Insert your many gamers joke here:

And not a single announcement has been made on Gog. "Hey, quite frankly we don't give a shit, as usual, but at least you can buy Hunniepop 2 on Gog." - CD Project Red. Epically pwned. Lol.

Why would GOG make a statement? They are not CDPR.

At least we can buy HuniePop 2. Worth it!

Kinda like how some people got our hands on Nancy Pelosi's laptop during the raids. Surprise, nothing released. I'll bet we'll only have the damaging bit. Ignore the guy on the left, he's full of it.

On another note, looks like GOG is having trouble staying up. The bear's having trouble holding the world for the past hour.

I don't know... This looks alot like a generic one to me... I'm gonna go out on a limb here and say that someone goofed hard core and got a drive by on this one.
Says CDP, not CDPR. I also noticed some issues with the servers in the past few hours, too. Would not be surprised if this was a driveby and they got everything 'cause i feel like everything's stored in the same place.
Let me be blunt on 2FA:

1. They tend to let you know if you got in, by telling you to check your email.

2. Most people use the same passwords everywhere.

I had a few more, but they left my head. Stuff going on IRL, here, right now. If passwords are raincoats, then 2FA is wrapping your cellphone in tinfoil after putting it in airplane mode ('cause it may or may not hurt you).

Obfuscation is for suckers. Wait until you get your first malicious employee and you'll be done for. You need to protect from within as well as without. If your top level admins or senior data boys are out to get you, then its probably game over (those guys should be triple vetted), but anybody else should be manageable.

Otherwise, don't forget compartmentalising different parts of your system (putting a wall between the various parts of a city is not the same thing as just putting 3 outer walls). Ideally, different parts of the system should only have access to what they need to function and nothing more. It greatly mitigates losses when someone compromises something.

Also, you need good alerting (which hopefully won't get drowned out in a sea of noise). All the barriers in the world will only be momentary respite if you're not even aware that someone is trying to break in or has broken in and they have all the time in the world to do their thing.

I'd be lenient on this one. GOG is a medium-sized company and the security landscape is a clusterf*ck. Most places either don't have a dedicated security team or don't have one that is well integrated with the rest of the teams (ie, actually aware of what developers are doing on the ground).

Also, last time I checked, universities didn't really include security in their curriculum so its something graduates have to pick up afterwards on the job or in their own time. And then, you have a whole bunch of people who don't even have a formal education or some kind of certification that show they have at least a rudimentary grasp of sound software development principles (you can get mad coding skills and still be pretty ignorant of the underlying building blocks of software systems). I mean, you know that there is a problem when you take a good honest look at the number of junior, intermediate or even senior developers that don't even understand, abstractly without going into encryption details, how a certificate chain works.

Also, some people with genius-level intellect are spending all their time figuring out how to break into systems and not all of them are doing it as security professionals to report flaws. They will do clever mind-bogging things like do statistical inference to determine the approximate value of secret keys if the time to encrypt/decrypt is dependant on the value of the key or go through humongous codebases that a lot of real world systems depend on, patiently looking for that vulnerability that everybody else missed.

And to make it worst, you can't really test for that stuff, because most attack vectors involve interacting with the system in ways that would never occur normally under non-malicious usage.

Its a mean world out there and if putting something important in production doesn't terrify the living daylight out of someone, then they're probably not the right person to manage a production system. It is a beast.

You've made some serious considerations there, sir. Specially the part about how students are graduating with incomplete formation in a necessary area such as security.
I've read it patiently and pleasantly, as a studant myself, so, I thank you for the shared knowledge.

The problem with IntSec teams is that they're a lot like IT teams; they're best when they're invisible as that means all is well, which to idiot management teams & bean counters raises the question of, "What are we paying you for?" to which most engineers have trouble kneeling down to their semi-sentient simian counterparts to say in lay terms in a summarized cliff notes what they do.

But as many have repeatedly said in this thread, the weakest link isn't your firewall, but that receptionist who chews bubblegum on a phone call who gets socially engineered into letting someone past the gates who so happens to be carrying an outside USB stick.

And nobody thinks to manage the groups or wheel to prevent content not specifically from within the building from even being allowed to execute (though I'm not even sure Windows has such fine grain control, even with group policies because it's that backwards at times.)

I don't even work in InfoSec or IT and these are just some basic things that came to mind.

You nailed everything as if you do.

It would be nice, if only for informational matters, to know how the hack relates to GOG. Was anything from GOG taken, is anything or anyone at risk. Is there nothing to fear...etc.

Just something simple and quick to either put us at ease, or give us an alert to change things up if we need to.

You may not work in InfoSec, but you got it right indeed (hit the nail on the head, as they say). Not even the most secured software infrastructure can withstand social engineering attacks. Training people to have a security mindset is rarely done and most times a big part of the problem.

Maybe for the same reason for "to enter CDPR forum you need GOG account".
Yes, GOG is not CDPR, but they are from the same family of CDP so there could be some data share.
Even if GOG's users are safe, GOG should at least inform them that they are safe.

Hey, whatever makes you more interested in keeping your data secure.