Yesterday morning I received one of those emails you never want to receive:

no-reply@gog.com

"Hi XXX, your e-mail address was changed

This is a confirmation that the email address associated with your GOG.com account XXX (rostilovka88@gmail.com) was successfully changed. Below you will find the details of this operation:
New email address: rostilovka88@gmail.com
Previous email address: xxxx@xxx.xxx
IP Address: 95.81.223.143
OS: Windows 8.1
Browser: Yandex Browser 15.4.2272
Estimated location: Novocheboksarsk, Russia"

Watch out guys there is a security breach somewhere.
Looking for my account back and for a two-step authentication method.
Post edited June 19, 2015 by Ciris
cavaler-2: Yesterday morning I received one of those emails you never want to receive: [...]
Hi!

First off, I'd like to apologise to all who have experienced account hacking on our site over the past couple of days. We're hard at work to make this less of an issue and less likely to happen - but I understand how frustrating it must be to lose access to your games.

Having said that, there's a new measure that will help us pick up on hacked accounts more easily.

If your account e-mail changes, you will get an automated message.

It looks like this and has the new e-mail address, the old one, the IP currently in use (together with estimated location), and the OS and browser of the current user.

If you get such a message and it wasn't you who changed the email address, contact us.

Use the link at the end of the message ("contact our support team") to let us know it happened. You'll be redirected to our contact form - here's an example of how to fill that in.

We do our best to get back to hacked account emails as soon as possible, and to change the e-mail addresses as quickly as we can and restore the fully functional accounts to their rightful users.

IMPORTANT:

1) When contacting us regarding a hacked account, you must replace the e-mail address with one you have access to - otherwise, our reply will end up at the hacker's e-mail address, which you have no control over or access to.

2) Please do not send multiple requests to support - if you do, your request is pushed to the back of the queue again. If you feel the need to add more details to your support request without getting bumped back, you can do so by replying to the automated support reply you will get with your Ticket ID.

3) As soon as you get access to your account back, please change your password. It may be a simple thing, but please don't forget. It will mean the hacker has once more lost access to your account for sure.

[edit]: bumped this to be the 2nd reply in the topic so it's easier to find for others with a similar problem, re-bumped the original post to the top to remain above the reply.
Post edited June 19, 2015 by Ciris
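The measure described in this post, as an added example that is not GOG's code and not part of the original thread: on an e-mail change the service notifies the previous address (the new one may already belong to the hijacker, which is also why point 1 above tells victims to give support a different, reachable address), includes the IP, estimated location, OS and browser of the requester, and flags changes that do not fit the account's login history. The event format, the GeoIP lookup table, the User-Agent parser and the login history are assumptions made for this example; the sample event and the new address are constructed (the IP and location are the ones quoted in the original post).

```javascript
// Added example, not GOG's code. Event shape, GEO table, UA parser and history
// format are assumptions; sample data is constructed.

// Stand-in for a GeoIP lookup. The first entry reuses the IP and location from
// the original post; the second is a documentation-range (TEST-NET-3) address.
const GEO = {
  "95.81.223.143": { city: "Novocheboksarsk", country: "RU" },
  "203.0.113.7": { city: "Lyon", country: "FR" },
};

const OS_RULES = [
  [/Windows NT 10\.0/, "Windows 10"],
  [/Windows NT 6\.3/, "Windows 8.1"],
  [/Windows NT 6\.1/, "Windows 7"],
  [/Mac OS X/, "macOS"],
  [/Android/, "Android"],
  [/Linux/, "Linux"],
];
// Order matters: Chromium-based browsers also advertise "Chrome/...".
const BROWSER_RULES = [
  [/YaBrowser\/(\d+\.\d+\.\d+)/, "Yandex Browser"],
  [/OPR\/(\d+\.\d+\.\d+)/, "Opera"],
  [/Firefox\/(\d+\.\d+)/, "Firefox"],
  [/Chrome\/(\d+\.\d+\.\d+)/, "Chrome"],
  [/Version\/(\d+\.\d+).*Safari/, "Safari"],
];

// Minimal User-Agent parser, enough to produce the "OS" and "Browser" lines.
function parseUserAgent(ua) {
  const os = (OS_RULES.find(([re]) => re.test(ua)) || [null, "unknown"])[1];
  let browser = "unknown";
  for (const [re, name] of BROWSER_RULES) {
    const m = re.exec(ua);
    if (m) { browser = `${name} ${m[1]}`; break; }
  }
  return { os, browser };
}

// Builds the notification. It is addressed to the PREVIOUS address on purpose:
// after a hijack the new address is the attacker's.
function buildChangeNotice(event) {
  const geo = GEO[event.ip] || { city: "unknown", country: "unknown" };
  const { os, browser } = parseUserAgent(event.userAgent);
  const lines = [
    `Hi ${event.username}, your e-mail address was changed`,
    `New email address: ${event.newEmail}`,
    `Previous email address: ${event.previousEmail}`,
    `IP Address: ${event.ip}`,
    `OS: ${os}`,
    `Browser: ${browser}`,
    `Estimated location: ${geo.city}, ${geo.country}`,
  ];
  return { to: event.previousEmail, country: geo.country, body: lines.join("\n") };
}

// Takeover heuristics against the account's recent login history, assumed to
// be a list of {ip, country} records kept by the service. Returns the reasons
// the change looks suspicious (empty list = nothing unusual).
function changeLooksSuspicious(event, history) {
  const geo = GEO[event.ip];
  const reasons = [];
  if (!history.some((h) => h.ip === event.ip)) reasons.push("ip never seen on this account");
  if (geo && !history.some((h) => h.country === geo.country)) reasons.push(`first activity from ${geo.country}`);
  return reasons;
}

// Constructed sample: an account that only ever logged in from France.
const HISTORY = [
  { ip: "203.0.113.7", country: "FR" },
  { ip: "203.0.113.7", country: "FR" },
];
const EVENT = {
  username: "XXX",
  previousEmail: "xxxx@xxx.xxx",
  newEmail: "new.owner@example.com", // constructed, not the address from the post
  ip: "95.81.223.143",
  // Constructed UA string in the shape Yandex Browser 15.4 on Windows 8.1 would send.
  userAgent: "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 YaBrowser/15.4.2272.3909 Safari/537.36",
};

console.log(buildChangeNotice(EVENT).body);
console.log("suspicious:", changeLooksSuspicious(EVENT, HISTORY));
```

The heuristics only flag a change for a human to look at; they do not block it. The one design point worth keeping even if everything else is changed is the `to:` field: a notice that goes to the new address tells the account's rightful owner nothing.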
cogadh: You aren't going to lose any of your games ... nothing is at risk.
Well, any unredeemed gift codes can be easily redeemed by the hijacker ...
Post edited June 19, 2015 by mobutu
Firebrand9: Because the javascript is exposed and you can view exactly what it's doing. Not to mention, how will they know which site the password may be associated with. You know, basic critical thinking.
That's very wrong. You have no clue what it can be doing on the server side, unless you analyzed that whole JavaScript and made sure no requests to the server are made. And as I said, if there are, you are sending your password in clear text (no encryption), so anyone along the way to the server can see it. I don't think you want that.

There are whole databases of various passwords which suck in all kinds of stuff for brute-forcing. So use good judgement on how to avoid such pitfalls.
Post edited June 19, 2015 by shmerl
Firebrand9: Because the javascript is exposed and you can view exactly what it's doing. Not to mention, how will they know which site the password may be associated with. You know, basic critical thinking.
shmerl: That's very wrong. You have no clue what it can be doing on the server side. And I said, you are sending your password in clear text (no encryption). So anyone along the way to the server can see it. I don't think you want that.
I haven't looked at the site, but if it's all done in JavaScript, nothing is sent to the server (again, looking at the JavaScript will confirm whether or not this is true; that does, however, require some knowledge of JavaScript, which likely only a minority of the people using the site has).
Post edited June 19, 2015 by Maighstir
cogadh: You aren't going to lose any of your games ... nothing is at risk.
mobutu: Well, any unredeemed gift codes can be redeemed easily by the hijacker ...
GOG can just revert those codes. If a hijacker takes over an account with pending gift codes, then they only have a few options: redeem the codes on that stolen account, redeem them with a second account they own, or give them away/sell them to some other user. Either way, GOG can see who had the codes and who redeemed them, then revoke/fix them as needed. Still nothing at all at risk.
shmerl: That's very wrong. You have no clue what it can be doing on the server side. And I said, you are sending your password in clear text (no encryption). So anyone along the way to the server can see it. I don't think you want that.
No it's not. I did web development for years. It's called follow the source.

Even assuming (engaging this conspiracy theory) they have a background process storing it, how will they know which site it's associated with? That alone renders your argument invalid (post hoc fallacy).
shmerl: That's very wrong. You have no clue what it can be doing on the server side. And I said, you are sending your password in clear text (no encryption). So anyone along the way to the server can see it. I don't think you want that.
Maighstir: I haven't looked at the site, but if it's all done in JavaScript, nothing is sent to the server (again, looking at the JavaScript will confirm whether or not this is true; that does, however, require enough knowledge of JavaScript, which likely only a minority of the people using the site has).
Yes, it can be doing it all on the client side, but without good audit, I wouldn't trust any such thing. And why should I spend time on this if I can get an isolated password manager?
shmerl: That's very wrong. You have no clue what it can be doing on the server side. And I said, you are sending your password in clear text (no encryption). So anyone along the way to the server can see it. I don't think you want that.
Firebrand9: No it's not. I did web development for years. It's called follow the source.
You recommend non-technical users to follow the source every time such a question arises? Good luck with that. They should use better practices. And that means not using sites for such a purpose.
Post edited June 19, 2015 by shmerl
shmerl: There are whole databases of various passwords which suck in all kinds of stuff for brute-forcing. So use good judgement on how to avoid such pitfalls.
Brute force dictionaries are VERY different from a > 85% strength password generated from this site. You're conflating issues.
Maighstir: I haven't looked at the site, but if it's all done in JavaScript, nothing is sent to the server (again, looking at the JavaScript will confirm whether or not this is true; that does, however, require enough knowledge of JavaScript, which likely only a minority of the people using the site has).
shmerl: Yes, it can be doing it all on the client side, but without good audit, I wouldn't trust any such thing. And why should I spend time on this if I can get an isolated password manager?
Agreed. Personally, I use Keepass.
Firebrand9: Brute force dictionaries are VERY different from a > 85% strength password generated from this site. You're conflating issues.
It doesn't matter. Sending your password as clear text should be a no go. Period.
Post edited June 19, 2015 by shmerl
shmerl: You recommend non-technical users to follow the source every time such a question arises? Good luck with that. They should use better practices. And that means not using sites for such a purpose.
I recommend anyone capable of doing that. Such as myself. And you still seem to be missing some fundamental points on how any information would end up useful.

You don't want to use it? I don't give a shit. It's your account. But I've used it with extreme success for years. So there's at least one example of a counterpoint. Stop trying to act like your rampant paranoia applies to everyone. Not everyone is completely incapable of judging the risk with accuracy.
Post edited June 19, 2015 by Firebrand9
Firebrand9: You don't want to use it? I don't give a shit. It's your account. But I've used it with extreme success for years. So there's at least one example of a counterpoint. Stop trying to act like your rampant paranoia applies to everyone. Not everyone is completely incapable of judging the risk with accuracy.
You can audit it yourself? Good for you. Don't spread ill advice for others however, as if it's a good security practice. It is not.
Post edited June 19, 2015 by shmerl
shmerl: It doesn't matter. Sending your password as clear text should be a no go. Period.
So now you're arguing that information essential to the point "doesn't matter"? Jesus christ...
shmerl: It doesn't matter. Sending your password as clear text should be a no go. Period.
Firebrand9: So now you're arguing that information essential to the point "doesn't matter"? Jesus christ...
Dude, it seems you have no clue about security. Just stop giving bad advice to people (like sending passwords without encryption anywhere).
shmerl: Yes, it can be doing it all on the client side, but without good audit, I wouldn't trust any such thing. And why should I spend time on this if I can get an isolated password manager?
Maighstir: Agreed. Personally, I use Keepass.
I just stumbled on this article: https://www.cs.ox.ac.uk/files/6487/pwvault.pdf

Which made me think about how good Keepass / KeepassX actually is.
Post edited June 19, 2015 by shmerl
shmerl: You provide bad recommendation for non technical users. You might be able to audit such solutions, they can't. So don't spread bad advice.
Do you understand what irony means? I don't think you do.

You've completely glossed over essential points rendering a number of logical fallacies. Let's go through it slowly :
- The source is exposed and in JavaScript which has no storage capability.
- The source has been evaluated by a number of people, myself included.
- The site has no information with which to associate anything typed in to anything as completely arbitrary as a random site. It's akin to finding a key on the ground and hoping you can use it to break into a specific building. In other words, astronomical odds. Buy lottery tickets. You're more likely to succeed there.
- Even in the remote event a background process is storing it for some dictionary, the above renders it useless

In short : Use your brain.

shmerl: Dude, it seems you have no clue about security. Just stop giving bad advice to people (like sending passwords without encryption anywhere).
More irony, lovely. Well, I only worked in IT for 20 years, but your limited judgment must supersede that. I've also used this site for years too with no issues, so, right, I must not understand your enlightened view.
Post edited June 19, 2015 by Firebrand9
Firebrand9: Do you understand what irony means? I don't think you do.
Just stop this nonsense. If you don't get it, then learn a bit about MITM or any other kind of impersonation, and then think twice about sending passwords in clear text anywhere. Anyone can harvest it this way by faking that site, for instance using some DNS hijacking or whatnot. And then your elaborate audit of that JavaScript will be totally worthless. Don't tell me you do it every time you open that site. Or do you? Or maybe you advise non-technical users to do it every time they open that site? Riiight...

Firebrand9: Well, I only worked in IT for 20 years
Too bad for you, if you didn't learn some basic things about passwords and encryption. Your mistakes are yours, but I'll repeat - don't make others do them because of the ill advice.
Post edited June 19, 2015 by shmerl