew! *kisses bank PIN* On the other hand, it's going to be a pain in the @$# to add all of my friends back.

I did search for my name on some well-known cheat sites but could find no mention of anyone bragging about "hacking" me, so I'm not sure why I was picked as a target. When I first got "hacked" in April 2003, I was fairly well known at that time because I was only the 40th person to get level 99 cooking. But since level 99 skills are very common these days, I don't think it was my stats that made me a target. However, I do have the distinction of being one of the first 2000 players to sign up, as well as a former player moderator. From what I've seen, these are considered valuable targets for account thieves.

My password was alphanumeric and had 11 characters, so I think it would have been very hard to guess. But then again, RuneScape passwords aren't that secure because they aren't case-sensitive and no longer support punctuation. HijackThis found no suspicious programs, and my recent virus scans had come up clean, so it couldn't have been a keylogger.

So I guess the "hacker" had guessed my password recovery answers. Admittedly, one of them could be found on my Wikipedia page, and two others weren't that hard to guess. I mean, just because I never explicitly told people what my favorite vacation spot was doesn't mean people couldn't deduce it from reading my blog, etc. Gotta love social engineering.

Incidentally, my AIM account also got hacked about two weeks ago, although I'm not sure if it had anything to do with this.

Lessons learned:

1. Don't set security questions whose answers can be easily deduced, even if they are not mentioned explicitly.
2. Similarly, when posting blog entries, etc., make sure that you don't accidentally answer a security question.

That having been said, was there anything else I could have done to prevent this?

I also have two other questions:

1. If I recover my account using the "stolen" option (as opposed to forgetting my password), will this automatically flag my account for investigation?
2. I know that Jagex does not give back stolen items. However, will they restore my friends list? I don't think I can recall all 100 names off the top of my head.

[Jaffy1]

ixfd64, on 06 April 2011 - 06:31 PM, said:

I also have two other questions:

1. If I recover my account using the "stolen" option (as opposed to forgetting my password), will this automatically flag my account for investigation?
2. I know that Jagex does not give back stolen items. However, will they restore my friends list? I don't think I can recall all 100 names off the top of my head.

From what you've said I don't see what you've done wrong (if anything at all), but to help avoid being hacked, ensuring your login username is unknown may be useful. This can be done by changing your name twice, or once and wait for the "last known as" to disappear (new accounts have mail addresses as a login).  Ooh, and since you were close to your pin cancellation time, get a 7 day delay instead of 3 (if you don't already have that).

Obviously recovery questions should be memorable, but no-one should be able to guess them. If you want a tip, asking about very personal things may be a solution i.e. things you have told no-one (possibly a question about a past password or childhood memories?).

To answer the other two questions, I believe that checking the "stolen" option gives your query priority with regard to being reviewed. It's possible Jagex looks at other things too, but I don't know if or what exactly they would do.

It's also doubtful they'll restore your friends list, unfortunately, but I imagine the people you can't remember will pm you if you keep it at "on" mode?

[Nomrombom]

No, Jagex can't restore your friends list. You'll either have to remember or just forget about it.

You didn't learn these lessons from Sarah Palin's little deal? Where some kid hacked her government email by guessing her recoveries?

Just a good thing you had a PIN. Better safe than sorry.

[reddawn509]

You have a wikipedia page?  

If you've got information about yourself online, it might not be a bad idea to set random passwords or letters or something as the answers to your recovery questions, instead of actual information. Write them down or save them onto your computer, then you can have them but they'll be difficult to guess.

[D. V. Devnull]

Pardon this blunt expression, but............... DDDDAAAAMMMMMNNNNNNIIIIITTTTT!!!

Well, this explains why I was showing as not on your friends list when I last checked your chat channel like yesterday or the day before, and definitely prior to some jerk changing your channel's name.  Good thing I came back to Tip.It Forums, or I would never have seen something like this to alert me to what happened.  Sorry to hear this happened to you, though.

However, I'm glad to hear you got your account back from the jerk(s) that stole it from you.  If you want to get in touch, I've been bouncing between RuneScape and FunOrb's "Steel Sentinels" off and on.  So feel free to add me back on and send a private chat message.  I'll look forward to hearing from you, that's for sure.

~Mr. D. V. "Unholy Ouch!  Glad to hear you got control back!" Devnull


(p.s.: One of my F2P stats fell below 2,000,000th place, so my combat's reading low.  That should be showing as Cb Lvl 85 in my siggy...)

(p.p.s.: I don't believe this... I don't have you added to my buddy list on TIF as well?  Adding now!)

