Welcome!

By registering with us, you'll be able to discuss, share and private message with other members of our community.

Sign up now!

OSRS Looks like my botting is over. Got hacked. How?

Joined
Mar 15, 2017
Messages
11
Logged in this morning and discovered I was in Lumbridge. Bunch of weird things in my inventory. Checked my bank and my gold is gone.


Runemate is the only program I've downloaded regarding runescape. I'm an I.T. professional, so I'd like to assume that I have enough know-how to not get hacked. It's a password I've used nowhere else so I can't be side-swiped if another. It's a 16-character long password, so I doubt in my month and a half of runescape someone's been brute-forcing my account. With all of this, I shouldn't need two-step authentication if I don't give anyone the chance to actually get into my account. Guess I did.

List of bots used:
AIOCannonballs
Alpha Agility
Awesome Mining
Awesome Motherlode
BTWoodcutter Pro
Celestial Fletcher
Divine Herblore Pro
Galaxy Runecrafter
Guru Blast Furnace
Maxicooker Pro
Maxifisher
Maxifletcher PRo
MaxiThiever
MaxiWoodcutter Pro
Open Fighter
Prime Fishing
Prime Rock Crabs
Quality Smither
Quality Smither LITE
QVE SPinner V2
RegalFires


Deuces. Can't trust the botting community. I've got 8.21 in my wallet that'll just sit there.
 
¯\_(ツ)_/¯
Joined
Jun 23, 2015
Messages
166
HfjUJnU.jpg
 
I've been called a god before.
Joined
Aug 5, 2014
Messages
3,212
Logged in this morning and discovered I was in Lumbridge. Bunch of weird things in my inventory. Checked my bank and my gold is gone.


Runemate is the only program I've downloaded regarding runescape. I'm an I.T. professional, so I'd like to assume that I have enough know-how to not get hacked. It's a password I've used nowhere else so I can't be side-swiped if another. It's a 16-character long password, so I doubt in my month and a half of runescape someone's been brute-forcing my account. With all of this, I shouldn't need two-step authentication if I don't give anyone the chance to actually get into my account. Guess I did.

List of bots used:
AIOCannonballs
Alpha Agility
Awesome Mining
Awesome Motherlode
BTWoodcutter Pro
Celestial Fletcher
Divine Herblore Pro
Galaxy Runecrafter
Guru Blast Furnace
Maxicooker Pro
Maxifisher
Maxifletcher PRo
MaxiThiever
MaxiWoodcutter Pro
Open Fighter
Prime Fishing
Prime Rock Crabs
Quality Smither
Quality Smither LITE
QVE SPinner V2
RegalFires


Deuces. Can't trust the botting community. I've got 8.21 in my wallet that'll just sit there.
Yeah my smither took it.
 
Joined
Mar 15, 2017
Messages
11
Those two quotes don't add up lol
Two-step authentication is an additional layer of security in case an attacker aquires your password.
It's so Susie-Joe can't overhear you tell someone your password over the phone and then put it in. There's the second step.
If they never aquire your password, you don't have a problem.

The Runemate client is the only place that has my password saved.
Hacking isn't some magical thing that happens. I want to know who, aside from Runemate, got my password. That's my logic.
I'm trying to peg another source outside of Runemate, but there's no other vulnerability that I can clearly see. Unless the low-quality posts on the 2007scape reddit has a secret RAT embedded, I'm genuinely curious.

I botted 'cause I stopped having fun in RS with the grind. Botting was neat 'cause I saw numbers go up. It's not the end of the world. I don't regret my time doing it and do not request a refund of any sorts.

Now I'm just curious on what could have possibly happend so I can avoid that in the future when I get the itch to continue.
 
Yeah my smither took it.

I tend to rule out anyone that frequents the forum :p
That and I think I used it the least of them all (though length wouldn't correlate chance). I think you got a dime out of me :(
 
I've been called a god before.
Joined
Aug 5, 2014
Messages
3,212
Two-step authentication is an additional layer of security in case an attacker aquires your password.
It's so Susie-Joe can't overhear you tell someone your password over the phone and then put it in. There's the second step.
If they never aquire your password, you don't have a problem.

The Runemate client is the only place that has my password saved.
Hacking isn't some magical thing that happens. I want to know who, aside from Runemate, got my password. That's my logic.
I'm trying to peg another source outside of Runemate, but there's no other vulnerability that I can clearly see. Unless the low-quality posts on the 2007scape reddit has a secret RAT embedded, I'm genuinely curious.

I botted 'cause I stopped having fun in RS with the grind. Botting was neat 'cause I saw numbers go up. It's not the end of the world. I don't regret my time doing it and do not request a refund of any sorts.

Now I'm just curious on what could have possibly happend so I can avoid that in the future when I get the itch to continue.
 


I tend to rule out anyone that frequents the forum :p
That and I think I used it the least of them all (though length wouldn't correlate chance). I think you got a dime out of me :(
Bot authors do not have any kind of access to your information except forum username.
Its either you logged in an open unsecured network, someone keylogged your computer or someone you know saw your password.

