wpegg: Thanks for answering, can I be a little indulgent and further ask - did you share the password with multiple sites? I'm getting a little bit selfish here because mine's a 6 - 7 but it doesn't seem to be compromised, but mine is unique to this site.

I completely understand if you don't want to answer this by the way, I know I'm being intrusive.
arturotuono: One other site but I was in the process of changing passwords so this sort of struck me just as I was about to do an overhaul.
Thanks for this info, it would probably be of use to GOG if they wanted it, but there appears to be radio silence.

One other site suggests (unless it happened to be a site all other compromised accounts visited, which I feel is unlikely) that this is a direct GOG vulnerability.
BKGaming: GOG doesn't store CC info, so unless you like had a virus on your PC already... I highly doubt it has anything to do with GOG or Galaxy.
Tallima: Right. So could Galaxy be opening up a vulnerability that people can use to put a keylogger or something on your PC? That's my best guess if CC info is being stolen as well as login info. Somehow Galaxy is allowing Russians to steal our info -- quite possibly. And that's not ok. I reformatted already, but I think I'll be uninstalling Galaxy until later. Things are just getting too weird with that program.
Just checked my card account and nothing funny on my end.

As much as it pains me to say this, I wouldn't recommend anyone use Galaxy or even have it installed until we know what's going on.
Post edited June 05, 2015 by haydenaurion
No, we are not aware of any such vulnerability or any data leak. We do monitor our login servers and there is no brute force attack happening either. Keep in mind however, that:
- there were different malware apps pretending to be GOG Galaxy (see here for example: https://blog.malwarebytes.org/fraud-scam/2015/05/look-out-for-pups-claiming-to-be-gog-galaxy-client/).
- we have right now a great (record) influx of new users registering on GOG with the release of The Witcher 3: Wild Hunt. Combined with the fact that many users are reactivating their accounts for the game and promo that they haven't accessed for a long time, we have many times more active users than ever before, which obviously means more reports like that.

As long as you use a password that is considered safe (not trivial to guess and not used in any other service with the same email address) and have your computer 100% free and safe from malware and keyloggers or similar apps, then there is no reason to be worried in our opinion.

If we have any updates on this topic, we will update you.

Cyraxpt: Unless this hits the videogame media (or a big forum like neogaf) I don't think that we will hear an answer...
This topic is 6 hours old and today is a bank holiday in Poland.

Also - this isn't any new topic - we're fully aware of it, and if we believed something was wrong, we would inform you...
Post edited June 05, 2015 by Destro
Thanks for letting us know.

So, if your account was hacked and contact information changed, for future reference whom should we contact? And what's the best procedure to set things right?

I've sent a request to support (classed as "login issue") and received a receipt and sent a private text to Firek, but I have yet to receive any solid response. Should I just sit tight and wait for the cavalry to arrive?

I've only been able to post because I'm still logged in on this computer and have not cleared cookies yet.

arturotuono: 6-7, but it was a word but not in English.
If it's a word it's definitely not a 6-7 quality password, no matter what language it's from.
arturotuono: 6-7, but it was a word but not in English.
Zeyes: If it's a word it's definitely not a 6-7 quality password, no matter what language it's from.
I gave the scale, so let's not start a whole "what's a secure password" debate. He was answering me.
Post edited June 05, 2015 by wpegg
arturotuono: 6-7, but it was a word but not in English.
This is not a very good password, even if it was not in English... a password should consist of letters, numbers, and symbols, preferably at a minimum of 8-12 characters long, but the longer & more complex the better.

People trying to get past passwords always start with common dictionary words, not to mention a good password cracking program will crack that in no time, because they start with basic words...
Post edited June 05, 2015 by BKGaming
Zeyes: If it's a word it's definitely not a 6-7 quality password, no matter what language it's from.
Ωτορυνολαρυγγολόγος. Do check this for quality ;) Better yet, go with extra capitalization: ΩτοΡυνοΛαρυγγοΛόγος.

Non-English words have the extra benefit of accented letters, not to mention non-Latin characters. If the application can accept unicode passwords, the complexity increases enormously.
Zeyes: If it's a word it's definitely not a 6-7 quality password, no matter what language it's from.
wpegg: I gave the scale, so lets not start a whole "what's a secure password" debate. He was answering me.
Does not matter, if he wants to keep this from happening again... he should be told this stuff.
BKGaming: a password should consist of letters, numbers, and symbols, preferably at a minimum of 8-12 characters long, but the longer the better.
To quote Intel, "Compl3xity_<_Length"
Zeyes: If it's a word it's definitely not a 6-7 quality password, no matter what language it's from.
wpegg: I gave the scale, so lets not start a whole "what's a secure password" debate. He was answering me.
I'm saying that in the context of the scale you provided, I found his response self-contradictory. You outlined 6-7 as a reasonably strong password, but the description he gave is of a password that's probably anything but safe. Dictionary attacks are computationally cheap, going beyond English is trivial.
BKGaming: a password should consist of letters, numbers, and symbols, preferably at a minimum of 8-12 characters long, but the longer the better.
JMich: To quote Intel, "Compl3xity_<_Length"
Meh I prefer both complexity and length. :P
wpegg: I gave the scale, so lets not start a whole "what's a secure password" debate. He was answering me.
BKGaming: Does not matter, if he wants to keep this from happening again... he should be told this stuff.
Perhaps, but this victim was co-operatively sharing information with us that is very useful to ascertaining what is actually going on here. So while maybe it is "for his own good", you have to take the information in the context it was offered. Would you tell a hit-and-run victim who just described a BMW, "don't cross while a BMW is coming"?
arturotuono: 6-7, but it was a word but not in English.
Then it's technically more like 1-3 based on that scale, because if it's an actual word then it's in a dictionary and vulnerable. English word or not.

wpegg: One other site suggests (unless it happened to be a site all other compromised accounts visited, which I feel is unlikely) that this is a direct GOG vulnerability.
Not really, it suggests an easily guessable password.

Destro: - there were different malware apps pretending to be GOG Galaxy (see here for example: https://blog.malwarebytes.org/fraud-scam/2015/05/look-out-for-pups-claiming-to-be-gog-galaxy-client/).
... oh my god, why do people still not download things from their proper source? I mean, why download the GoG Galaxy client from GoG directly, when you can download it from some random sketchy website completely unaffiliated with GoG because they're never infected with malware, am I right?

Ugh! Seriously, this shouldn't even need a warning, this should be common-freaking-sense.

[edit]
JMich: To quote Intel, "Compl3xity_<_Length"
While it is true that a short complex password is easier to brute force than a long phrase of standard words, there are far too many websites that don't let you have very long passwords, making passphrases next to useless. Which is why I use a password manager to randomly generate long passwords. I get complexity, and I tailor the length to the longest the website will allow.

wpegg: Would you tell a hit-and-run victim who just described a BMW, "don't cross while a BMW is coming"?
Yes. Actually. If the victim was crossing the street into oncoming traffic, that was a very stupid thing to do. It's better to learn your lessons and why something happened. It's the only way to not make the same mistakes again in the future.

"You got hit by a bmw because you crossed the street while a bmw was coming towards you. Don't do that again and you won't likely be hit by another car in the future."

"Your account got compromised because you used a dictionary word for a password, regardless whether it was an English dictionary, don't do that again and you won't likely be compromised in the future."
Post edited June 05, 2015 by darkwolf777
JMich: To quote Intel, "Compl3xity_<_Length"
BKGaming: Meh I prefer both complexity and length. :P
True, assuming you can recall said password (or use a password manager).
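As an added example (not code from the thread, GOG, or any of the posters), the script below puts rough numbers on the two points argued above: a password that reduces to a wordlist entry, in any language and with cheap "leet" mangling undone, costs the attacker about log2(wordlist size) guesses regardless of its length, while a password-manager style random password gains roughly 6.6 bits per character, which is what "Compl3xity_<_Length" means in practice. The wordlist contents and its assumed size of ten million entries, the guess rate of 1e10 per second, the 50-character non-ASCII class, and the one-bit-per-mangled-character rule are all assumptions chosen for illustration and labelled in the code; the estimator also scores multi-word phrases as random characters, so it overstates those.

```python
import math
import secrets
import string
from typing import Optional

# Constructed stand-in for a multilingual cracking wordlist. A real list of
# "common dictionary words" runs to millions of entries in many languages, so
# membership here is only illustrative. Entries are case-folded once so the
# lookup below compares like with like (Greek final sigma folds to sigma).
SAMPLE_WORDLIST = {w.casefold() for w in (
    "password", "dragon", "welcome",
    "Ωτορυνολαρυγγολόγος",   # the Greek word from the thread
    "Schmetterling",         # German
    "contraseña",            # Spanish
)}
ASSUMED_WORDLIST_SIZE = 10_000_000      # assumed size of the attacker's real list
ASSUMED_GUESSES_PER_SECOND = 1e10       # assumed offline rate vs. a fast unsalted hash

# Cheap "leet" mangling rules that crackers try routinely; undone here.
LEET_REVERSE = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                              "5": "s", "7": "t", "@": "a", "$": "s"})
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def normalize(pw: str) -> str:
    """Case-fold, drop a trailing digit/symbol suffix, then undo leet substitutions."""
    folded = pw.casefold().rstrip(string.digits + string.punctuation)
    return folded.translate(LEET_REVERSE)


def dictionary_word(pw: str) -> Optional[str]:
    """Return the wordlist entry the password reduces to, or None if it is not one."""
    word = normalize(pw)
    return word if word in SAMPLE_WORDLIST else None


def charset_size(pw: str) -> int:
    """Per-character keyspace for a brute-force estimate, from the classes present.
    Non-ASCII characters are counted as one extra class of assumed size 50."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    if any(ord(c) > 127 for c in pw):
        size += 50  # assumption: the attacker adds a modest non-ASCII alphabet
    return size


def estimate_entropy_bits(pw: str) -> float:
    """Guessing cost in bits. A wordlist hit costs about log2(list size) guesses
    plus roughly one bit per capitalised, substituted or appended character
    (an assumption; rule-based crackers try these cheaply), whatever its length.
    Anything else is scored as uniformly random characters from its charset."""
    if not pw:
        return 0.0
    word = dictionary_word(pw)
    if word is not None:
        folded = pw.casefold()
        mangled = (sum(c.isupper() for c in pw)
                   + sum(1 for a, b in zip(folded, word) if a != b)
                   + (len(folded) - len(word)))
        return math.log2(ASSUMED_WORDLIST_SIZE) + mangled
    return len(pw) * math.log2(charset_size(pw))


def expected_crack_seconds(bits: float, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Average time to hit the password: half the keyspace at the assumed rate."""
    return (2.0 ** bits) / 2.0 / rate


def generate_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Password-manager style: uniformly random characters from a CSPRNG,
    sized to the longest the site accepts. Strength grows ~6.6 bits per char."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    samples = ["dragon", "Dr4g0n!", "ΩτοΡυνοΛαρυγγοΛόγος",
               "Compl3xity_<_Length", generate_password(24)]
    for pw in samples:
        bits = estimate_entropy_bits(pw)
        hit = dictionary_word(pw)
        how = f"wordlist hit: {hit}" if hit else "brute force"
        print(f"{pw!r:28} {bits:6.1f} bits  {how:34} ~{expected_crack_seconds(bits):.3g} s")
```

Running it shows the capitalised Greek word landing in the high twenties of bits, the same neighbourhood as "Dr4g0n!", because both collapse to a single wordlist entry plus a handful of mangling choices; the generated 24-character password sits above 150 bits, and shortening it to whatever a site's maximum is still leaves it far ahead of any single word.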