Time to post something useful! TL;DR: Accounts are never 100% safe, working customer service sucks, and I like 3.14. Ok, so working as a customer service agent and supervisor for a major cellular telecommunications company in the technical support department and general customer service as well as having experience as a white-hat contracter, I learned a lot about ticket systems, customer personal information handling, and attitudes of both representatives and supervisors towards that data. This is something I have personally dealt with. [spoiler=Story Time!] One relevant example I can provide to this subject is the heavily modified (but real at the core) story of Mary Sue and her phone account recovery. Most details (names, locations, jobs, etc) have been changed to protect the customer this happened to as well as me for posting it (without breaking NDA). Mary Sue was a successful business woman from New York City. She was an accountant in one part of a fortune 500 company. She had a husband and 3 kids. She was very good at managing her cell phone account on a regular basis. One day, Mary Sue received a temporary job assignment to Japan to start a foreign sector of the company. She would be over there for 6 months. She accepted the job and was eventually promoted to lead financial accountant for the corporation after an outstanding performance. When she returned, she found out her husband cheated on her, another woman named ShaNayNay was living with her husband in the house, and her husband sent the kids to private school for 6 more months in Sweden. After a very unhappy 2 months of going through divorce processes and getting her kids back, Mary Sue remembered about her cell phones so she decided to attempt to access her account only to find out it was under someone else's name. Mary Sue was feeling very unhappy. When recovering the account Mary Sue provided the wonderful supervisor she spent an hour reaching, the aforementioned story, with her name, address, and secret question answer (which was the name of the dog). The kind supervisor followed procedure and restored the account under her name and disabled the active phones which would take effect on midnight EST the next day. The supervisor also provided the customer with a free phone voucher since she had been with us for 10 years. One day later, the supervisor received an internal notice that a customer named Mary Sue had called in saying someone disabled her phones (when phones are disabled, the person can still reach customer service) and his name tag was on the log for who disabled the phones. It turned out that the person whom called in was in-fact Bob, someone who had doxed Mary Sue and obtained her dogs name from her facebook profile and knowing Mary Sue loved dogs, Bob figured that was her password. Bob also had a slightly feminine voice so with proper voice control, he pulled off a perfect female voice. Mary Sue was in fact away, but in the hospital for Chemotherapy for her Lung Cancer in Los Angles for 6 months, which was also on her facebook. How the above story relates to Runescape is basically, as long as someone knows enough information about you or has infected you with malicious software, it is only a matter of time until they can access your Runescape account. Customer service agents and supervisors have protocols they have to follow in certain situations. In the story above, the supervisor was not at fault for giving access to the hijacker as the hijacker provided enough information to pass by as the actual owner. There is practically no way the supervisor could have known that the caller was the hijacker. Now another note; Since the person in the story was away and did not log into the account for 6 months, it made the story provided by the hijacker even more realistic. Most people check access logs for stories like this. How this relates to Runescape is most players start playing before college and take a break during school for 3, 6, and even 12 months or more at a time. Also, people tend to move around, lose interest in playing, and take breaks. The longer you do not access your account, the easier it is for someone to hijack it. I am not saying that if you don't login for 6 months, someone will take your account. I am just saying that it will become easier to hack, even with JAG or any security measures in place. With a game like Runescape, with JAG enabled, I can guarantee that if someone has your email, IP, and time, they can recover your account. The reason I added the criteria of time into play here is because it takes time to research the victim and obtain enough details about them. It takes time to develop a highly plausible story to send Jagex. It takes time to perform multiple attempts. This has happened to me. During the fan sitehack wave about a year ago, the email I used with RuneScape was the same email I registered with a specific fan site, was obtained from the database. The passwords were totally different. All of my in-game passwords are a randomly generated string. After my email was obtained, it was only a matter of time until the hacker obtained the rest of the information from either database entries or logs from the fan site. I blame Jagex for lack of common sense and detective skills. The IP address which last logged into my account was 10,000 miles from where I lived and was on a list of spamming and hacking IPs relating to both Minecraft, Runescape, and other games. I blamed them for making it too easy to recover accounts. I had an alternate account I never logged into since 2006. I legitimately forgot the password. Using a proxy, I submitted my real IP and information which was listed on an archived forum site from then provided a heartwarming story of why I haven't played in 6 years. Only 6 hours after the recovery request was submitted, I received an email saying it was successful. I know people make mistakes and stuff like this happens with Runescape or with other companies all the time. I have been on the other side and personally made that mistake of allowing a stranger access to someone else's account.