WinterSnowfall: In my case it disregards any cookies I might have - if my IP changes for some reason, I get the 2FA prompt on login.
Hmmm, for me it doesn't; it practically never kicks in as long as I use e.g. Chrome (which keeps the cookies; in Firefox I've set it to clear all cookies when exiting the browser), even though I sometimes use my mobile phone for internet access and sometimes the cable modem, on this same PC.

Maybe it is then more complicated, e.g. GOG remembers a few IP addresses you have used, and it kicks in only if you use a completely new IP address? I haven't tracked whether I keep getting the same two IP addresses from my mobile phone and the cable modem each time.
Everyone who reports the problem indicates that the connection location comes from Brazil. And it's the same for everyone. It is an attempt at piracy.
Ravensxw: There are others who also report the problem. It is not a coincidence. And I made checks on my PC, there is nothing, no virus, no keylogger.
I didn't mean you would be the only case. What I am saying is that if someone really got hold of (all, or most) GOG users' login information due to some data breach on GOG, then all hell would break loose and we would see lots of similar reports.
Ravensxw: There are others who also report the problem. It is not a coincidence. And I made checks on my PC, there is nothing, no virus, no keylogger.
timppu: I didn't mean you would be the only case. What I am saying is that if someone really got hold of (all, or most) GOG users' login information due to some data breach on GOG, then all hell would break loose and we would see lots of similar reports.
Other people also report the problem with a connection from Brazil. So there is something.
timppu: Ok so I just tested it, and yes, it seems 2FA (the verification code email) is triggered only if you give the right password, but are connecting from a different IP address (than in your previous successful login) and have no valid login cookie (e.g. using a new PC or browser, or having deleted your cookies from your browser).

Meaning, yes that hijacker abroad has somehow got hold of your password for that account (email address). Have you used the same username (or email address) and password combination on some other web sites or services too? That's the most probable way they have got hold of it, e.g. you have used the same email/password on some dodgy site, or a site whose user database was breached. I guess there are other possibilities as well (malware like a keylogger on your PC).

It seems you were saved by 2FA (the hijacker couldn't log in even though they knew your password), but I guess you should change the password now, to something that you haven't used elsewhere. And run a virus scan.

What I personally would want to know is what the conditions are for CAPTCHA (those picture boxes you have to tick) to appear. Sometimes I've felt that e.g. giving a wrong password too many times triggers it, but e.g. right now I gave the wrong password twice (to test that no 2FA code email is sent to me), and no CAPTCHA.
Which is funny. I logged in from my tablet after deleting and reinstalling my browser. My cookies were lost from the uninstall, but no 2FA was triggered. I was concerned. I also logged in using a new browser. Steam's 2FA triggered but GOG's didn't. And I definitely have it enabled on my account. It seems to be patchy at best.
WinterSnowfall: Or it could be a Galaxy vulnerability... just saying. At least it's worth looking into it.
I guess it is possible (I don't currently use Galaxy, not sure if Koliup or Ravensxw do either). However, considering how many Galaxy users there must be by now, again I think such a generic "data breach" among Galaxy users would probably trigger far more reports.

I still think the most probable explanation at least for most cases is that some other site was breached (or even the purpose of that site was to collect people's email addresses and passwords), and some folks in Brazil are now going through those on various other sites, trying to catch cases where people have used the same password. It might be some old site where people have simply forgotten they have ever created an account, visited only once there.

But anything is possible, I guess. I am just thinking of the most probable explanations.

paladin181: Which is funny. I logged in from my tablet after deleting and reinstalling my browser. My cookies were lost from the uninstall, but no 2FA was triggered. I was concerned. I also logged in using a new browser. Steam's 2FA triggered but GOG's didn't. And I definitely have it enabled on my account. It seems to be patchy at best.
Interesting indeed. I get 2FA on GOG every time if I clear the cookies on Firefox and switch the internet connection from the cable modem to the mobile internet (or vice versa).

EDIT: And even more interesting that WinterSnowfall reports the opposite, i.e. he/she gets the 2FA on GOG even with valid cookies, when merely the IP address changes. So now we have three completely different experiences of what triggers the GOG 2FA. :) Maybe it is then more complicated and "smarter" than I thought.

EDIT2: However, did your IP address change? Like I said before, merely clearing the cookies does not trigger 2FA, if your (public) IP address remains the same. If GOG was seeing the same public IP address from your tablet (or the router to which the tablet is connected?), then GOG wouldn't trigger 2FA, as far as I can tell.
Post edited November 19, 2017 by timppu
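The trigger conditions timppu describes in this thread (a verification code is sent only when the password is correct but the login comes from a new IP address with no valid login cookie), and WinterSnowfall's differing experience (an IP change alone triggers it even with cookies), as a worked model of risk-based step-up authentication. This is an added example written for this page, not GOG's code or anything posted in the thread; the account layout, the policy switch, the hashing parameters and the sample credentials are all assumptions made up for illustration.

```python
"""Risk-based step-up authentication (added example, not GOG's implementation).

A second factor (e.g. an emailed code) is requested only when the password is
correct AND the login arrives from an IP address different from the last
successful login AND no valid session cookie accompanies it.  A policy flag
models the two behaviours reported in the thread.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Outcomes returned by login().
DENIED = "denied"    # wrong password: nothing else happens, no code is sent
OK = "ok"            # correct password from a known IP or with a valid cookie
STEP_UP = "step_up"  # correct password, but a verification code must be checked first


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is an illustrative assumption.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def cookie_hash(cookie: str) -> str:
    # Only hashes of issued cookies are stored, so a leaked table exposes no sessions.
    return hashlib.sha256(cookie.encode()).hexdigest()


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    last_login_ip: Optional[str] = None          # IP of the last *completed* login
    session_hashes: set = field(default_factory=set)


@dataclass
class Policy:
    # True  -> a valid cookie suppresses the IP check (timppu's observation).
    # False -> any IP change asks for a code even with a cookie (WinterSnowfall's).
    cookie_bypasses_ip_check: bool = True


def create_account(username: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, salt, hash_password(password, salt))


def issue_cookie(acct: Account) -> str:
    """Issue a random session cookie after a completed login; return it to the client."""
    cookie = secrets.token_urlsafe(32)
    acct.session_hashes.add(cookie_hash(cookie))
    return cookie


def login(acct: Account, password: str, ip: str, cookie: Optional[str],
          policy: Optional[Policy] = None) -> str:
    policy = policy or Policy()
    # Password first: a wrong password never reaches the step-up logic, so the
    # account owner receiving a code is itself a sign the password is known to someone else.
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
        return DENIED
    has_cookie = cookie is not None and cookie_hash(cookie) in acct.session_hashes
    ip_changed = acct.last_login_ip is not None and ip != acct.last_login_ip
    if ip_changed and not (has_cookie and policy.cookie_bypasses_ip_check):
        # Do NOT record the new IP yet: it becomes "known" only after the code is verified.
        return STEP_UP
    acct.last_login_ip = ip
    return OK


def complete_step_up(acct: Account, ip: str) -> str:
    """Called once the emailed code has been verified: trust the IP and issue a cookie."""
    acct.last_login_ip = ip
    return issue_cookie(acct)


if __name__ == "__main__":
    # Constructed sample run: first login, cookie cleared, then a new network.
    acct = create_account("alice", "correct horse battery staple")
    print(login(acct, "correct horse battery staple", "203.0.113.10", None))   # ok
    cookie = issue_cookie(acct)
    print(login(acct, "correct horse battery staple", "203.0.113.10", None))   # ok (same IP)
    print(login(acct, "correct horse battery staple", "198.51.100.7", None))   # step_up
    print(login(acct, "correct horse battery staple", "198.51.100.7", cookie)) # ok (cookie)
```

The decisive design choice is that `last_login_ip` is updated only after a completed login, so an attacker who knows the password but cannot read the code never turns their own address into a "known" one; the `Policy` flag shows that both behaviours reported in the thread are small variations of the same rule.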
I use Galaxy but rarely. And I do not use this password elsewhere. And people who report the problem indicate that the connection comes from Brazil. There is a problem somewhere.

Sorry for my English.
Post edited November 19, 2017 by Ravensxw
Koliup: ...
So as someone pointed out: do you use the Galaxy client, or have you used it before?
Post edited November 19, 2017 by timppu
Here you are supposed to be able to check if you have used your username or email address on some other site/service whose database was breached:

https://haveibeenpwned.com/

I guess that site is not 100% foolproof, but apparently they try to track the known data breach cases. If GOG had had one, I'm sure it would be in the news in big bold letters soon enough.

Someone mentioned in the reddit discussion that the CDPR forums had a data breach at some point, but I don't recall seeing news about that. Is it merely a rumour? EDIT: Or maybe it happened so long ago that it isn't relevant anymore...
Post edited November 19, 2017 by timppu
timppu: Here you are supposed to be able to check if you have used your username or email address on some other site/service whose database was breached:

https://haveibeenpwned.com/

I have one such case: I have used the same email in the Linux Mint forums, which were breached a long time ago. However, I used a different password there, and of course I also changed my existing password in the Mint forums.

I guess that site is not 100% foolproof, but apparently they try to track the known data breach cases. If GOG had had one, I'm sure it would be in the news in big bold letters soon enough.

Someone mentioned in the reddit discussion that the CDPR forums had a data breach at some point, but I don't recall seeing news about that. Is it merely a rumour? EDIT: Or maybe it happened so long ago that it isn't relevant anymore...
Nexus mods, Dailymotion, Anti-public list...

EDIT: My friend doesn't use these. Nexus, Dailymotion...
The problem comes from the other side.
Post edited November 19, 2017 by Ravensxw
This happened to me some time ago. It was from Russia. I don't use the Galaxy client. And since I use just one personal computer and mobile, logging in is not so common. And despite that the password has somehow leaked out. I changed it then, and since then no one has tried to log in.
Over night I, too, got the 2FA email. My account was attempted to be accessed from Brazil also.

Is 2FA mandatory? Or can people opt out?
I'm running out the door but I saw this thread and wanted to mention that another poster here contacted me wondering if their account had been hacked as they were seeing things.

And a friendly reminder that we had someone here on the forums recently bragging about their hacking ability.

For disclosure, I came up through the hacking community. I have not tried anything here outside of a check on the SSL certificate due to a thread a while back. The posting popup still has an insecure image in it.

Ravensxw: There are others who also report the problem. It is not a coincidence. And I made checks on my PC, there is nothing, no virus, no keylogger.
Just as an aside, as this has come up before with my soccer moms and their *cough* wonderful experiences with AVG a few years back: make sure every so often you run a ***MANUAL*** update of both the software and the signature files. Automatic updates and scans shouldn't be trusted with any software, as we went through a few months where that wasn't happening because their updating was broken and no one was getting any notice of it.

timppu: Interesting indeed. I get 2FA on GOG every time if I clear the cookies on Firefox and switch the internet connection from the cable modem to the mobile internet (or vice versa).
Ditto. I have to clear everything from the browser because of ISO requirements with a few corporate clients. I see the 2FA quite a lot, although less recently. I'm usually coming here from a proxy at the office though, even if I'm elsewhere. The proxy may be retaining cookies, which would be weird...
Post edited November 19, 2017 by drmike
misteryo: Over night I, too, got the 2FA email. My account was attempted to be accessed from Brazil also.

Is 2FA mandatory? Or can people opt out?
No. It's entirely optional, but I would recommend using it. Unless someone also has your email/phone you're pretty much secure. [Protonmail for the win!]

Since this is based on IP, it should be possible to deny logins from certain regions.

Btw: By using VPN your IP often changes every login.
Post edited November 19, 2017 by sanscript
misteryo: Over night I, too, got the 2FA email. My account was attempted to be accessed from Brazil also.

Is 2FA mandatory? Or can people opt out?
sanscript: No. It's entirely optional, but I would recommend using it. Unless someone also has your email/phone you're pretty much secure. [Protonmail for the win!]
Of course I use it.

I am wondering whether, since it is not mandatory, a whole lot of users might be hacked and not know it because they do not use 2FA.
timppu: What I am saying is that if someone really got hold of (all, or most) GOG users' login information due to some data breach on GOG, then all hell would break loose and we would see lots of similar reports.
Post edited November 19, 2017 by misteryo