How my RuneScape Account got Stolen—and how I got it Back

On Wednesday 30th March 2022, my RuneScape account was stolen. Getting it back has been… significantly more difficult than it should have been.

Stolen Account

When I woke up in the morning, there was an email waiting in my inbox. "We have received a request to reset the password for your account", it said. "To reset your password, please use the button below".

RuneScape phishing emails often get through my spam filter, but this one looked authentic. Just in case, I tried logging into the game; it said my credentials were wrong. I double-checked them and tried again—no luck. My account had indeed been stolen.

How did this Happen?

My first thought was that my email account must have been compromised—how else could somebody have used the RuneScape password reset form to steal my game account? But my email account has 2FA enabled, and the access logs show no activity from IP addresses I don't recognise.

My RuneScape account also had 2FA. Did the perpetrator have my TOTP key? Had they gotten around 2FA somehow? Could my computer be compromised? Maybe I had been keylogged? But if so, why go for my RuneScape account of all things? And besides, I'm not in the habit of installing untrusted software, and I run Linux—which I would not expect to be a typical target.

I eventually figured out that my account had been stolen through the RuneScape Account Recovery process—the exact same process that I had to use to get it back. In order to submit an Account Recovery request, you must first attempt a password reset, which gets sent to your email address; this explains the email I received earlier, and why there were no suspicious login attempts. The reset email isn't the account takeover method itself; it's just a byproduct of it. That's a good thing, though; otherwise I might not have been aware my account had been stolen. Sadly, the 2FA on my account counted for nothing, since it was automatically removed by the Account Recovery process.

The Account Recovery Process

When I began the process of recovering my RuneScape account, I assumed I would be able to talk to a real person and prove my identity using my government ID or something. The name and address on my ID match the payment details on my RuneScape account. Unfortunately, this wasn't possible.

RuneScape's Account Recovery process is really bad. There is no way to talk to a real person. You can't simply email Jagex support—even if you're a paying customer. Your only option is to fill out the Account Recovery form and hope that your answers are good enough for whoever happens to read it. If they aren't, you will receive a canned response that only provides a few clues for your next attempt.

The RuneScape Account Recovery Form

Everything wrong with this form boils down to a single huge problem: RuneScape is really old. My account is nearly as old as the game itself!

I don't remember my old passwords—especially from 10+ years ago. Who does? Luckily I have a password manager these days, and it has a record of the most recent ones.

I don't remember the answers to my recovery questions. I probably set them when I was a child, and Jagex doesn't allow them to be changed. Best I could do here was guess.

I don't remember the month and year that my account was created. RuneScape didn't use an email address back then, so I have no email to commemorate that date. I ultimately had to guess by reading through the historic patch notes, and by luck I was just one month off.

I also don't know the ISP that I used when I created the account—I didn't create it at home because I didn't have the Internet back then.

If you specify Credit Card as your earliest membership payment type, you are asked to supply the last four digits of the credit card that was used. I was sure I no longer had a record of this.

The Other Comments field allows for just 300 characters to provide any additional information. It's barely enough.

Bureaucracy

I filled out the form as best I could before heading to work, and submitted it. Several hours later, I received my response: denied. Jagex wanted more details about past payments. In my rush to get to work, I had simply guessed them, but I would evidently need to be more accurate.

For my second Account Recovery request, I spent the afternoon poring over my archives to find as much information as possible. I managed to find a very early RuneScape membership receipt and the last four digits of the credit card that was used. I was shocked I had these! I filled out my second Account Recovery request with as much detail as possible, submitted it, and went to bed confident that I had supplied enough information to prove my identity. Unfortunately, it still wasn't enough. Jagex rejected my request because they wanted more information about the circumstances in which the account was created.

For my third Account Recovery request, I racked my brains trying to think of any other details I could possibly add. I added them, submitted the request, and again it was denied—for the exact same reason. At this point it seemed like a lost cause—I had supplied everything that was asked of me and it still wasn't good enough. It seemed like my only recourse would be to keep resubmitting the form and hope to eventually find a reviewer who would accept it.

