Runescape Dev Tracker

(2020) Possible database leak at Jagex. Stay safe.

This thread was added on June 14, 2020, with posts from Shaunyowns, JagexJD, JagexPoerkie.

Original Post

Multiple posts on Reddit recently have stated that a large influx of players have received password recovery emails (that they did not request themselves) stating their RSN inside of the email.

No word from Jagex on what has happened, whether it's a database leak or another error on their side of things.

Please be safe and only reset your password via the RS home page and NOT by clicking any links in any of the mails!

Sources: https://www.reddit.com/r/runescape/comments/h8hcp5/password_reset_email_influx/?utm_medium=android_app&utm_source=share

https://www.reddit.com/r/runescape/comments/h8aypd/which_is_a_keylogger_which_is_a_real_link/?utm_medium=android_app&utm_source=share

Based on what I've seen, this seems to only be affecting accounts with usernames only and not emails; hopefully we get an official confirmation on this.

EDIT: Worth editing to mention that in the time since I posted this initially it seems to also impact email login users as well. Jagex have an article up confirming they're investigating here, as well as /u/JagexJD's comment [here](https://www.reddit.com/r/runescape/comments/h8i13r/possible_database_leak_at_jagex_stay_safe/fusi3ox/?context=3).

Hi guys - thanks for flagging. We're aware of the reports and are investigating.

EDIT, 18:15 BST:

Hi everyone. We're aware of a number of players receiving password reset emails overnight and are actively investigating the reason behind this at present. If you haven't submitted a password recovery request and have received a reset email from us, we'd ask that you please screenshot the email (subject line and all), and send it to [email protected], so we can use it to help the investigation. We would ask that in sending us your email confirmation, you do not upload screenshots to third-party sites, such as Imgur, for security reasons.

Whilst we're investigating (we don't have a timeframe at present, but we're working hard to make it as quick as possible), we'd like at this stage to assure players that an email and account both secured with two-factor authentication will protect your account the best, no matter what the scenario - you can set this up here.

We'll update you all when the investigation is concluded. Thanks for your cooperation!

There's a PSA on our Support page which we'll update if there are any changes.

Mod JD has already replied and we'd like to keep the messaging consistent.

RS_Hates_Me

how about instead of completely ignoring the issue and saying everything is okay np, you take active measures against this blatant issue by maybe considering reworking your account security/recovery systems, as they are very flawed

Edit: nvm you edited your message, glad you guys decided to look into it

My initial message also included lines to indicate that we're investigating but that might not have been extremely clear.

JagexPoerkie

Mod JD has already replied and we'd like to keep the messaging consistent.

You did originally say that our accounts were safe and there was no breach but you appear to have edited your post entirely, any ideas why?