Facepalm: Account hacking is the norm in the MMORPG genre, and players who fail to secure their accounts with two-factor authenticators often learn that the hard way. However, nothing could have protected several RuneScape players from recently losing wealth equivalent to around 100 billion in-game coins (which would sell for about $100,000 on a third-party website) at the hands of a rogue developer.
Although RuneScape has been around for well over a decade, the game is far from dead. Much like WoW, frequent content updates keep the player base hooked, and new players seem to join at a fairly regular pace.
As is the case with most popular MMOs, RuneScape also has an active third-party gold-selling community. Players will pay thousands of dollars for high-level accounts, in-game gold across Old School RuneScape (OSRS) or "RuneScape 3," and even power leveling services. For reference, 1 billion in-game coins are the equivalent of about $1,000 in real life.
Naturally, this sort of trading is against the game's terms of service, but that doesn't stop the websites that facilitate it from existing and thriving.
Given the real-world value of RuneScape's in-game currency, players with particularly large amounts of coins jealously guard their hoards against theft. They use tools like authenticators, security questions, and in-game bank pins to protect their accounts.
However, such protections are only effective against third-party attacks. What if an account hack comes directly from one of the game's developers?
In what RuneScape development studio Jagex calls a "gross misuse of moderator privileges," an employee named Jed Sanderson allegedly swiped "wealth and items" worth roughly 100 billion in-game coins from players, which equates to around $100,000 if sold on third-party websites.
This number comes from information obtained by ResetEra Administrator SweetNicole. According to mazrim, his personal losses account for about 45 billion coins, or 45 percent of the total wealth Sanderson reportedly made off with.
Though Jagex doesn't usually return player wealth after account hacks, they did so this time around, acknowledging that players can't be expected to protect their accounts from rogue developers.
As an off-and-on RuneScape player of almost 15 years myself, I'm pleased to see that Jagex handled the situation so well. They could have very easily refused to restore players' lost gold and items, as MMO developers often do.
However, I can't help but wonder how this happened in the first place. The fact that company employees can seemingly bypass even strong account protections like two-factor authentication is certainly concerning.
Regardless, the situation has mostly been resolved now. However, Jagex did issue the following update to their original statement (via PC Gamer) to squash rumors that players' banking and credit card information was also compromised:
Further to yesterday’s announcement, we can confirm that none of our players’ bank or card details were compromised. We work with an industry-respected, fully compliant third-party payment processor, to purposefully avoid staff having access to players’ full bank or card details. This also applies when players choose to save their details at payment stage for any future purchases. Jagex undergoes regular, third-party testing to ensure we maintain the highest security standards.
Naturally, Sanderson has since been terminated, and he likely won't be coming back any time soon.