My account was hijacked this morning and the account email was changed. This is with a unique password only used for my GoG account. I received an email to the original email account confirming the email address had been changed AFTER it had been changed. GoG why are you not confirming an email change via EMAIL before allowing an email change/update to go through? I have two-step verification on my email address, if I had gotten an email asking for permission to change my email address in my inbox then no one hijacks my account. Change the process for updating email addresses and please review my support ticket, as of right now I don't have ownership over my account.

Frustrated -

You and many other people are having the same problem, including myself. We're all still waiting for some information :/. Hopefully you will have better luck.

Sorry to hear it friend -

Email verification is an excellent idea!

Do write in 2 support abt this issue, u r not the only 1 experiencing this prob. All the best 2 recovering ur account. :)

I don't have an email.

I really don't understand why gog doesn't implements some sort of two factor authentication.

GOG should add 2-step carrier pidgeon verification.

Make it ravens and you're on.

Wonder if clicking a link in the original email notified to say "no this was not requested" to instantly change it back and then require a password change would help? It's time to break out the blood sample verification I tell ya. Ok maybe too extreme.

I'm very sorry to hear that, mate. Maybe I should strengthen up my password a bit! Can you describe to us how strong it was? (About how many characters long was it? Did you mix upper and lower characters? Digits or symbols?)

About email verification... well, it sounds perfectly obvious now. But, what if it was your email account that was hijacked? How would you then point your GOG account to the new one? You might never be able to fix that (unless you contacted tech support -- hmm, that might work...).

May I propose, lets say... delaying the change of email address for 24 or 48 hours? This does not sound like a big problem for a GOG user, and could help reduce this kind of account hijacking.

In this way, changing the email address would trigger an automatic email to your previous and new address, letting you know of the countdown and the change being made. This notice may trip the "cracked account" alarm sooner, as I expect people to pay more attention to their inbox than their GOG account (unless you are tinyE, but he seems to be an unique individual).

During this change period you would still be able to reset the GOG password, as the transition had not happened yet.

This would be ideal.

If your account is hijacked how would you be able to know?
Authy is a great 2 step verification program.

I'd like to know this as well. If anyone else who's had the same experience as the OP would chime in, all the better.