It seems that you're using an outdated browser. Some things may not work as they should (or don't work at all).
We suggest you upgrade newer and better browser like: Chrome, Firefox, Internet Explorer or Opera

×
Community
General discussionConditions for 2-step authentication kicking in?(50 posts)(50 posts)
(50 posts)
Pages:
1
2
3
4
This is my favourite topic
Posted November 19, 2017
avatar
misteryo: I am wondering if it is not mandatory, might a whole lot of users be hacked and not know it because they do not use 2FA.
Earlier GOG switched it on for everyone, so it is enabled by default. One would have to deliberately switch if off to get rid of it. I think that was a good move because apparently there were lots of rarely used GOG accounts which got hijacked, and when the original owners later tried to access them again, they couldn't (email was changed etc.). So now everyone has the extra protection by default.

Considering how much talk there was earlier about those hijacked accounts (when 2FA wasn't enabled yet), I'd be surprised if masses of people switched it off, or then taking extra measures (like using a very strong password which they only use on GOG).

Even I started using 2FA at that point. The reason I didn't use it earlier was because I let Firefox clear all cookies on exit, and sometimes (when the IP address changed) that would trigger 2FA. As a workaround, I started using Chrome instead for all such sites where I want to keep the login cookies (like GOG.com and Humble Bundle), and I use Firefox for the rest.
Post edited November 19, 2017 by timppu
Posted November 19, 2017
I can just say I also got this email. I thought i was hacked totaly so I changed passwords on all mine main accaounts. So Emails, phone etc.

Also Brazil and looks like someone did it using VPN from some kind of Brazilian Company.

Change password just in case people. And use different one to other accouts.

While gog secure your site better ffs. people have credit cards saved here
Post edited November 19, 2017 by kuky90
Posted November 19, 2017
Not having the website save your credit card information would probably be a plus as well.
Posted November 19, 2017
avatar
drmike: Not having the website save your credit card information would probably be a plus as well.
Yeah that why I never save. And those who do save automatically I go and delete. I even double check this.


And i got this email 15min ago. So they didnt fix anything yet.
Post edited November 19, 2017 by kuky90
Posted November 19, 2017
avatar
drmike: Not having the website save your credit card information would probably be a plus as well.
It doesn't. It uses some sort of token system (I don't remember the details), and it only saves that info if you tell it to (AFAIK, a customer can still choose to manually enter the card info every time).
In other words, even if you had your card info "saved" here, the worst that would happen is somebody could buy some GOG games as gift codes to flog on other sites -- and there are limits to the quantity of gift codes one can buy here at one time, as well.
Posted November 20, 2017
Hey guys
To give you a quick update, we've not detected anything that would seem like a breach of data on our end – but we are aware of the reports and we are monitoring the situation.

As for what you can do, like timppu mentioned drop by https://haveibeenpwned.com to see if your credentials have ever been compromised (keep in mind that list is not all-encompasing, but it's a great pointer).

If you are compromised make sure to change your password. Definitely have a unique password for your email account, and keep 2-step on. As long as you're the only one with access to your email account, 2-step is just about impenetrable.
Posted November 20, 2017
avatar
kuky90: While gog secure your site better ffs. people have credit cards saved here
What is GOG supposed to do, if your password was leaked from some other site where you have used the same password in the past? GOG already prevented the hijackers from taking over your account, with 2FA. Also I presume GOG is using CAPTCHA to prevent brute-force guessing of passwords online.

Not to say there probably aren't existing security vulnerabilities in GOG right now (like there are on lots of other sites too), but not necessarily something related to these verification emails.

And yeah I don't save my credit card info on GOG, or any other sites either for that matter. I have already learned my cc number etc. by heart.


