Thanks for this info, it would probably be of use to GOG if they wanted it, but there appears to be radio silence.

One other site suggests that (unless it happened to be a site all other compromised accounts visited, which I feel unlikely) that this is a direct GOG vulnerability.

Just checked my card account and nothing funny on my end.

As much as it pains me to say this, I wouldn't recommend anyone use Galaxy or even have it installed until we know what's going on.

Thanks for letting us know.

So, if your account was hacked and contact information changed, for future reference whom should we contact? And what's the best procedure to set things right.

I've sent request to support (classed as "login issue") and received a receipt and sent private text to Firek, but I have yet to receive any solid response. Should I just sit tight and wait for the cavalry to arrive?

I've only been able to post because I'm still logged in on this computer and have not cleared cookies yet.

If it's a word it's definitely not a 6-7 quality password, no matter what language it's from.

I gave the scale, so lets not start a whole "what's a secure password" debate. He was answering me.

This is not a very good password, even if it was not in English... a password should consist of letters, numbers, and symbols preferably at a minimal of 8- 12 characters long, but the longer & more complex the better.

People trying to get passed passwords always start with common dictionary words, not to mention a good password cracking program will crack that in no time, because they start with basic words...

Ωτορυνολαρυγγολό& gamma;ος. Do check this for quality ;) Better yet, go with extra capitalization: ΩτοΡυνοΛαρυγγοΛό& gamma;ος.

Non English words have the extra benefit of accented letters, not to mention non Latin characters. If the application can accept unicode passwords, the complexity increases enormously.

Does not matter, if he wants to keep this from happening again... he should be told this stuff.

To quote Intel, "Compl3xity_<_Length"

I'm saying that in the context of the scale you provided, I found his response self-contradictory. You outlined 6-7 as a reasonably strong password, but the description he gave is of a password that's probably anything but safe. Dictionary attacks are computationally cheap, going beyond English is trivial.

Perhaps, but this victim was co-operatively sharing information with us that is very useful to ascertaining what is actually going on here. So while maybe it is "for his own good", you have to take the information in the context it was offered. Would you tell a hit and run victim that just described a bmw to say, "don't cross while a bmw is coming".

Then it's technically more like 1-3 based on that scale, because if it's an actual word then it's in a dictionary and vulnerable. English word or not.

Not really, it suggests an easily guessable password.

... oh my god, why do people still not download things from their proper source? I mean, why download the GoG Galaxy client from GoG directly, when you can download it from some random sketchy website completely unaffiliated with GoG because they're never infected with malware, am I right?

Ugh! Seriously, this shouldn't even need a warning, this should be common-freaking-sense.

[edit] While true that a short complex password is easier to brute force than a long phrase of standard words, there are far too many websites that don't let you have very long passwords making passphrases next to useless. Which is why I use a password manager to randomly generate long passwords. I get complexity and I tailor the length to whatever the longest the website will allow.

Yes. Actually. If the victim was crossing the street into oncoming traffic, that was a very stupid thing to do. It's better to learn your lessons and why something happened. It's the only way to not make the same mistakes again in the future.

"You got hit by a bmw because you crossed the street while a bmw was coming towards you. Don't do that again and you won't likely be hit by another car in the future."

"Your account got compromised because you used a dictionary word for a password, regardless whether it was an English dictionary, don't do that again and you won't likely be compromised in the future."

True, assuming you can recall said password (or use a password manager).