EDIT: Nevermind, now I think I got the gist of the question. That's a good question, ie. does the person abroad know your password already because a 2FA verification code email was sent to you.

I think I could test it, by logging in from a different IP address (I can use my phone to log in) and clearing the cookies from Firefox, and then entering a wrong password.

Same here. It is an attempt of piracy. The connection comes from Brazil. Sao Paulo. He has our password. I contacted the support. Sorry for my english. I speak french.

I've tested with my VPN, it seems it's cookie/IP/Location bases in some odd combination.. i've only ever hit the 2FA a few times in the few years I've enabled it. Even with a total format no 2FA, using a VPN after successfully longing in once again no 2FA.

the most recent trigger for me was the forum hack that happened a while go. That event triggered 2FA on my scripts, browser, and Galaxy.

so from my experience (dont take this as fact) if your ip and cookie are good, or cookie and location are good or location and ip are good you don't get hit. You need 2 of these 3 things.

edit:its not browser fingerprinting as i use a special program to obfuscate that, not a fan of tracking me just to serve me ads in facebook and twitter :p

Ok so I just tested it, and yes, it seems 2FA (the verification code email) is triggered only if you give the right password, but are connecting from a different IP address (than in your previous successful login) and have no valid login cookie (e.g. using a new PC or browser, or having deleted your cookies from your browser).

Meaning, yes that hijacker abroad has somehow got hold of your password for that account (email address). Have you used the same username (or email address) and password combination on some other web sites or services too? That's the most probable way they have got hold of it, e.g. you have used the same email/password on some dodgy site, or a site whose user database was breached. I guess there are other possibilities as well (malware like a keylogger on your PC).

It seems you were saved by 2FA (the hijacker couldn't log in even though they knew your password), but I guess you should change the password now, to something that you haven't used elsewhere. And run a virus scan.

What I personally would want to know, what are the conditions for CAPTCHA (those picture boxes you have to tick) to appear? Sometimes I've felt that e.g. giving a wrong password too many times triggers it, but e.g. right now I gave the wrong password twice (to test that no 2FA code email is sent to me), and no CAPTCHA.

How do you define "location"? I think only the IP address and a valid login cookie matter. If I switch from my cable modem to my mobile internet (using the same PC here at home, but clearing the cookies in Firefox), then 2FA is triggered because the IP address has changed, and I have no cookie.

I noticed this also sometimes when merely using the cable modem, because time to time it seems to get a new IP address if I have to restart the cable modem.

So it seems (just in my experience) that 2FA is triggered only if both of these conditions are met:

1. Your IP address has changed from what it was in your earlier successful login (apparently GOG doesn't remember more than one IP address from which you have logged in previously?).

2. You have no valid login cookie.

Just saw this on reddit:

https://www.reddit.com/r/gog/comments/7dw7iq/someone_tried_to_access_my_account/

For my part, it is a problem on the site. Someone has probably hacked the database and has access to our information. I do not use this password on another site. I have a friend who had the same thing a few hours ago.

I can confirm that only logging in from a different IP will trigger it - it's been like this for a while now. Previously a cookie-based system was put in place, and to be honest it was a lot better that way if you ask me, but for some reason they decided to have it IP-based in the end.

Happened to me tonight too. From "Brazil, João Pessoa" the 2FA mail tells me.

In my case it disregards any cookies I might have (and I've added a cookie clearance exclusion policy for *.gog.com a long time ago) - if my IP changes for some reason, I get the 2FA prompt on login regardless.

It's good here. At least the hacker failed to pass the 2-step verification. Fortunately, the change of IP address is detected.

Then shouldn't this be much more widespread? If they got hold of all GOG user's usernames and passwords (database) unencrypted, then I think GOG would be swarmed by similar reports.

At least I haven't ever seen such verification emails that I haven't triggered myself.

Earlier when GOG.com didn't have 2FA or it was disabled by default, some people reported that their account was hijacked (meaning someone knew their password, and 2FA was not there to stop them to login from another PC). Quite often it appeared it was people who visit GOG rarely (they said so themselves), which I think increases the likelihood they have used some throwaway password they've used on many other sites too.

Other possibilities: malware like a keylogger on their PC, or a simple password that was brute-forced (but I presume GOG's CAPTCHA is supposed to kick in in case someone tries to repeatedly guess your password).

There are others who also report the problem. It is not a coincidence. And I made checks on my pc, there is nothing, no virus, no keylogger.

Or it could be a Galaxy vulnerability... just saying. At least it's worth looking into it.