EDIT: Did you say the Brazilian is still able to log in with your password, even though you recently changed it? If that is the case, go check in your GOG settings under "Login and security", if "Authorized sessions" => "Logout all" would help?
Post edited November 20, 2017 by timppu
Posted November 20, 2017
avatar
timppu: EDIT: Did you say the Brazilian is still able to log in with your password, even though you recently changed it? If that is the case, go check in your GOG settings under "Login and security", if "Authorized sessions" => "Logout all" would help?
A list of last log ins on the account page would be helpful as well.

avatar
timppu: Someone mentioned in the reddit discussion that CDPR forums would have had a data breach at some point, but I don't recall seeing news about that? Is it merely a rumour? EDIT: Or then it happened so long ago that it isn't relevant anymore...
https://forums.cdprojektred.com/forum/en/the-witcher-series/news-aa/7248610-important-unauthorized-access-to-the-forums%E2%80%99-data

avatar
Konrad: *snip*
Someone may want to take a second and review which version of vBulletin they're running the Watcher forums on. Looks like they're running 5.2.5 while vBulletin is up at 5.3.1 now. It's annoying that vBulletin doesn't provide a public accessible version history.
Post edited November 20, 2017 by drmike
Posted November 20, 2017
avatar
Konrad: Hey guys
To give you a quick update, we've not detected anything that would seem like a breach of data on our end – but we are aware of the reports and we are monitoring the situation.

As for what you can do, like timppu mentioned drop by https://haveibeenpwned.com to see if your credentials have ever been compromised (keep in mind that list is not all-encompasing, but it's a great pointer).

If you are compromised make sure to change your password. Definitely have a unique password for your email account, and keep 2-step on. As long as you're the only one with access to your email account, 2-step is just about impenetrable.
I got an email from armor games the other day saying they had a breach a few years ago and the info now appeared to be publicly available, considering the possible overlap I'd say it would be a likely source of any details...

Not sure if there's anything you can do on your side with that info mind...
Posted November 20, 2017
avatar
drmike: Not having the website save your credit card information would probably be a plus as well.
avatar
HunchBluntley: It doesn't. It uses some sort of token system (I don't remember the details), and it only saves that info if you tell it to (AFAIK, a customer can still choose to manually enter the card info every time).
In other words, even if you had your card info "saved" here, the worst that would happen is somebody could buy some GOG games as gift codes to flog on other sites -- and there are limits to the quantity of gift codes one can buy here at one time, as well.
Sorry, I meant in general with any website. Replace the 'the' with 'any'.
Posted November 20, 2017
avatar
drmike: https://forums.cdprojektred.com/forum/en/the-witcher-series/news-aa/7248610-important-unauthorized-access-to-the-forums%E2%80%99-data
Thanks. So apparently that happened before the GOG & CDPR forum merge (meaning pure GOG users were unaffected), and all the affected people were notified by email?

avatar
drmike: A list of last log ins on the account page would be helpful as well.
True, that would be nice. Maybe even log-in attempts (with wrong passwords).
Post edited November 20, 2017 by timppu
Posted November 20, 2017
avatar
drmike: A list of last log ins on the account page would be helpful as well.
avatar
timppu: True, that would be nice. Maybe even log-in attempts (with wrong passwords).
Very much yes, login attempts with at least IP addresses and guessed locations would be very, very useful. Wrong passwords tried would be a neat bonus, allowing us to potentially guess where security breaches are coming from.
Posted November 22, 2017
Had one e-mail 5 hours ago. Someone tried to login to my account too. From Egypt. I guess someone found out my password as two step verification code was sent. Contacted GOG support regarding this leak.
Posted November 22, 2017
Got two mails from the Philippines
Posted November 22, 2017
well a strange thing to report here

i saw this thread and the reddit thread linked somewhere about the recent foreign ip attempts of login in

i wanted you folks to know of something that is, in a way, reassuring:
i usually never used 2FA system on GOG so far; when they introduced it, i think it was opt-out at the very start. i disabled it from start; reactivated it manually once when i was visiting a friend who leaves near another country's boundary and who has internet access to another country's ISP, when i wanted to show him stuff on my gog account from my laptop i brought with me

then once back home, i disabled it again.

And i see today it's enabled again (so it was an action not from me...) Could GOG possibly decided to turn it on by default once they suspected some breach of any kind ? it is a good reaction, i would think... but i can be wrong (wrong that it was reactivated by GOG, and.or wrong it can be seen as a good thing)

TL;DR usually never use 2FA on GOG... Manualy disabled it twice, whenever it was activated by default. Last time i checked it was off, but whenever i checked today: it is enabled again.
Pages:
1
2
3
4
This is my favourite topic
Community
General discussionConditions for 2-step authentication kicking in?(50 posts)(50 posts)
(50 posts)