Anyone hacked lately?

[Bruhx]

I won't ever believe that someone got hacked where it wasn't there fault. Maybe it really wasn't, but it's just very hard for me to believe. I've been hacked once and it was honestly completely my fault. I feel like the reason why people are getting hacked a ton more is because hackers have been trying to figure out ways to trick other people into getting there information since they came out with no more limit on trading, and at about this time, a lot of people are falling for stupid tricks and not even realizing they're going to get hacked. (I'm not saying that's what happened to you, lol.)

 

Then again, that's a complete guess because everyone who gets hacked always say they never went to any sites, NO ONE knows there password or bank pin, and all this stuff. Honestly, I kind of don't believe that.

 

Oh & also another way to get hacked is if you login to someone else's account, because then that gives them your IP address, and that's a very important piece to the recovery. It's pretty hard to argue if you know what IP address the account is usually logging into.

[Piu]

Besides: the whole password system is encrypted: even admins can't see your password. What is it with all those stupidity here of people who don't know what they are talking about making false claims?

 

Passwords are easily decrypted unless the hash is encrypted based on your hardware or something. And if you search around, you'd see some people actually have their hands on several databases.

 

I was just pointing out that with the information they have PLUS the information the OP had revealed himself is what helped the hackers for the whole recovery process.

[ForsakenMage]

If you guys do happen to see your personal details posted on pastebin, report it to have it removed, then use Google's webmaster tools to request for removal from Google cache.

[lordkafei]

Hacked, no... but I get a lot more phishing emails than I used to.

 

Today's email originated from Seoul, ROK: 110.45.140.114

 

The domain that the phishers are directing people to is registered in Beijing, PRC http://whois.domaint...com/axlogin.com

 

I'd forward this to Jagex in its entirety if I had an address.

Their phishing reporting topic on RSOF only allows 2000 characters... not enough room to even paste in the complete headers. Nice move there.

 

Most companies just have an email address that you are supposed to forward phishing emails to...

[Logdotzip]

its too bad there's no option for older accounts to switch their login name to en email... if you made a brand new email for your login information, you would be unhackable, no? they wouldnt be able to login

[pulli23]

Besides: the whole password system is encrypted: even admins can't see your password. What is it with all those stupidity here of people who don't know what they are talking about making false claims?

 

Passwords are easily decrypted unless the hash is encrypted based on your hardware or something. And if you search around, you'd see some people actually have their hands on several databases.

 

I was just pointing out that with the information they have PLUS the information the OP had revealed himself is what helped the hackers for the whole recovery process.

Sigh: good luck with decrypting them. It will take you what, a thousand years to decrypt a mysql table?

 

Really don't just believe anything you read, be critical, LEARN before posting statements.

 

IPB uses a randomized salt, so it is impossible to decrypt. Unless you know the salt (impossible) - or use brute force methods.

[bedman]

A lot of it is from people recovering accounts. Various groups hack websites and get their databases (fansites and forums are big targets specifically older ones). Someone got a hold of an older version of tip.its database. Also they go around the runescape classic forum on here and pick out names (because most likely the don't still play). If you are on damage incorporated they got hacked i think the beginning out august and their database was up for sale not too long ago. Also even when the passwords are encrypted if you have an semi easy password there are ways of "decrypting it" or at least having a website go through combos of passwords such as md5 and you can just search it on there http://www.md5decrypter.co.uk/.

 

Some bad language but you can see he has tip.its database

 

[hide]

[/hide]

 

 

And anyone who spends 5 minutes on pastebin can find loads of userbase dumps for rs accounts. All of this info people post about themselves is just helpful for people trying to steal their account. The most valuable parts being the creation date(all the hacking sites have links to tip.its threads where you post when you started playing) and first password(which is usually easy to guess because most people who played back then had an easy password, or even search the 100 most used passwords).

 

Damn, I joined tip it around that time, and I'm not sure what password I had back then. I don't think I ever used that on runescape, but I'm not 100% sure. Anything I can do to secure my account even more?

 

I have random recoveries with the answer written down and hidden in my room, my tip it account is connected to an old hotmail account I never use anymore (and that I never connected my RS account to). My runescape character is connected to my main gmail account though, might change that

 

EDIT: just checked my spam(on my regular emailadress) and I have some emails about runescape: "greetings, it has come to our attention that you are selling your runescape account..." (I don't dare to open it). This worries me quite a bit, because I wouldn't think hackers (or the ones trying) know about that emailadress. I have some emails from jagex etc. so it means that if that gmail account gets hacked, I'm screwed. What do?

[Nukearcher]

theres flaw in jagex account recovery if your account havent logged in for while its easy to recover without any info pretty much

[@Dan3HitU]

theres flaw in jagex account recovery if your account havent logged in for while its easy to recover without any info pretty much

I think that's what has happened, someone has obviously recovered my account after loads of attempts and eventually got through.

