I woke up this morning to check my email, to see that on September 29th GOG sent me an email regarding a password change (I did not request a password change).

If it wasn't for my 2FA authentication I would've lost my GOG account, and I'm deeply worried they have my password, or my credit card details. I've tried to look deeper into my email and cannot find any new login attempts. So someone has already hijacked my account, and tried to change my password. I changed my pass and tried logging everyone out.

Still this doesn't change the fact that someone actually got my password and got into my account, and I'm worried this may happen again.
TacoBiscuit: Still this doesn't change the fact that someone actually got my password and got into my account, and I'm worried this may happen again.
First thing you need to do is make sure your e-mail account is secure, i.e., change password, keep it unique and never re-use passwords across sites, because the first thing scammers do upon obtaining an e-mail address / username and password leaked from one site is try all the known major stores (Amazon, eBay, Steam, etc.) with the same details hoping to get lucky. Definitely keep 2FA enabled.

Secondly, if you don't keep receipts of your games, then it's worth going into Username -> Orders & Settings -> click the down arrow -> View Receipt on a few games (including the newest and oldest ones you bought) and save / "print" a few of them to PDF file, and back them up with your personal data. Not just for GOG but other sites with accounts. That way if you do ever get hacked and contact support, you'll have some tangible proof of purchase, previous order numbers, dates of orders, etc, (that no-one else but the buyer should know) that you can e-mail support as proof that you are the genuine account holder to often make the account recovery process a lot faster. If you use Paypal, save a few Paypal PDF receipts of the same games as the GOG order ID is also on the Paypal receipt. The more you can give them, the more overwhelmingly obvious it looks like you're the genuine account holder. Most people tend not to think about this stuff until after they've been hacked, so it's worth downloading some proof of purchases for every account anyway just as a precaution.
AB2012: First thing you need to do is make sure your e-mail account is secure
Useful tool (for EVERYBODY) regarding that.
https://haveibeenpwned.com/
Use haveibeenpwned to see if your email has been part of a breach or leak. Follow their security suggestions too if it has.
Post edited October 01, 2021 by Sachys
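An added example, not code from this thread or from GOG or haveibeenpwned, showing how the Pwned Passwords check recommended above works: the client sends only the first five characters of the password's SHA-1 hash and receives every matching suffix with a breach count (k-anonymity), so the password itself never leaves your machine. The range response below is constructed sample data, not a real API reply.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample of what the Pwned Passwords "range" endpoint returns for
# one 5-character SHA-1 prefix: "SUFFIX:COUNT" lines. Real counts differ; the
# endpoint is https://api.pwnedpasswords.com/range/{prefix}. With the
# "Add-Padding: true" request header the service adds decoy lines with count 0.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"  # SHA-1("password") suffix
        + "0" * 34 + "1:2\r\n"                              # unrelated hash (constructed)
        + "F" * 35 + ":0\r\n"                               # padding entry, not a real hit
    ),
}


def split_sha1(password: str) -> Tuple[str, str]:
    """Hash the password with SHA-1 and split it into the 5-char prefix that is
    sent to the service and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines into a dict, dropping count-0 padding."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit() and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def offline_range(prefix: str) -> str:
    """Stand-in for the HTTP call: answers from the constructed sample only."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def pwned_count(password: str, fetch_range: Callable[[str], str] = offline_range) -> int:
    """How many times the password appears in the breach corpus (0 = not seen).
    Only the prefix is sent; the service never learns the full hash or password."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(f"{candidate!r}: seen {pwned_count(candidate)} times")
```

To query the live service, pass a `fetch_range` that performs the HTTP GET for the prefix and returns the response body; everything else stays the same.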
TacoBiscuit: I woke up this morning to check my email, to see that on September 29th GOG sent me an email regarding a password change (I did not request a password change).
What exactly did that email say, and from whom was it?

If it was a "Password Reset Link" message from "no-reply@email.gog.com", then it doesn't mean someone was able to log into your GOG account, but someone simply clicked on the "reset password" link in the gog.com login screen, using your GOG login email address.

It doesn't mean they were able to log into your account, they merely triggered an email reset process. If someone had been able to log into your GOG account maliciously, I presume they would have tried to change the email address first, not the password.

However, if someone has been able to change your password, do you recall logging into your GOG account from some public PC which has other users too, and you possibly didn't log out of your GOG account on that PC/browser?

Also, are you using Galaxy? I don't know if it brings some additional, potential, security issues where others could log into your account.
Post edited October 01, 2021 by timppu
AB2012: First thing you need to do is make sure your e-mail account is secure
Sachys: Useful tool (for EVERYBODY) regarding that.
https://haveibeenpwned.com/
Sachys: Use haveibeenpwned to see if your email has been part of a breach or leak. Follow their security suggestions too if it has.
I just did the 'haveibeenpwned' thing and it found 4 data breaches and 1 paste.

I did change my Gmail pass recently (like 3-4 months ago) so it should be safe.
"I did change my Gmail pass recently (like 3-4 months ago) so it should be safe."

No, that's about how often it's recommended that you change your password *without* a breach. If your email is listed on "haveibeenpwned" you should change it again, immediately. (And as already stated, if you don't have 2FA, consider enabling it.)
TacoBiscuit: I woke up this morning to check my email, to see that on September 29th GOG sent me an email regarding a password change (I did not request a password change).
timppu: What exactly did that email say, and from whom was it?

If it was a "Password Reset Link" message from "no-reply@email.gog.com", then it doesn't mean someone was able to log into your GOG account, but someone simply clicked on the "reset password" link in the gog.com login screen, using your GOG login email address.

It doesn't mean they were able to log into your account, they merely triggered an email reset process. If someone had been able to log into your GOG account maliciously, I presume they would have tried to change the email address first, not the password.

However, if someone has been able to change your password, do you recall logging into your GOG account from some public PC which has other users too, and you possibly didn't log out of your GOG account on that PC/browser?

Also, are you using Galaxy? I don't know if it brings some additional, potential, security issues where others could log into your account.
It was from GOG team.

"Hi TacoBiscuit, do you want to reset your password?
Someone requested to reset your GOG.com account password. If it wasn't you, please ignore this e-mail and no changes will be made to your account. However, if you have requested to reset your password, please click the link below. You will be redirected to the GOG.com password reset form. "

You may be right, I didn't think that they could just click the "forgot password" button on the login page. If that's the case, it's not a *huge* deal.

No, I don't use public PCs nor do I use Galaxy.
Also, you may want to consider a physical authentication token, such as a "Yubikey", and add it to your physical keyring. In the meantime, one of those 3rd party password managers may be worth considering (some are free).

Failing that, if you've been using the same password across accounts because you don't think you can remember them all (understandable), consider using a cypher so you can likely guess the password you used for each site. It's not the best solution, but it's better than using the same one everywhere.
Post edited October 01, 2021 by Heckler
TacoBiscuit: It was from GOG team.

"Hi TacoBiscuit, do you want to reset your password?
Yep, that is "merely" the email you get when you don't know the password, and you click on the "reset password" link in the gog.com login screen.

So someone "knew" (or guessed) that there is a GOG user with your email address, and used that link to send the reset password email to you. Not sure why someone would do that; maybe to mass-test lots of different email addresses to see whether there is possibly a GOG account linked to them. Then again, I don't think GOG reveals even that, whether there is such an account or not...

Anyway, certainly keep your email password secure (and don't reuse your email password on other online service, e.g. your GOG or Steam account). That is the one you don't want to lose. If possible, enable 2FA on your email account too (not just your GOG account).
Post edited October 01, 2021 by timppu
Sachys: Use haveibeenpwned to see if your email has been part of a breach or leak. Follow their security suggestions too if it has.
Isn't this a great way to collect emails with a great chance that they are real? No need to sort them out or to send mailings that come back as "unknown address".
Lists like that sell at a high price.
Sachys: Use haveibeenpwned to see if your email has been part of a breach or leak. Follow their security suggestions too if it has.
forkakova: Isn't this a great way to collect emails with a great chance that they are real? No need to sort them out or to send mailings that come back as "unknown address".
Lists like that sell at a high price.
Um, no... maybe you should look into who is running it / the site's blog etc. before spouting shite.
timppu: So someone "knew" (or guessed) that there is a GOG user with your email address, and used that link to send the reset password email to you. Not sure why someone would do that; maybe to mass-test lots of different email addresses to see whether there is possibly a GOG account linked to them. Then again, I don't think GOG reveals even that, whether there is such an account or not...
They've had 4 breaches listed on haveibeenpwned, so they were in a list and that's why somebody tried it. Could be they tried hundreds in one sitting and will be coming back shortly to try and reset all those passwords one by one.
TacoBiscuit: I just did the 'haveibeenpwned' thing and it found 4 data breaches and 1 paste.

I did change my Gmail pass recently (like 3-4 months ago) so it should be safe.
Change it anyway, to BE safe. Can't be sure there hasn't been a breach in the meantime.
Post edited October 01, 2021 by Sachys
Sachys: before spouting shite.
Oh sure! With such words no one can argue anything...
timppu: If it was a "Password Reset Link" message from "no-reply@email.gog.com", then it doesn't mean someone was able to log into your GOG account, but someone simply clicked on the "reset password" link in the gog.com login screen, using your GOG login email address...
This certainly seems the most likely cause - especially if TacoBiscuit has an "easy to guess" email address or it is used across multiple sites (in particular, sites not requiring HTTPS for their login and forums that expose your email address).

A good solution for this is to use email "aliases" since that allows you to supply a different email address to each website you deal with (if possible, include the website name within the alias, so if you start receiving spam, you can easily identify who is responsible - such as CDProjekt's breach which still accounts for 90% of the, admittedly rare, spam I receive - edit: CDProjekt also had a more recent breach too - oh dear). Some providers like Gmail may offer this as a feature, plus there are specialised email alias services - I'd recommend SpamGourmet which I've used for over a decade.

To be on the safe side, consider running a couple of offline scanners on your system, just to verify you have nothing unpleasant on board.
Post edited October 01, 2021 by AstralWanderer
forkakova: Isn't this a great way to collect emails with a great chance that they are real? No need to sort them out or to send mailings that come back as "unknown address".
Lists like that sell at a high price.
Sachys: Um, no... maybe you should look into who is running it / the site's blog etc. before spouting shite.
timppu: So someone "knew" (or guessed) that there is a GOG user with your email address, and used that link to send the reset password email to you. Not sure why someone would do that; maybe to mass-test lots of different email addresses to see whether there is possibly a GOG account linked to them. Then again, I don't think GOG reveals even that, whether there is such an account or not...
Sachys: They've had 4 breaches listed on haveibeenpwned, so they were in a list and that's why somebody tried it. Could be they tried hundreds in one sitting and will be coming back shortly to try and reset all those passwords one by one.
TacoBiscuit: I just did the 'haveibeenpwned' thing and it found 4 data breaches and 1 paste.

I did change my Gmail pass recently (like 3-4 months ago) so it should be safe.
Sachys: Change it anyway, to BE safe. Can't be sure there hasn't been a breach in the meantime.
I just changed every password on all my important stuff just now.
TacoBiscuit: I just changed every password on all my important stuff just now.
worth doing just to be sure.