misteryo: I am wondering, if it is not mandatory, whether a whole lot of users might be hacked and not know it because they do not use 2FA.
Earlier GOG switched it on for everyone, so it is enabled by default. One would have to deliberately switch it off to get rid of it. I think that was a good move because apparently there were lots of rarely used GOG accounts which got hijacked, and when the original owners later tried to access them again, they couldn't (email was changed etc.). So now everyone has the extra protection by default.

Considering how much talk there was earlier about those hijacked accounts (when 2FA wasn't enabled yet), I'd be surprised if masses of people switched it off, or, alternatively, that they did so without taking extra measures (like using a very strong password which they only use on GOG).

Even I started using 2FA at that point. The reason I didn't use it earlier was because I let Firefox clear all cookies on exit, and sometimes (when the IP address changed) that would trigger 2FA. As a workaround, I started using Chrome instead for all such sites where I want to keep the login cookies (like GOG.com and Humble Bundle), and I use Firefox for the rest.
Post edited November 19, 2017 by timppu
I can just say I also got this email. I thought I was totally hacked, so I changed the passwords on all my main accounts. So email, phone etc.

Also Brazil, and it looks like someone did it using a VPN from some kind of Brazilian company.

Change your password just in case, people. And use a different one from your other accounts.

Meanwhile, GOG, secure your site better, FFS. People have credit cards saved here.
Post edited November 19, 2017 by kuky90
Not having the website save your credit card information would probably be a plus as well.
drmike: Not having the website save your credit card information would probably be a plus as well.
Yeah, that's why I never save it. And those that do save it automatically, I go and delete it. I even double-check this.


And I got this email 15 min ago. So they haven't fixed anything yet.
Post edited November 19, 2017 by kuky90
drmike: Not having the website save your credit card information would probably be a plus as well.
It doesn't. It uses some sort of token system (I don't remember the details), and it only saves that info if you tell it to (AFAIK, a customer can still choose to manually enter the card info every time).
In other words, even if you had your card info "saved" here, the worst that would happen is somebody could buy some GOG games as gift codes to flog on other sites -- and there are limits to the quantity of gift codes one can buy here at one time, as well.
Hey guys
To give you a quick update, we've not detected anything that would seem like a breach of data on our end – but we are aware of the reports and we are monitoring the situation.

As for what you can do, like timppu mentioned drop by https://haveibeenpwned.com to see if your credentials have ever been compromised (keep in mind that list is not all-encompassing, but it's a great pointer).

If you are compromised make sure to change your password. Definitely have a unique password for your email account, and keep 2-step on. As long as you're the only one with access to your email account, 2-step is just about impenetrable.
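The post above points at haveibeenpwned.com for checking whether your credentials have shown up in a breach. The same service also exposes a Pwned Passwords "range" lookup built on k-anonymity: the client hashes the password with SHA-1 and sends only the first five hex characters, the server returns every hash suffix sharing that prefix (optionally padded with count-0 decoys), and the match is done locally, so the password itself never leaves your machine. The code below is an added example written for this page, not GOG's or HIBP's own code; the endpoint URL and `Add-Padding` header are the real API, while `fetch_fake`, its response lines and the hit count are constructed so the example runs offline.

```python
"""Check a password against the Pwned Passwords corpus via k-anonymity range lookup.

Added example. Only the first 5 hex characters of the password's SHA-1 digest
are sent; the 35-character suffix is compared locally against the returned list.
"""
from __future__ import annotations

import hashlib
import urllib.request
from typing import Callable

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 encoded password (the API's hash format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_prefix(digest: str) -> tuple[str, str]:
    """First 5 hex chars go over the wire; the remaining 35 stay on the client."""
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict.

    With padding enabled the server mixes in decoy suffixes with count 0;
    they are parsed but must never be reported as a hit.
    """
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and suffix:
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch: Callable[[str], str]) -> int:
    """Return how many times the password appears in the corpus (0 = not found).

    `fetch` takes the 5-char prefix and returns the raw response body, so the
    network layer can be swapped for an offline stand-in.
    """
    prefix, suffix = split_prefix(sha1_upper(password))
    return parse_range_body(fetch(prefix)).get(suffix, 0)


def fetch_live(prefix: str) -> str:
    """Real lookup against the HIBP range API (not used by the offline demo)."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in. SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its prefix is 5BAA6 and the
# count below is made up for the example.
FAKE_RANGES = {
    "5BAA6": "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",  # suffix of "password"
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0",         # padding decoy
    ]),
}


def fetch_fake(prefix: str) -> str:
    """Offline replacement for fetch_live; unknown prefixes yield an empty body."""
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        n = pwned_count(pw, fetch_fake)
        verdict = f"seen {n} times" if n else "not in the (constructed) corpus"
        print(f"{pw!r}: {verdict}")
```

Swap `fetch_fake` for `fetch_live` to query the real service; a non-zero count means the password is in a public breach dump and should be retired, which is exactly the "unique password for your email account" advice above.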
kuky90: While gog secure your site better ffs. people have credit cards saved here
What is GOG supposed to do, if your password was leaked from some other site where you have used the same password in the past? GOG already prevented the hijackers from taking over your account, with 2FA. Also I presume GOG is using CAPTCHA to prevent brute-force guessing of passwords online.

Not to say there probably aren't existing security vulnerabilities in GOG right now (like there are on lots of other sites too), but not necessarily something related to these verification emails.

And yeah I don't save my credit card info on GOG, or any other sites either for that matter. I have already learned my cc number etc. by heart.


EDIT: Did you say the Brazilian is still able to log in with your password, even though you recently changed it? If that is the case, go check in your GOG settings under "Login and security", if "Authorized sessions" => "Logout all" would help?
Post edited November 20, 2017 by timppu
timppu: EDIT: Did you say the Brazilian is still able to log in with your password, even though you recently changed it? If that is the case, go check in your GOG settings under "Login and security", if "Authorized sessions" => "Logout all" would help?
A list of last log-ins on the account page would be helpful as well.

timppu: Someone mentioned in the reddit discussion that the CDPR forums had a data breach at some point, but I don't recall seeing news about that? Is it merely a rumour? EDIT: Or else it happened so long ago that it isn't relevant anymore...
https://forums.cdprojektred.com/forum/en/the-witcher-series/news-aa/7248610-important-unauthorized-access-to-the-forums%E2%80%99-data

Konrad: *snip*
Someone may want to take a second and review which version of vBulletin they're running the Witcher forums on. Looks like they're running 5.2.5 while vBulletin is up at 5.3.1 now. It's annoying that vBulletin doesn't provide a publicly accessible version history.
Post edited November 20, 2017 by drmike
Konrad: Hey guys
To give you a quick update, we've not detected anything that would seem like a breach of data on our end – but we are aware of the reports and we are monitoring the situation.

As for what you can do, like timppu mentioned drop by https://haveibeenpwned.com to see if your credentials have ever been compromised (keep in mind that list is not all-encompassing, but it's a great pointer).

If you are compromised make sure to change your password. Definitely have a unique password for your email account, and keep 2-step on. As long as you're the only one with access to your email account, 2-step is just about impenetrable.
I got an email from Armor Games the other day saying they had a breach a few years ago and the info now appeared to be publicly available; considering the possible overlap I'd say it would be a likely source of any details...

Not sure if there's anything you can do on your side with that info mind...
drmike: Not having the website save your credit card information would probably be a plus as well.
HunchBluntley: It doesn't. It uses some sort of token system (I don't remember the details), and it only saves that info if you tell it to (AFAIK, a customer can still choose to manually enter the card info every time).
In other words, even if you had your card info "saved" here, the worst that would happen is somebody could buy some GOG games as gift codes to flog on other sites -- and there are limits to the quantity of gift codes one can buy here at one time, as well.
Sorry, I meant in general with any website. Replace the 'the' with 'any'.
Thanks. So apparently that happened before the GOG & CDPR forum merge (meaning pure GOG users were unaffected), and all the affected people were notified by email?

drmike: A list of last log-ins on the account page would be helpful as well.
True, that would be nice. Maybe even log-in attempts (with wrong passwords).
Post edited November 20, 2017 by timppu
drmike: A list of last log-ins on the account page would be helpful as well.
timppu: True, that would be nice. Maybe even log-in attempts (with wrong passwords).
Very much yes, login attempts with at least IP addresses and guessed locations would be very, very useful. Wrong passwords tried would be a neat bonus, allowing us to potentially guess where security breaches are coming from.
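The posts above ask for a per-account history of login attempts with IP addresses and guessed locations. What makes such a history useful is the detection you can run over it: the pattern reported in this thread is a correct password (so a 2-step code gets emailed) arriving from a country the account has never logged in from, sometimes alongside a burst of wrong guesses. The code below is an added example written for this page, not GOG's own code; the log format, the field names, the outcome values and the sample lines are all constructed for the example.

```python
"""Flag suspicious login attempts from a per-account authentication log.

Added example. Baseline = countries seen in completed logins; alerts fire when
a correct password (2FA challenge issued) comes from outside that baseline, or
when wrong-password attempts burst within a short window.
"""
from __future__ import annotations

import csv
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample log, one line per attempt. outcome values (also made up
# for the example): ok = completed login, 2fa_sent = password correct and a
# 2-step code was emailed, bad_password = password rejected.
SAMPLE_LOG = """\
ts,account,ip,country,outcome
2017-11-17T20:01:00,alice,203.0.113.10,FI,ok
2017-11-18T09:12:00,alice,203.0.113.10,FI,ok
2017-11-19T03:40:00,alice,198.51.100.7,BR,2fa_sent
2017-11-19T03:41:00,alice,198.51.100.7,BR,2fa_sent
2017-11-19T10:00:00,bob,192.0.2.5,DE,bad_password
2017-11-19T10:01:00,bob,192.0.2.5,DE,bad_password
2017-11-19T10:02:00,bob,192.0.2.5,DE,bad_password
2017-11-19T12:00:00,bob,192.0.2.44,DE,ok
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    account: str
    ip: str
    country: str
    outcome: str


@dataclass(frozen=True)
class Alert:
    severity: str  # "high", "medium" or "info"
    account: str
    reason: str
    ip: str
    ts: datetime


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the CSV log and return events in chronological order."""
    events = [
        LoginEvent(datetime.fromisoformat(r["ts"]), r["account"], r["ip"], r["country"], r["outcome"])
        for r in csv.DictReader(StringIO(text))
    ]
    return sorted(events, key=lambda e: e.ts)


def detect(events: list[LoginEvent], fail_threshold: int = 3,
           window: timedelta = timedelta(minutes=10)) -> list[Alert]:
    """Walk the events once, maintaining a per-account baseline of countries.

    Only completed logins extend the baseline: a 2FA challenge that is never
    answered must not teach the detector that the attacker's country is normal.
    """
    alerts: list[Alert] = []
    known_countries: dict[str, set[str]] = defaultdict(set)
    recent_failures: dict[str, list[datetime]] = defaultdict(list)

    for e in events:
        seen = known_countries[e.account]
        unfamiliar = bool(seen) and e.country not in seen

        if e.outcome == "2fa_sent" and unfamiliar:
            # Password is correct but the location is new: credential reuse or leak.
            alerts.append(Alert("high", e.account,
                                f"correct password used from unfamiliar country {e.country}",
                                e.ip, e.ts))
        elif e.outcome == "ok" and unfamiliar:
            alerts.append(Alert("info", e.account,
                                f"completed login from new country {e.country}", e.ip, e.ts))

        if e.outcome == "bad_password":
            fails = [t for t in recent_failures[e.account] if e.ts - t <= window]
            fails.append(e.ts)
            recent_failures[e.account] = fails
            if len(fails) == fail_threshold:  # fire once, when the threshold is reached
                alerts.append(Alert("medium", e.account,
                                    f"{fail_threshold} wrong-password attempts within {window}",
                                    e.ip, e.ts))
        elif e.outcome == "ok":
            seen.add(e.country)
            recent_failures[e.account].clear()

    return alerts


def run(log_text: str = SAMPLE_LOG) -> list[Alert]:
    """Parse and analyse a log in one call."""
    return detect(parse_log(log_text))


if __name__ == "__main__":
    for a in run():
        print(f"{a.ts.isoformat()} [{a.severity:6}] {a.account}: {a.reason} (ip {a.ip})")
```

On the sample data this yields two high-severity alerts for alice (the Brazilian IP supplying a correct password twice) and one medium alert for bob's three failed guesses; bob's first completed login from DE only establishes his baseline and raises nothing. Country here comes from a GeoIP-style lookup done upstream, which is the "guessed location" the post asks for, so the field is advisory rather than authoritative.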
Had one e-mail 5 hours ago. Someone tried to log in to my account too. From Egypt. I guess someone found out my password, as a two-step verification code was sent. Contacted GOG support regarding this leak.
Got two mails from the Philippines
Well, a strange thing to report here.

I saw this thread and the reddit thread linked somewhere about the recent foreign-IP login attempts.

I wanted you folks to know of something that is, in a way, reassuring:
I usually never used the 2FA system on GOG so far; when they introduced it, I think it was opt-out at the very start. I disabled it from the start; I reactivated it manually once when I was visiting a friend who lives near another country's border and has internet access through another country's ISP, when I wanted to show him stuff on my GOG account from the laptop I brought with me.

Then, once back home, I disabled it again.

And I see today it's enabled again (so it was an action not from me...). Could GOG possibly have decided to turn it on by default once they suspected some breach of any kind? It is a good reaction, I would think... but I can be wrong (wrong that it was reactivated by GOG, and/or wrong that it can be seen as a good thing).

TL;DR: I usually never use 2FA on GOG... Manually disabled it twice, whenever it was activated by default. Last time I checked it was off, but when I checked today, it is enabled again.