For my fourth Account Recovery request, I decided to try something different. The RuneScape Account Recovery form hadn't been working properly. It had JavaScript errors, so the Add Another Password button didn't work. Since I could only write one password in that section, I had been writing the others in the Other Comments section. This in turn limited the amount of receipt numbers I could write in that same field. I had submitted my previous requests using Firefox for mobile and desktop; this time I tried using Chrome. The JavaScript errors disappeared and the form worked properly! I filled out every single field, submitted the form and went to bed. The next morning I had a pleasant surprise: my fourth Account Recovery request had been accepted.

In the end, it seems that the thief only stole the small amount of gold I had in the OSRS bank, plus a few other low-value items. They had attempted to remove my RuneScape 3 bank pin, but were unsuccessful since I recovered my account within a few days. Losing some gold is unfortunate, but I'm grateful to have the account back. It has a lot of sentimental value to me.

My RuneScape character

Theories

As we've seen, the Account Recovery form is quite long and detailed. How could somebody other than me possibly have enough details to steal my account through this form? After reading about the experiences of other players who found themselves in my situation, I have two theories.

First, as mentioned, my account is old. When I was younger and didn't know any better, I probably reused these passwords on other sites, perhaps even including RuneScape fan sites. My accounts on RuneScape fan sites were sure to include my RuneScape account name, since these used to be the same as your character name. And if you knew the age of my earliest RuneScape fan site accounts, you could probably guess the age of my RuneScape account. So if the database of one of these old fan sites were leaked on the Internet, it might be possible to scrounge together enough information to successfully complete the Account Recovery form. But if this were the case, then I'd have thought my personal knowledge would have been enough to recover the account on my first attempt.

The second and more concerning possibility is that the thief knew the exact answers to each part of the Account Recovery form. In 2018, Jagex sacked an employee for "gross misuse of moderator privileges". This employee allegedly used their access to customer data to steal from players through the Account Recovery system. I don't believe this particular person had anything to do with the theft of my account, but it appears that this scenario is a very real possibility. How can a rightful account owner's memory stack up against somebody who has access to all the answers needed for the Account Recovery form? Hopefully I'll never have to deal with this.

As for why my account was targeted, I really don't know. My best guess is the first theory—maybe somebody got their hands on an old fansite database, and has been gradually working through it to steal as much as possible. Some accounts as old as mine have exclusive and extremely valuable items like party hats. Unfortunately for me, my account has no valuable items whatsoever; no max-level skills; no achievements. It doesn't even have a sought-after character name (three-letter names are common hacking targets). My account is entirely unremarkable. This makes me suspect that the thief didn't know any better, and simply stole it in hopes that it might have something useful. Somebody with access to the RuneScape account database would have known not to waste their time!

A canned Account Recovery response (sample)

How to Protect Yourself

I'm relieved to have my account back, but what can you do to protect yours? Here are my recommendations.

Enable 2FA on both your RuneScape account and your email account—including any previous email accounts that you still hold onto. If somebody gets access to your present or past email accounts, they will have access to critical details needed for the Account Recovery form. Protect these carefully!

Use a bank pin. I thought this was unnecessary since I had 2FA enabled. Unfortunately, Jagex will simply remove 2FA if somebody hijacks your account through the Account Recovery system. However, they won't remove the bank pin! Using a bank pin will ensure that you have 3-7 days to recover your account before its bank can be raided. Don't forget that you need to set the bank pin individually in both OSRS and RuneScape 3.

Find out the age of your account, and write it down somewhere safe so that you can use it in future Account Recoveries. To do this, log into OSRS and talk to Hans in the Lumbridge Castle courtyard. He will tell you precisely how old your account is, in days. You can use this information to find out the date that your account was created.

Keep a record of your old passwords and payment receipts so that you can use them in future Account Recoveries.

Use Google Chrome when submitting your RuneScape Account Recovery form. I dislike Chrome, but it seems that the form doesn't work properly in Firefox.

Future

Incidentally, my account was stolen the day after Jagex announced sweeping improvements to account management and security. These changes are very welcome—if they had existed earlier, it wouldn't have been possible to steal my account like this. Hopefully Jagex follows through and gets them implemented by the end of the year.

There's also this little snippet hidden at the end of the page. Maybe we'll be able to get help from real support staff in the future?

Live Chat with Customer Service
Additionally, we are also investigating additional service enhancements. We are in the process of upgrading the Support Centre and will explore offering a form of live chat for some support queries to understand the challenges and benefits to players before we determine if this is something we can roll out to some or all players.

Do you have any thoughts or feedback? Let me know via email!