Posted September 01, 2022
My wife logged in to my account on her tablet, which has NEVER ACCESSED THIS SITE BEFORE. And 2FA was not required. What kind of bubblegum and duct tape security are you running here, GOG?
Syphon72
GOG personal fanatic cult leader
Registered: Sep 2011
From United States
My wife logged in to my account on her tablet, which has NEVER ACCESSED THIS SITE BEFORE. And 2FA was not required. What kind of bubblegum and duct tape security are you running here, GOG?
tag+
.
Registered: Dec 2017
From Other
Posted September 01, 2022
May I ask fronzelneekburm? If yes,
-What was the GOGs answer given?
-Did it include a root cause and fix, ...or at least a promise?
-Did you try to contact Xiaozhuzi? Something you could feel comfortable to publicly share from that? Like joined forces, expressed frustration, complain, demand a serious GOG investigation...
-Do you remember how many games Xiaozhuzi had the day of the incident? Right now the profile is public and says 281. Not a insignificant number in my book... and the number may be an easy-dumb indicator of Xiaozhuzi purchasing activity since then...
Anyway, Thanks for the reminder!!
Time to me to evaluate:
-Lenght of sessions
-Avatar removal
-Username change
-Split my purchases (stop buying from this account, but from a new one instead)
-Old posts deletion
-Keep participating on the forum
Yeah, I am not a whale owning the latest & greatest full GOG vgames collection ever seen,
but a ridiculous number instead...
But hey! When you are aware of such precarious service, you definitely need to adjust to it
Glad we are talking about a voluntary relationship (me deciding to purchase on GOG)
Damn Hell when is a mandatory/forced relation you don't have the slightlest opinion lesser the chance to adjust or bail out...
Definitely alerts rang here and trust me, won't be forgotten
fronzelneekburm
Gazes into the abyss . . . and laughs!
Registered: Apr 2012
From China, People's Republic of
Posted September 01, 2022
You may, but in all honesty, you'll find the answer to most of these questions in the corresponding thread. As you can see, this was some time ago and my memory is hazy on the details, so I honestly recommend reading the thread instead. I'll link you to the relevant bits.
This was their initial reply, which was shocking, to say the least.
They eventually DID get in touch with me and implemented some sort of band aid solution (at least I didn't get accidentally logged into someone else's account since then), but they never got into the nitty gritty of what actually CAUSED this little mishap.
Here's a quote from the relevant mail I got from gog support on July 4th (roughly a month after I had first reported the issue):
"Just wanted to let you know that a fix has been implemented. We’re still monitoring the situation but we
haven’t received any new reports of the issue"
Please also note this post from roughly a month later. So, they implemented some crappy band aid solution, which did, however, work well enough that it never happened to me again. But the thing paladin181 describes (logged into an account from a tablet despite never having logged into that account from this tablet - DESPITE 2FA) sounds EXACTLY like what happened to me a couple of years ago.
I'm afraid I didn't, I probably should have. Firstly, I had no idea what to write to the guy without coming across as a scammer or a blackmailer ("Yo, dude, I got like, logged into your account or something!"). Just a very awkward situation and I was banking on gog contacting the guy. In fact, at the time I probably felt that it was gog's obligation to do so, I felt had already done my part by informing the community at large via the forum thread.
Can't really remember, but it was probably enough for gog to realize that the account wasn't some alt I made for cheap laughs.
This was their initial reply, which was shocking, to say the least.
They eventually DID get in touch with me and implemented some sort of band aid solution (at least I didn't get accidentally logged into someone else's account since then), but they never got into the nitty gritty of what actually CAUSED this little mishap.
Here's a quote from the relevant mail I got from gog support on July 4th (roughly a month after I had first reported the issue):
"Just wanted to let you know that a fix has been implemented. We’re still monitoring the situation but we
haven’t received any new reports of the issue"
Please also note this post from roughly a month later. So, they implemented some crappy band aid solution, which did, however, work well enough that it never happened to me again. But the thing paladin181 describes (logged into an account from a tablet despite never having logged into that account from this tablet - DESPITE 2FA) sounds EXACTLY like what happened to me a couple of years ago.