RuneMate has nothing to do with it.
 
Java Warlord
Joined
Nov 17, 2014
Messages
4,906
Two-step authentication is an additional layer of security in case an attacker aquires your password.
It's so Susie-Joe can't overhear you tell someone your password over the phone and then put it in. There's the second step.
If they never aquire your password, you don't have a problem.

The Runemate client is the only place that has my password saved.
Hacking isn't some magical thing that happens. I want to know who, aside from Runemate, got my password. That's my logic.
I'm trying to peg another source outside of Runemate, but there's no other vulnerability that I can clearly see. Unless the low-quality posts on the 2007scape reddit has a secret RAT embedded, I'm genuinely curious.

I botted 'cause I stopped having fun in RS with the grind. Botting was neat 'cause I saw numbers go up. It's not the end of the world. I don't regret my time doing it and do not request a refund of any sorts.

Now I'm just curious on what could have possibly happend so I can avoid that in the future when I get the itch to continue.
 


I tend to rule out anyone that frequents the forum :p
That and I think I used it the least of them all (though length wouldn't correlate chance). I think you got a dime out of me :(
Bot authors can't just read your password, and neither can the admins.
IF runemate had anything to do with it, then your runemate account got hijacked and used to login to the runescape client with your rs account.
Although there are several security measures runemate uses and offering you (such as 2 factor authentication ;) ) which prevents that from happening.

Also there are more than 1 way to get your password, we had so many cases like you who claimed runemate hacked their account for a few peanuts, which turnt out completely differently.
 
Joined
Mar 15, 2017
Messages
11
Bot authors can't just read your password, and neither can the admins.
IF runemate had anything to do with it, then your runemate account got hijacked and used to login to the runescape client with your rs account.
Although there are several security measures runemate uses and offering you (such as 2 factor authentication ;) ) which prevents that from happening.

Also there are more than 1 way to get your password, we had so many cases like you who claimed runemate hacked their account for a few peanuts, which turnt out completely differently.


I can understand that and I'd hope that layer of security would be implemented. What's boggling is how it happened, then. From my end, there's no way my password leaked out. I don't care about others because I'm not others. Let others show me their certifications and I'll lump myself in with them. From Runemate's end, there should be no way my password was seen.

There's a lot of ways to get someone's password, you're absolutely right.
But I have to consider:

I had all of 4 mil in the bank. I'm nothing worth targeting so no one was trying to get into MY account. If I didn't give my password to anyone nefarious, then I was in a list of sorts, they logged in and took the easy cash stack (had nothing else of value) and vanished. But that'd require me giving my password to a big password collector.

It doesn't make a lot of sense. The only way it makes "sense" is finger-pointing.
I'd like some guesses on how it could possibly have happened, bearing in mind a security background.
 
Fire caper
Joined
May 19, 2015
Messages
296
I bet that you won't get anywhere with this discussion.
The lesson you learned here was that you should always use two-step authentication rather than password only.
 
Java Warlord
Joined
Nov 17, 2014
Messages
4,906
I can understand that and I'd hope that layer of security would be implemented. What's boggling is how it happened, then. From my end, there's no way my password leaked out. I don't care about others because I'm not others. Let others show me their certifications and I'll lump myself in with them. From Runemate's end, there should be no way my password was seen.

There's a lot of ways to get someone's password, you're absolutely right.
But I have to consider:

I had all of 4 mil in the bank. I'm nothing worth targeting so no one was trying to get into MY account. If I didn't give my password to anyone nefarious, then I was in a list of sorts, they logged in and took the easy cash stack (had nothing else of value) and vanished. But that'd require me giving my password to a big password collector.

It doesn't make a lot of sense. The only way it makes "sense" is finger-pointing.
I'd like some guesses on how it could possibly have happened, bearing in mind a security background.
I agree that it seems kinda shady that runemate requires you to enter account data in order to bot, but then again, you can just provide false credentials and just go without the automatic login handler.

Prior, some user's siblings were the ones who stole the gp, that's just one example of how some people just suspect the wrong parties (I could search the thread with this if you want me to).

The hacker may have gotten your runemate password by cross-referencing a leaked userbase on another site where you use the same password or something like that, such things have happened before.
But like i said, both runemate and runescape offer 2FA for those very cases, imo everybody should use those measures.
 
Joined
Mar 15, 2017
Messages
11
I agree that it seems kinda shady that runemate requires you to enter account data in order to bot, but then again, you can just provide false credentials and just go without the automatic login handler.

Prior, some user's siblings were the ones who stole the gp, that's just one example of how some people just suspect the wrong parties (I could search the thread with this if you want me to).

The hacker may have gotten your runemate password by cross-referencing a leaked userbase on another site where you use the same password or something like that, such things have happened before.
But like i said, both runemate and runescape offer 2FA for those very cases, imo everybody should use those measures.

