https://www.gog.com/forum/general/account_hack

Another stolen account, I think it's time this was quashed, so here's a link to the wishlist voting for it: http://www.gog.com/wishlist/site/twofactor_authentication_sms_security_2fa
Post edited October 03, 2015 by haydenaurion
Voted.....
Two Step
misteryo: Two Step
Dammit, you got me. :P
Those hacked accounts are because of people's carelessness about their stuff.

Even 1000-steps won't help if someone infects their PC with malware or uses "123" passwords.

Meanwhile caring users will have additional hassle to go through.
Sarisio: Those hacked accounts are because of people's carelessness about their stuff.

Even 1000-steps won't help if someone infects their PC with malware or uses "123" passwords.

Meanwhile caring users will have additional hassle to go through.
Then why not at least make it optional like Steam Guard?
Post edited October 03, 2015 by haydenaurion
Signed!
Sarisio: Those hacked accounts are because of people's carelessness about their stuff.

Even 1000-steps won't help if someone infects their PC with malware or uses "123" passwords.

Meanwhile caring users will have additional hassle to go through.
and what is your point? Maybe it would be beneficial for us smarter individuals!
Post edited October 03, 2015 by darthspudius
haydenaurion: Then why not at least make it optional like Steam Guard?
And disabled by default.

But then result: careless people won't use that option as they aren't really caring. Waste of resources.

And having such things enabled by default is doing your caring customer a disservice.
darthspudius: and what is your point? Maybe it would be beneficial for us smarter individuals!
For as long as there are enough careless users and users with "123" passwords, hackers are satisfied and don't work on more elaborated hacking and phishing tools. Which on its own is beneficial.

Anyway, there is no need to seed panic. There will always be hacked accounts, because there will always be careless people and hackers, who will use opportunity to steal their accounts. Of course everyone can become victim of some inventive hackers, but it should be taken as lesson for future instead of being used as reason to add more hassle for others.
Post edited October 03, 2015 by Sarisio
haydenaurion: Then why not at least make it optional like Steam Guard?
Sarisio: And disabled by default.

But then result: careless people won't use that option as they aren't really caring. Waste of resources.

And having such things enabled by default is doing your caring customer a disservice.
darthspudius: and what is your point? Maybe it would be beneficial for us smarter individuals!
Sarisio: For as long as there are enough careless users and users with "123" passwords, hackers are satisfied and don't work on more elaborated hacking and phishing tools. Which on its own is beneficial.

Anyway, there is no need to seed panic. There will always be hacked accounts, because there will always be careless people and hackers, who will use opportunity to steal their accounts. Of course everyone can become victim of some inventive hackers, but it should be taken as lesson for future instead of being used as reason to add more hassle for others.
Agreed, but we should still have the option.

I just still find it really odd that we really didn't see these reports of stolen accounts until The Witcher 3 and Galaxy launched. I don't think it's asking too much to have the option of two-step to give some peace of mind.
Post edited October 03, 2015 by haydenaurion
Sarisio: And disabled by default.

But then result: careless people won't use that option as they aren't really caring. Waste of resources.

And having such things enabled by default is doing your caring customer a disservice.

For as long as there are enough careless users and users with "123" passwords, hackers are satisfied and don't work on more elaborated hacking and phishing tools. Which on its own is beneficial.

Anyway, there is no need to seed panic. There will always be hacked accounts, because there will always be careless people and hackers, who will use opportunity to steal their accounts. Of course everyone can become victim of some inventive hackers, but it should be taken as lesson for future instead of being used as reason to add more hassle for others.
haydenaurion: Agreed, but we should still have the option.

I just still find it really odd that we really didn't see these reports of stolen accounts until The Witcher 3 and Galaxy launched. I don't think it's asking too much to have the option of two-step to give some peace of mind.
It is better to have the option than not have it at all.
haydenaurion: https://www.gog.com/forum/general/account_hack

Another stolen account, I think it's time this was quashed, so here's a link to the wishlist voting for it: http://www.gog.com/wishlist/site/twofactor_authentication_sms_security_2fa
The wishlist item should be more detailed before I can vote for it. For instance:

- Overall, it should be optional.

- I have no interest to spread my personal phone number to all international stores and web sites, just for extra verification (since one of the suggestions was an SMS verification; I don't want to use one).

- More specifically, I am all for email and password changes triggering a verification to some email address, there it makes sense. However, the hotmail/Steam-like two-step verification when you are merely trying to access your account with a web browser abroad (or because the cookies are cleared) is a definite no-no to me. I always have big issues reading my Hotmail email abroad because of that stupid shit.

Instead of that, yes for an email notification (not verification) if my account is accessed from a new computer or abroad.

So in short: yes for two-step email verification for email and password changes, and notifying if the account is used in a new place/computer. No to everything else (can be optional, I don't care).
Post edited October 03, 2015 by timppu
Voted a long time ago. Also it should be optional but default on.
haydenaurion: I just still find it really odd that we really didn't see these reports of stolen accounts until The Witcher 3 and Galaxy launched.
I don't find it odd. There were probably lots of new GOG accounts created during The Witcher 3 launch, especially due to those NVidia codes. This also garnered attention among the hackers and people wanting to make extra money with stolen accounts. Hence, GOG became a big target, especially as they found out GOG doesn't have strict two-step verification like many other sites or services (like Steam).

I don't think it has anything to do with the Galaxy launch (which happened to take place at the same time). Some people who had not used Galaxy nor TW3 have also reported their account being hacked. The most probable explanation is using the same password/username combination somewhere else, or having some keylogger malware on your PC, like Windows 10.
Post edited October 03, 2015 by timppu
Sarisio: And having such things enabled by default is doing your caring customer a disservice.
Why? As long as it can be easily switched off, I say keep it enabled by default for new users so that there will be less hacked accounts _by default_.

But to me the important part is that there should be several options for the security, not simply a "have everything enabled" (even things that I personally find a true pain in the ass) or everything disabled.

As I said, I'd enable two-step verification for changing email address and password (and possibly some other user options, albeit I don't care that much if some hacker manages to change my avatar picture...), and enable GOG to notify me in email if the account is accessed on a new PC or country. Everything else disabled.
haydenaurion: I just still find it really odd that we really didn't see these reports of stolen accounts until The Witcher 3 and Galaxy launched.
timppu: I don't find it odd. There were probably lots of new GOG accounts created during The Witcher 3 launch, especially due to those NVidia codes. This also garnered attention among the hackers and people wanting to make extra money with stolen accounts. Hence, GOG became a big target, especially as they found out GOG doesn't have strict two-step verification like many other sites or services (like Steam).

I don't think it has anything to do with the Galaxy launch (which happened to take place at the same time). Some people who had not used Galaxy nor TW3 have also reported their account being hacked. The most probable explanation is using the same password/username combination somewhere else, or having some keylogger malware on your PC, like Windows 10.
I'd still feel better with an option for two-step. I really don't want to have to wait for days for support (missing sales) and then pray I go through the steps correctly to get back control of my account.

Edit: And the greater attention from hackers from TW3 and Galaxy launch is exactly why gog needs two-step.
Post edited October 03, 2015 by haydenaurion