[Jaffy1]

reddawn509, on 06 April 2011 - 06:55 PM, said:

Write them down or save them onto your computer, then you can have them but they'll be difficult to guess.

It's a bad idea to save any kind of password/sensitive information on your computer.
Write them down if you must, but it's best if you can just remember them.

[Hegelstad]

I recently changed all my recovery questions because some idiot from Germany added me on facebook and tried to social engineer me ;o

He asked a lot of questions about recovery questions in a way that you wouldn't think that you answered recovery questions, they are really clever. So be alert!

[Jaffy1]

NikolaiH, on 06 April 2011 - 07:08 PM, said:

I recently changed all my recovery questions because some idiot from Germany added me on facebook and tried to social engineer me ;o

Don't let random people add you on facebook. xD
Seriously though, some of those "kids" care too much... Why put in so much effort to "hack" someone?

Anyhow, if you can, try making it so only you know/can guess the answers to your recovery questions.
That excludes family and real life friends too.

[Hegelstad]

Jaffy1, on 06 April 2011 - 07:10 PM, said:

NikolaiH, on 06 April 2011 - 07:08 PM, said:

I recently changed all my recovery questions because some idiot from Germany added me on facebook and tried to social engineer me ;o

Don't let random people add you on facebook. xD
Seriously though, some of those "kids" care too much... Why put in so much effort to "hack" someone?

Anyhow, if you can, try making it so only you know/can guess the answers to your recovery questions.
That excludes family and real life friends too.

He acted like he knew me, faked ID, so be careful out there!

[pulli23]

jagex should allow for "unresettable" (apart from manual jagex intervention) bank pins. - If you go on holiday/taking a break of rs your bank pin is now worth nothing!

[ixfd64]

Thanks for the suggestions, Jaffy1.

However, the downside of changing display names is that it may confuse friends, especially those who haven't played in a long time. For example, I've often had to ask friends who have changed their display names to identify themselves after coming back from long breaks.

I know that some IM users will block/delete unfamiliar people on their buddy list, so I'd imagine that the same goes for RuneScape. Personally, I do not do this, but I obviously can't say the same for my friends.

reddawn509, on 06 April 2011 - 06:55 PM, said:

You have a wikipedia page?  

User page, not article. I'm not that famous!

[Jaffy1]

ixfd64, on 06 April 2011 - 07:24 PM, said:

Thanks for the suggestions, Jaffy1.

However, the downside of changing display names is that it may confuse friends, especially those who haven't played in a long time. For example, I've often had to ask friends who have changed their display names to identify themselves after coming back from long breaks.

I know that some IM users will block/delete unfamiliar people on their buddy list. I'd imagine that the same goes for RuneScape. Personally, I do not do this, but I obviously can't say the same for my friends.

You're welcome.
In the case of friends confusion, changing it once will do the trick.
If they recall your old username they can still enter your clan chat (it will take them to yours even after you've lost the "last known as" icon).

Hope that helps.

[Rocked]

Do you tell people on the street that you're a Wikipedia admin? I wish I could tell people that at parties.

[Wkw]

My recovery questions are something along the lines of
"what is on the empty action figured box in the computer room"
"how many usb ports does my old computer have"
"which number seat do i sit in class spell"
and "how many windows to the right"

Really
Lesse. I've never, ever taken a picture of that part of the room
Nor of my old computer.. but I think I've said it. But it isn't one of my questions
Only the people at my school know this. I added spell because "3" isn't a valid answer
Last one, you need to see my house to know that ^^



Don't make them "generic" questions. What is my mothers madein name is too generic. Same pet, first teacher, favorite food. All generic.

[Michael]

wkw427, on 06 April 2011 - 09:11 PM, said:

My recovery questions are something along the lines of
"what is on the empty action figured box in the computer room"
"how many usb ports does my old computer have"
"which number seat do i sit in class spell"
and "how many windows to the right"

Really
Lesse. I've never, ever taken a picture of that part of the room
Nor of my old computer.. but I think I've said it. But it isn't one of my questions
Only the people at my school know this. I added spell because "3" isn't a valid answer
Last one, you need to see my house to know that ^^



Don't make them "generic" questions. What is my mothers madein name is too generic. Same pet, first teacher, favorite food. All generic.

That's simple, you just don't actually answer the question but answer another question.

[Rock Hard]

Rocked, on 06 April 2011 - 08:02 PM, said:

Do you tell people on the street that you're a Wikipedia admin? I wish I could tell people that at parties.

dw, tell them about your 3000 tipit posts and 91 rc instead

[Avatar200]

My old cooking buddy in Draynor!! Hope you've done everything to prevent future attempts..