I'm afraid I didn't, I probably should have. Firstly, I had no idea what to write to the guy without coming across as a scammer or a blackmailer ("Yo, dude, I got like, logged into your account or something!"). Just a very awkward situation and I was banking on gog contacting the guy. In fact, at the time I probably felt that it was gog's obligation to do so, I felt had already done my part by informing the community at large via the forum thread.
Can't really remember, but it was probably enough for gog to realize that the account wasn't some alt I made for cheap laughs.
tag+
.
Registered: Dec 2017
From Other
Posted September 02, 2022
They eventually DID get in touch with me and implemented some sort of band aid solution (at least I didn't get accidentally logged into someone else's account since then), but they never got into the nitty gritty of what actually CAUSED this little mishap.
"Just wanted to let you know that a fix has been implemented. We’re still monitoring the situation but we
haven’t received any new reports of the issue"
Please also note this post from roughly a month later. So, they implemented some crappy band aid solution, which did, however, work well enough that it never happened to me again. But the thing paladin181 describes (logged into an account from a tablet despite never having logged into that account from this tablet - DESPITE 2FA) sounds EXACTLY like what happened to me a couple of years ago.
Let me tell you one personal reason to take you serious and be curious:
Once upon a time my veteran email account on a big boy free provider started receiving emails from a stranger: an individual without a Kreitsi annd hebideent spam source, my email address totally correct, containing coherent information (work stuff) and directed to this XY person
-Meh, wrong address folk!: A rule to the junk folder and never read those emails! (by security & legal reasons)
Was my initial reaction
The problem was when big boy companies (phone, vendors) also began sending emails to XY to my inbox...
-Whatta!... The spam folder was not a solution anymore, Agree?
My email provider wasn't guilty nor responsible either...
And this XY seemed unaware of the problem either (missing all those emails)
So an executive decision, yet effective was needed... from me
I had to lift my selfban and skim some emails from the phone company to find out the number of XY
After a couple of -international long distance- call attempts, someone finally answered...
and out of luck wasn't XY...
Language/cultural barriers -maybe- whoever I explained the urgency/situation did not get it so I desisted
Next: I replied to those clueless senders asking them to stop emailing XY to my email because was futile.
Yeah, some bullheaded needed calls to some managers to tell a human to stop emailing me under their own entire responsibility of disclosing/risking private XY info by their lack of action
Fortunately, after all my time & energy wasted on it, the volume reduced and I moved to another provider!
What I'll never know if the damn XY ever realized the situation and why the fck my email got involved.
While you had the opportunity with the affected person :)
Maybe we could start a club (org?!)...
Cases like that, first hand experienced, force us big time to approach things differently
Because the spectators, comfortably sit, lightly discard/tag the whole situation to sleep carefree
By the way, I understood OP complains because his wife did not get the 2FA, not that she was loged in automatically without a password. But paladin181 can clarify it
Many thanks for sharing with all it involves fronzelneekburm!
Now, lets tell some jokes about 2FA to sleep carefree as well... :)
paladin181
Ghost of GOG, writing wrongs at every turn
Registered: Nov 2012
From United States
Posted September 02, 2022
Many thanks for sharing with all it involves fronzelneekburm!
Now, lets tell some jokes about 2FA to sleep carefree as well... :)
Timboli
Sharpest Tool On Shelf
Registered: May 2017
From Australia
Posted September 02, 2022
OP - Is your VPN ever on when you visit GOG?
If so, then GOG's detection might be slightly confused, especially if they are using some kind of algorithm to check things, and getting multiple locations for your login.
That said, weird shit happens at GOG from time to time. For instance, when on GOG's main page, I have sometimes been taken to a game page, when I know I never left clicked my mouse button. Which is a huge frustration in itself, as I then have to reload the whole bloatware main page again.
And then during big sales, I find pages and all the bloatware scripting in them sometimes don't get processed properly.
If so, then GOG's detection might be slightly confused, especially if they are using some kind of algorithm to check things, and getting multiple locations for your login.
That said, weird shit happens at GOG from time to time. For instance, when on GOG's main page, I have sometimes been taken to a game page, when I know I never left clicked my mouse button. Which is a huge frustration in itself, as I then have to reload the whole bloatware main page again.
And then during big sales, I find pages and all the bloatware scripting in them sometimes don't get processed properly.
Post edited September 02, 2022 by Timboli