Can someone help me out? I entered a ticket yesterday and haven't heard back yet on this. Under normal circumstances I'd be perfectly fine with waiting a couple days.

Ticket number: 61NL3ZLQ

Summary:

I noticed on GOG Galaxy that my email was not what it should be. It's a .ru email now. I can no longer login to anything GOG related with my main account. Anytime I try to login it says "user not found" for my main email. What's concerning is my main email has to still be in the database because I'm now receiving GOG emails in russian to my main email.

And this is why we need two factor authentication for something like an email change.

As for the OP, I'm sure GoG will fix it for you. Support is just really busy right now.

So long as it's optional. I don't have an email and I don't want to get shut out because of that.

How did you get an account without email? O_o

Anyways, if you don't have an email associated with your account you should be exempted from two factor authentication of course.

I am sure they work hard, but I am not 100% sure GOG could pull off two factor authentication without crashing the system.
It does rather need integration to the account database and other site wide aspects. Although as it goes now... Maybe they are trying that.

Oh, I get by! :P

No, my B&B pc has an email account which I intern gave to GOG, but that's a totally different computer that is usually being used for reservations and stuff so I can't rely on being able to get to it when I need it. Life and death I could use it but if I wake up at two in the morning and want to do something in here I don't want to have to go all the way over there to log in. :P

Well, something should be improved at least. I'm willing to shoulder some of the blame because this is a brand new system I built specifically for The Witcher 3 and I hadn't installed any malware protection yet. Shame on me.

However, up until I had been using GOG Galaxy, I never had this happen with my GOG Account. The two are probably unrelated but I'm just pointing out how this looks.

No doubt something should be done, GOG wants to play with the big boys it needs to act like them too.
If we look at Steam (oh the horror), they require you prove a new computer is in fact under your usage by sending an email with a random code.
I think that would be a good idea, especially for changes of passwords. You type in the new password, receive an email with a code, enter code and you have a new password. Simple and would require a bit more work from any hackers.

As to the anti-malware, whilst I would suggest that always be the first thing you install when you go online. Even they can only stop so much, we are never safe. :(

Ah, I see. For just logging in and downloading games and such, I wouldn't want two factor authentification for that. It should only be done for a major account change - which as far as GoG is concerned the only major change possible is an email change.

No offense, but damn is that one hell of a first world problem.

Why hack a GOG account and deny the original owner access?

Seems to me the hacker would profit most by acting as a parasite.

As is, the hacker's killed the goose that lays the golden eggs.

edit:
I'm not recommending this behavior, of course. Just curious about the motivation here.

Well, Galaxy never asked me to login again when the email account change was made. It still auto logs me in under my main account on startup. So actually the hacker was successful in your suggestion. So right now I don't know how it behaves on his end. I'm assuming he has access to my games library.

Incidently this means that Galaxy doesn't do any authentication if you've logged in successfully and set it to automatically login on startup. I would suggest turning that feature off.

Hope you don't make any purchases before getting this resolved.

That sounds like a major problem... Maybe for immediate action you can get Judas to lock your account, then after it's locked it can get looked at by the admins when they get to it... Alternatively if it's in the obvious history the email changed, reset the password and revert to the previous email.

Hmmm... Might be time to change from my insecure password to my more secure password...