 

I think it's clearly stupid that Jagex don't see that an account is inactive though and that if you're recovering an account from say another country, they do nothing to stop it.

[eee]

theres flaw in jagex account recovery if your account havent logged in for while its easy to recover without any info pretty much

I think that's what has happened, someone has obviously recovered my account after loads of attempts and eventually got through.

 

I think it's clearly stupid that Jagex don't see that an account is inactive though and that if you're recovering an account from say another country, they do nothing to stop it.

Inactivity and repeated attempts could also be a sign that the owner has actually forgotten their details though. Location really doesn't matter because account recoverers will research their target's location and make all attempts through proxies.

[SixFootOne]

 

Damn, I joined tip it around that time, and I'm not sure what password I had back then. I don't think I ever used that on runescape, but I'm not 100% sure. Anything I can do to secure my account even more?

 

I have random recoveries with the answer written down and hidden in my room, my tip it account is connected to an old hotmail account I never use anymore (and that I never connected my RS account to). My runescape character is connected to my main gmail account though, might change that

 

EDIT: just checked my spam(on my regular emailadress) and I have some emails about runescape: "greetings, it has come to our attention that you are selling your runescape account..." (I don't dare to open it). This worries me quite a bit, because I wouldn't think hackers (or the ones trying) know about that emailadress. I have some emails from jagex etc. so it means that if that gmail account gets hacked, I'm screwed. What do?

 

If you are at least semi active you are fine. That' is more of a concern for people who stop playing for long periods of time. Also with that info alone they usually won't get the account. If you don't go around responding to random emails you get from them (they can find your ip from that and then guess what isp company you used to create the account) you are also doing yourself a favor. I would make sure your email is secure though. Gmail is nice because you can have it linked to phone numbers and have them text you reset passwords in case it gets compromised. Sadly recovery questions don't seem to really lock down the security of your account but they can help. Just keep info like creation date, previous passwords, isp that you created the account/last used, have your email linked to your account, have recovery questions set, log in a 2 times a week and your will be pretty safe.

[Drazhor]

It seems quite a lot of tiffers have been hacked since Feb :o

[@Dan3HitU]

Just to be 100% clear (for anyone unsure), there is no chance I was keylogged.

 

I haven't been on the computer that I "only" use for RuneScape, I have a laptop I use for everything else which I've probably only used 5 times since March.

 

I've been on my Xbox 360 generally and haven't had time (or interest if I'm honest) for RuneScape which doesn't even use the same connection that I use for RuneScape. So the only option is that someone tried recovering my account over and over again.

[@Dan3HitU]

Got this picture sent to me through Twitter, guy said he found it on a forum.

 

 

By looks of it, it was a recovery attempt.

[_YB_]

Got this picture sent to me through Twitter, guy said he found it on a forum.

 

 

By looks of it, it was a recovery attempt.

I spoke to Sly, it wasn't him. Someone's put his name in the notes to get it blamed on him

it wasn't him, he doesn't recover anymore he even helped Binu22 to get hes account back.

 

 

[spoiler=asf]

 

[Saradomin_Mage]

What exactly is the "Try harder plox" thing supposed to be, actually?

[BioIce]

Mod Chrisso seems to be really new at Jagex. That thread mentions him having only been there for a year somewhere in one of his posts, he got bumped up from customer support to game testing.

[Piu]

'Try harder plox' was a message to a group of recoverers's hack threat I think.

 

Which resulted people like Binu and Gertjaars being hacked.

 

EDIT: Derp, didn't see YB's photo.

[rsboy]

I got nailed :( like 2 weeks ago.

[Riptide Mage]

Besides: the whole password system is encrypted: even admins can't see your password. What is it with all those stupidity here of people who don't know what they are talking about making false claims?

 

Passwords are easily decrypted unless the hash is encrypted based on your hardware or something. And if you search around, you'd see some people actually have their hands on several databases.

 

I was just pointing out that with the information they have PLUS the information the OP had revealed himself is what helped the hackers for the whole recovery process.

Sigh: good luck with decrypting them. It will take you what, a thousand years to decrypt a mysql table?

 

Really don't just believe anything you read, be critical, LEARN before posting statements.

 

IPB uses a randomized salt, so it is impossible to decrypt. Unless you know the salt (impossible) - or use brute force methods.

