Myself and several other users have received emails from Jagex:



As you can see I have recieved two myself, I'm curious as to exactly how many other users have been affected.

__________________
Runevillage member #46

I got one too, as did Twobit. Unsure what is happening, but as long as they don't get in, I'm happy.

__________________

*sets recoveries and email*

__________________

I just checked i got one too, good job the MSN password is unique to any other password i have. Or is it.

__________________



There are 10 types of people in the world, the ones that understand binary, and the ones that don't.

Thanks Lou for the help with the avatar.

Too late, stolen your account already. <3

__________________

It's no coincidence that a noob posted here the other day wondering why he couldn't access user profiles.

__________________

Struggle is Nature's way of strengthening it.

I keep getting logged out of RV when I try to open the page despite having it set to log me in automatically. And then I have to do the stupid captcha thing every time. So yeah, something is going on. I havn't had that E-mail.

Someone captured the username option on account profiles it seems like and is running a cracker on the list, so yea nothing we can do now to stop it, just hope you dont have a dictionary or other easy pass and change it now.

__________________

Priest of Saradomin as of Thu Feb 16, 2006 8:46 am
I'm the 465th person to get 1000th posts!

Yeah, I got one as well

__________________

And how exactly does one's username allow access to their password? Security doesn't work that way; if you mean trying to brute-force passwords, the server isn't going to allow very many requests before it starts requesting CAPTCHAs. The only attack vectors here are using easily guessable passwords or using the same password on a compromised site that doesn't secure its passwords. The forum software here uses per-user salting with several layers of MD5 hashing to slow down the process and make it unfeasible to brute force, if I recall.

(Not that you shouldn't change your password if it's overly simple, though.)

lurn2crack

you use https proxys, which you can easily find large lists of them online. The program works like this, it has a username list, password list, proxy list, it starts on proxy #1 and goes to username #1 with pass #1 and it then goes down list of passes, after it reaches end of the pass list it goes down to the next username, if the program encounters a captcha is switches proxy. Eventually when you run out of proxys the first one has been past the hour security thingy for logging in or however long it is and it starts over, any succesful logins are recorded.

__________________

Priest of Saradomin as of Thu Feb 16, 2006 8:46 am
I'm the 465th person to get 1000th posts!

After 2 incorrect attempts at logging in on an account on RuneVillage, the board requires the completion of a CAPTCHA indeed. To counter-act against proxies and automated bot-farms, the CAPTCHA will always need to be filled in when you try to log in, even if you weren't the one who failed to login twice.

It's annoying, but it's the only efficient way to deter password guessing.

Also, Fire_Adept is right about the MD5 hashing and salting.

We've been making it as hard as possible to harvest nicknames by making the userlist unavailable for newly registered users. But there are only so many things that you can do against it all since we don't want to break the feature itself either.

Greetings,
Glodenox

__________________
XML, SOAP, XSLT, JavaScript, SQL, Java, CSS, PHP, Scheme, JSP, C#, ASP.NET, VB.NET, PL/SQL, Visual Basic 6.0, C/AL and C (sorted well to less known).

Yeah last week I tried to login and it said I maxed out on login attempts...

__________________


Painting by mousersix.

i had my rs, email, and rv accounts hacked into just a 2 days ago, everything is good now, but something fishy is going on

__________________

Learn how rs works, you can only have 6 failed login attempts before you cannot try again for 5 minutes, this is based per account, not per ip. Thats 7200 password attempts per day, there are over 250000 words in the english dictionary alone, even brute force could take days/weeks/months to guess even an easy password, which I hope no-one uses anymore.

__________________
Runevillage member #46

Someone tried to hack into my RV account and failed, certain problems arosse (sp?) for me, but now it is sorted.

Much Love Glodenox <3

__________________



There are 10 types of people in the world, the ones that understand binary, and the ones that don't.

Thanks Lou for the help with the avatar.

Well I apologize, in the past it was not based on account, but per IP.

__________________

Priest of Saradomin as of Thu Feb 16, 2006 8:46 am
I'm the 465th person to get 1000th posts!

That's creepy. I haven't gotten anything from Jagex, and nothing on my RV account either, although several months ago I had to fill in a Captcha a few days in a row, now that I think about it.

I do use the same password for a lot of trivial things, though (though my RS and RV passwords are unique to themselves.) Ever since XKCD posted this comic, I've made sure the important passwords (like banks and stuff) are unique. It's scary but true!

__________________


.

.Legendary themed months are back! Maybe.

!!!!!!!!!!!!!!!!!!!!!!!!

Only thing i can think that we all definately came into contact with was the RS Radio . But i doubt it's that alot.

__________________



There are 10 types of people in the world, the ones that understand binary, and the ones that don't.

Thanks Lou for the help with the avatar.

Never trusted those guys.

__________________

Struggle is Nature's way of strengthening it.