PenguinJim: Edit: how am I still a "new user"!? EIGHT YEARS we've been together, Goggy! EIGHT YEARS!!!!
And you'll keep being a new user until the day YOU edit your "title" in the forum settings.
joppo: And you'll keep being a new user until the day YOU edit your "title" in the forum settings.
I never edited mine, it was given to me for providing outstanding hairdressing services to the GoG community.
I got another 7-8 unauthorised login attempts again, all from Russia
Time to change my password, didn't after the first.
cw8: I got another 7-8 unauthorised login attempts again, all from Russia
Time to change my password, didn't after the first.
Dude's persistent as heck.
You might want to change a couple other of your passwords too. It's possible this fellow figured it out because he realized it was the same as some other password you have. I mean, he has to know your email somehow.
cw8: I got another 7-8 unauthorised login attempts again, all from Russia
Time to change my password, didn't after the first.
zeogold: Dude's persistent as heck.
You might want to change a couple other of your passwords too. It's possible this fellow figured it out because he realized it was the same as some other password you have. I mean, he has to know your email somehow.
Email's of a different password hah
How do they get the passwords? Keyloggers?
cw8: How do they get the passwords? Keyloggers?
That's what I'm saying.
Do you use your password here for ANYWHERE else, besides your email? Wherever that is may have been hacked already as well and you might want to check it.
zeogold: That's what I'm saying.
Do you use your password here for ANYWHERE else, besides your email? Wherever that is may have been hacked already as well and you might want to check it.
Actually to log on, he needs to have your email first, not access to it, but the email which is registered with GOG, otherwise he can not log in as you.

Don't forget (at least for me), it is not asking for username, but for your email when logging in.
zeogold: That's what I'm saying.
Do you use your password here for ANYWHERE else, besides your email? Wherever that is may have been hacked already as well and you might want to check it.
Goodaltgamer: Actually to log on, he needs to have your email first, not access to it, but the email which is registered with GOG, otherwise he can not log in as you.

Don't forget (at least for me), it is not asking for username, but for your email when logging in.
That's what I meant, I just wasn't clear with my words. Not that he can actually access Not-So-Superior Sam Avatar's email, but that he knows what his email is, which is still kind of worrying.
zeogold: That's what I meant, I just wasn't clear with my words. Not that he can actually access Not-So-Superior Sam Avatar's email, but that he knows what his email is, which is still kind of worrying.
Yep, two points of contact which can be attacked. GOG as well as his email.
PenguinJim: Although ironically, if we had to say which Star Trek series ME was, it would be Star Trek: Enterprise.

Edit: how am I still a "new user"!? EIGHT YEARS we've been together, Goggy! EIGHT YEARS!!!!
LOL, how did you go for 8 years without editing your forum settings? 8 years!!!!!1!1!!one!!1 LOL
PenguinJim: Although ironically, if we had to say which Star Trek series ME was, it would be Star Trek: Enterprise.

Edit: how am I still a "new user"!? EIGHT YEARS we've been together, Goggy! EIGHT YEARS!!!!
skeletonbow: LOL, how did you go for 8 years without editing your forum settings? 8 years!!!!!1!1!!one!!1 LOL
Those Insomnia sales have a tendency to make you forget things.
For example, the fact that you ran out of money approximately 20 minutes ago.
zeogold: Those Insomnia sales have a tendency to make you forget things.
For example, the fact that you ran out of money approximately 20 minutes ago.
I can vouch for that. :)
PenguinJim: Edit: how am I still a "new user"!? EIGHT YEARS we've been together, Goggy! EIGHT YEARS!!!!
joppo: And you'll keep being a new user until the day YOU edit your "title" in the forum settings.
I knew that.

...I was testing you.

You passed, well done!
I just sent support a suggestion to raise GOG's security in a way that hinders these hackers while trying not to be too inconvenient to actual users. Text is as follows:

Due to the recent wave of hacking attempts, I was wondering about GOG's security and the possibility of strengthening it further. I got the idea of combining the current saved CC checks and the 2FA. In other words, not allowing the quick payment mode to be used on a device it was never validated to use. At the present time once a hacker is in my account they're able to buy keys with the credit card I saved for my convenience and my suggestion would prevent that.

This feature, once rolled in, would also have the benefit of being an extra reason to adopt both the 2FA and the Quick purchase features.

I also thought about the other way these hackers are supposedly using the accounts they break into, i.e. using stolen credit cards. Maybe you could put an extra authentication there too, although it would come with a small hassle for us users.

My idea is that every card (or rather, the last 4 numbers which is all you're allowed to store) a normal user makes purchases with should be validated to their account by email. "You want to use a new card for the first time? Sure, just input those numbers we're sending to your mailbox." It would be a one time inconvenience to us, but it would make stolen cards pretty much useless on GOG.

A few legitimate users probably would complain about being annoyed by this because they change cards somewhat often. To prevent this you could make it an optional feature too... and one which can only be disabled by inputting a code sent to the user's email (otherwise a hacker would just change this setting before using the stolen cards).

Unfortunately there's no escaping the tradeoff between convenience and security, but I think my suggestions raise the security nicely without lowering the convenience that much.

Opinions and criticism are welcome.

joppo: And you'll keep being a new user until the day YOU edit your "title" in the forum settings.
PenguinJim: I knew that.

...I was testing you.

You passed, well done!
Not much of a test. I spent the last 5 years poking around like an annoying hyperactive brat.
Post edited September 27, 2016 by joppo
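
The two checks joppo proposes above, sketched as an added example (not part of the thread and not GOG's code). The `Account` class, the action strings and the 10-minute code lifetime are assumptions made for illustration; a real site would e-mail the code instead of returning it.

```python
import hmac
import secrets
import time

CODE_TTL = 600  # seconds a mailed code stays valid (assumed value)


class Account:
    def __init__(self):
        self.validated_cards = set()    # last-4 digits confirmed by e-mail
        self.validated_devices = set()  # devices confirmed through 2FA
        self.card_check_enabled = True
        self._pending = {}              # action -> (code, expiry)

    def request_code(self, action, now=None):
        """Create a one-time code for `action`; a real site would e-mail it."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[action] = (code, now + CODE_TTL)
        return code

    def confirm(self, action, code, now=None):
        """Apply `action` only if the mailed code matches and is still fresh."""
        now = time.time() if now is None else now
        # pop() makes every code single use, so a wrong guess burns it
        expected, expiry = self._pending.pop(action, (None, 0))
        if expected is None or now > expiry:
            return False
        if not hmac.compare_digest(expected, code):  # constant-time compare
            return False
        kind, _, value = action.partition(":")
        if kind == "card":
            self.validated_cards.add(value)
        elif kind == "device":
            self.validated_devices.add(value)
        elif kind == "disable_card_check":
            self.card_check_enabled = False
        return True

    def may_pay(self, last4, device, quick=False):
        """Quick pay needs a validated device; any card needs validation
        unless the owner switched the check off with a mailed code."""
        if quick and device not in self.validated_devices:
            return False
        return (not self.card_check_enabled) or last4 in self.validated_cards
```

Someone who only has the account password can neither quick-pay from an unknown device, nor add a new card, nor switch the card check off, because each of those steps needs a code that goes to the owner's mailbox.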
joppo: snip
Only problem, if they succeed in hacking, they can do whatever they want.

GOG could make their life and security easier (which comes with a trade off).

GOG could check against time.

To elaborate on this:

Account ABC with email XYZ registered for 1 year.

Normal user would not change email ever, or if so, they can create a delta out of it. (changed once, so delta 6 months).

If the hacking attempt is prior to this delta, ignore any e-mail change (unless done with support ticket aka like asking for an ID card or similar) and just send an email to the user notifying him.

The same algorithm could be used for password change. If user ABC changes password every 6 months and it is being tried to change prior to this delta, ignore (same would go with CC or other information). And again email to be sent.

This way me thinks everything shall be fine, or? And implementing this shall be not too hard.
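
One way to read the time check described in the post above, as an added example (not part of the thread and not GOG's code). The function names, the use of the median gap as the "delta", and holding any change on a field that has never been changed are assumptions; the dates are constructed sample values.

```python
from datetime import datetime, timedelta
from statistics import median


def change_delta(created, past_changes):
    """Median gap between consecutive changes of one field, counting the
    registration date as the first point. None if it was never changed."""
    points = [created] + sorted(past_changes)
    gaps = [later - earlier for earlier, later in zip(points, points[1:])]
    return median(gaps) if gaps else None


def review_change(created, past_changes, requested_at, support_verified=False):
    """Decide what to do with a requested e-mail, password or card change."""
    if support_verified:
        return "apply"  # identity was checked through a support ticket
    delta = change_delta(created, past_changes)
    last = max([created] + list(past_changes))
    # Assumption: with no history there is no delta, so the change is held.
    if delta is None or requested_at - last < delta:
        return "hold_and_notify"  # ignore the change, mail the old address
    return "apply"


# Constructed sample: registered a year ago, e-mail changed once halfway.
created = datetime(2015, 9, 27)
changes = [datetime(2016, 3, 27)]
early = review_change(created, changes, datetime(2016, 4, 10))
on_schedule = review_change(created, changes, datetime(2016, 9, 27))
```

Here `early` is held because it comes two weeks after the last change, while `on_schedule` arrives after the usual interval and is applied.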