 

Salted hashes are far from impossible to break. If someone were to compromise the server they would be able to dump the sql tables as well as view the salt. Examples:

 

Only hashed - md5($Password) - Easily cracked, a publicly available 380 gb rainbow table will break any password that uses numbers, letters (capital and lower), and spaces; extremely vulnerable to sql injection

 

Hashed and salted using a global salt - md5($Password.$SiteSalt) - Just as easily cracked as a password that has only been hashed (if the hash is obtained from the webserver); however, this would require generating a custom rainbow table which takes a bit amount of time (giving the site time to inform users)

 

Hashed and salted using a user salt - md5($Password.$UserSalt) - Requires a new rainbow table for every user (See next paragraph); this is extremely vulnerable to sql injection if the default hashing algorithm has not been changed, IPB uses md5(md5($salt).md5($password)) by default, I hope tip.it changed it

 

Hashed and salted twice - md5($UserSalt.$Password.$SiteSalt) - Requires a new rainbow table for every user, which is very impractical unless targeting specific users, usually in this case the hacker will run a list of common passwords through the hashing algorithm for each user, hoping to crack a percentage (interesting note: I recently redid the security on a site I maintain that has 25,000 users; of those users 6% used one of the 5000 most common passwords [based on this] and 4% used their username as their password, extrapolating that to the worst case scenario where tip.it is breached, at least 20,000 accounts would be compromised with ease, and even more would be compromised after using a dictionary based attack [of users who used a dictionary word, 10% used the word followed by the number 1])

 

One of the best ways of ensuring user security after a hack is by using two salts, a site wide salt and a individual salt. Unless the sql server and the webserver were located in two different places and only the sql server was breached would an attacker ever need to decrypt the sql database. If the webserver is breached it WILL have the sql connection details in plain text in order for the site to function (or possibly encrypted using zend, but that that's still easy to bypass) and it WILL have a any site-wide salt in plain text.

[Toad]

I don't think it's necessarily the way the system works that needs to be fixed, I just think added security needs to be implemented.

[RoswellCrash]

I don't think it's necessarily the way the system works that needs to be fixed, I just think added security needs to be implemented.

 

The old memory card device or card system Entropia Universe use would be good, but cost. Maybe it could be free with a year/or two of membership subscription (a membership incentive they might want to try, or pay for it).

[ilovecuttingyews]

I don't think it's necessarily the way the system works that needs to be fixed, I just think added security needs to be implemented.

The old memory card device or card system Entropia Universe use would be good, but cost. Maybe it could be free with a year/or two of membership subscription (a membership incentive they might want to try, or pay for it).

Jagex initially dismissed the security dongle because people dismissed the extra bank space incentive as RWT'ing. Maybe with the massive increase in hackings, and Jagex's new leadership, and a newfound thrist for money will convince Jagex to start selling these. If it was anything under $20, I would probably buy one.

[RoswellCrash]

Yeah I use the card system supplied by EU works well.

[Sir_Squab]

Besides: the whole password system is encrypted: even admins can't see your password. What is it with all those stupidity here of people who don't know what they are talking about making false claims?

 

Passwords are easily decrypted unless the hash is encrypted based on your hardware or something. And if you search around, you'd see some people actually have their hands on several databases.

 

I was just pointing out that with the information they have PLUS the information the OP had revealed himself is what helped the hackers for the whole recovery process.

Sigh: good luck with decrypting them. It will take you what, a thousand years to decrypt a mysql table?

 

Really don't just believe anything you read, be critical, LEARN before posting statements.

 

IPB uses a randomized salt, so it is impossible to decrypt. Unless you know the salt (impossible) - or use brute force methods.

 

Salted hashes are far from impossible to break. If someone were to compromise the server they would be able to dump the sql tables as well as view the salt. Examples:

 

Only hashed - md5($Password) - Easily cracked, a publicly available 380 gb rainbow table will break any password that uses numbers, letters (capital and lower), and spaces; extremely vulnerable to sql injection

 

Hashed and salted using a global salt - md5($Password.$SiteSalt) - Just as easily cracked as a password that has only been hashed (if the hash is obtained from the webserver); however, this would require generating a custom rainbow table which takes a bit amount of time (giving the site time to inform users)

 

Hashed and salted using a user salt - md5($Password.$UserSalt) - Requires a new rainbow table for every user (See next paragraph); this is extremely vulnerable to sql injection if the default hashing algorithm has not been changed, IPB uses md5(md5($salt).md5($password)) by default, I hope tip.it changed it

 

Hashed and salted twice - md5($UserSalt.$Password.$SiteSalt) - Requires a new rainbow table for every user, which is very impractical unless targeting specific users, usually in this case the hacker will run a list of common passwords through the hashing algorithm for each user, hoping to crack a percentage (interesting note: I recently redid the security on a site I maintain that has 25,000 users; of those users 6% used one of the 5000 most common passwords [based on this] and 4% used their username as their password, extrapolating that to the worst case scenario where tip.it is breached, at least 20,000 accounts would be compromised with ease, and even more would be compromised after using a dictionary based attack [of users who used a dictionary word, 10% used the word followed by the number 1])

 

One of the best ways of ensuring user security after a hack is by using two salts, a site wide salt and a individual salt. Unless the sql server and the webserver were located in two different places and only the sql server was breached would an attacker ever need to decrypt the sql database. If the webserver is breached it WILL have the sql connection details in plain text in order for the site to function (or possibly encrypted using zend, but that that's still easy to bypass) and it WILL have a any site-wide salt in plain text.

 

I have no idea what in the hell any of this is >_<