You're quite right. My account is still unbanned, so at least I didn't bot stupidly. Still have all those nice stats. I can blast furnace my way back to my lofty rich-man status of 4 mil. I'll come back in a few months and give it a go. Better change my runemate password though so they don't steal all 8 of my dollars by the time I feel like playing again.

I tried my best not to sound like a whiny child while posing security questions; I'm not sure I was all that successful :oops:

Thanks everyone.
 
Java Warlord
Joined
Nov 17, 2014
Messages
4,906
You're quite right. My account is still unbanned, so at least I didn't bot stupidly. Still have all those nice stats. I can blast furnace my way back to my lofty rich-man status of 4 mil. I'll come back in a few months and give it a go. Better change my runemate password though so they don't steal all 8 of my dollars by the time I feel like playing again.

I tried my best not to sound like a whiny child while posing security questions; I'm not sure I was all that successful :oops:

Thanks everyone.
Oh don't worry, your arguments were all justified, glad we settled this without escalating :)
 
Client Developer
Joined
Oct 12, 2015
Messages
3,760
RuneMate doesn't have access to your account details, they're all encrypted client-side before being shipped to us.

The only way RuneMate can possibly be involved is if your RuneMate account was compromised (so having someone have access to the email address with the 2FA associated with it) and they used RuneMate to log into your accounts. This, however, does not appear to be the case as you have no associated IPs on your account.

I've seen these threads numerous times in the past and in every instance the poster has always found themselves to be at fault.
 
RuneMate Staff
Joined
Oct 2, 2015
Messages
3,224
RuneMate doesn't have access to your account details, they're all encrypted client-side before being shipped to us.

The only way RuneMate can possibly be involved is if your RuneMate account was compromised (so having someone have access to the email address with the 2FA associated with it) and they used RuneMate to log into your accounts. This, however, does not appear to be the case as you have no associated IPs on your account.

I've seen these threads numerous times in the past and in every instance the poster has always found themselves to be at fault.

Furthermore, there is no way we would risk our reputation over hacking one person's account.
 
Discord: https://discord.gg/VPzHwCm
Joined
Oct 28, 2015
Messages
404
Has happened to me. Implemented an authenticator and haven't had problems since.
 
Noticeably F.A.T.
Joined
Jan 23, 2017
Messages
370
I'm having a similar issue.
I woke up this morning, and my sister was gone.
I checked logs from my bots.

List of bots used:
Alpha Agility
Alpha Fighter
Guru Blast Furance
MaxiThiever
Divine Magics
RegalAbyss
RegalFires

My sister is an I.T professional and doesn't deserved to be kidnapped.
Shame in runemate
 
Joined
Mar 15, 2017
Messages
11
RuneMate doesn't have access to your account details, they're all encrypted client-side before being shipped to us.

The only way RuneMate can possibly be involved is if your RuneMate account was compromised (so having someone have access to the email address with the 2FA associated with it) and they used RuneMate to log into your accounts. This, however, does not appear to be the case as you have no associated IPs on your account.

I've seen these threads numerous times in the past and in every instance the poster has always found themselves to be at fault.

Thank you. That's reassuring when I get back into it. Not completely, as I don't quite trust something to be bulletproof but I doubt an individual would expend resources to crack into Runemate like that. I got an email alert about my Twitter account from years ago being logged into, so it's looking like a side-swipe attack. Until I got confirmation of how Runemate stores the cached credentials, I couldn't rule it out. I still haven't ruled it out, but there are many other things that are much, much likelier.

Furthermore, there is no way we would risk our reputation over hacking one person's account.

This looks to be a tighter-knit community. It'd be pretty easy to discredit someone who's new and not risk reputation. I did not have knowledge of the pre-encryption and that authors do not receive any credentials. That's my mistake for the statement without research.

I'm having a similar issue.
I woke up this morning, and my sister was gone.
I checked logs from my bots.

List of bots used:
Alpha Agility
Alpha Fighter
Guru Blast Furance
MaxiThiever
Divine Magics
RegalAbyss
RegalFires

My sister is an I.T professional and doesn't deserved to be kidnapped.
Shame in runemate

No need to hijack this thread. Go make your own.
On an unrelated note: What T.V. show makes her shut up?
 
Noticeably F.A.T.
Joined
Jan 23, 2017
Messages
370
Thank you. That's reassuring when I get back into it. Not completely, as I don't quite trust something to be bulletproof but I doubt an individual would expend resources to crack into Runemate like that. I got an email alert about my Twitter account from years ago being logged into, so it's looking like a side-swipe attack. Until I got confirmation of how Runemate stores the cached credentials, I couldn't rule it out. I still haven't ruled it out, but there are many other things that are much, much likelier.



This looks to be a tighter-knit community. It'd be pretty easy to discredit someone who's new and not risk reputation. I did not have knowledge of the pre-encryption and that authors do not receive any credentials. That's my mistake for the statement without research.



No need to hijack this thread. Go make your own.
On an unrelated note: What T.V. show makes her shut up?

That's a trick question. That can't happen.
 
Top