Someone from Yekaterinburg, Russia just attempted to log in to my account. Thankfully, I got an email with the 4 digit code asking me to log in... not from me. Changed my password just to be safe, otherwise, I might have had my account hacked.
Attachments:
russia.jpg (113 Kb)
I currently have two-step authentication also enabled, but I haven't had such login attempts.

I would be most interested to know how these (Russian?) hackers have got hold of some people's GOG passwords. If it was from GOG databases directly, then I'd assume it would be much much MUCH more widespread, and people like me would be affected as well.

So is this the case of using the same email address and password on some other sites which have later been breached, or having malware on your PC which sniffs for passwords for sites, or having a too simple password (123456 hey that's the digit to my luggage blaa blaa blaa SpaceBalls oooyea).

I find this two-step authentication annoying as I tend to automatically remove cookies from my browsers after I close them (which means I'd have to re-authenticate every time I start a browser and log into GOG.com), but as a workaround I've set now so on my main PC that I use Internet Explorer only to log into GOG.com (cookies are kept), while Firefox for the rest of the internets (cookies are cleared after closing Firefox). Oh well, at least I now found some use for Internet Explorer...
Post edited September 18, 2016 by timppu
Well. thanks for the warning.
However there's one thing that's been bugging me personally since the introduction of this "feature" - what happens if I semi-regularly use different PCs to log in to GOG. I use my Windows PC to log in, from time to time I also use my Linux PC (which is a different piece of hardware), and I also use the computer lab of my university as the internet connection at home sucks. All these have probably different IPs, which means that if I activate this, I'll be getting a new email every time I switch computers with my use-case (as already happens with Humble) which is really, really annoying, especially as the computer labs force users to use IE for whatever reason and said browser doesn't even render correctly my email account (which is, ironically enough, a Microsoft one).
I also by the way have not saved my credit card data and do not plan on loading anything onto the wallet (other than the regular 50 or so cents of compensation I'm given for regional purchases), so I don't think any Russian would be able to use my money to get games or something.
In short, I think this feature is worth enabling if someone plans to use the wallet and/or has credit card info saved. Otherwise, it's pure annoyance.
Post edited September 18, 2016 by Treasure
*Don't mind me. I posted without actually wanting to post.
Post edited September 18, 2016 by mistermumbles
timppu: I would be most interested to know how these (Russian?) hackers have got a hold on some people's GOG passwords. If it was from GOG databases directly, then I'd assume it would be much much MUCH more widespread, and people like me would be affected as well.
Most likely they hacked another site and just go to popular websites and try the same username/password, because people use the same passwords on multiple sites.
Treasure: In short, I think this feature is worth enabling if someone plans to use the wallet and/or has credit card info saved. Otherwise, it's pure annoyance.
So long as you don't use the same password on GOG as another site, less likely to get hacked, yeah. But if you did get hacked you risk them changing your password and locking you out of your account and getting to download all your games for free.
Treasure: However there's one thing that's been bugging me personally since the introduction of this "feature" -what happens if I semi-regularly use different pcs to login to gog. I use my Windows pc to login, from time to time I also use my Linux pc (which is a different piece of hardware), and I also use the computer lab of my university as the internet connection at home sucks. All these have probably different IPs, which means that if I activate this, I'll be getting a new email every time I switch computers with my use-case (as already happens with Humble) which is really, really annoying,
I don't think it depends at least primarily on your IP address? I thought it was about cookies. If you let those different browsers on different PCs keep the cookies, then I think it should let you log in without the extra authentication.

Just make sure that when you log into GOG using those public PCs, like that lab PC in your university, that you log out of GOG at the end. Frankly I would also clear cookies on such public PCs just to be sure and so that they can't see my GOG username either, but then you'd trigger the extra authentication each and every time.

That also shows how important it would be for GOG to also enable an extra email authentication for changing email or password on GOG, whether you have two-step authentication enabled or disabled. If you forget to log out on some public computer, it would be very important that someone else logging into the site as you can't change your email and password.

I'm unsure if GOG has some other things too which trigger the current two-step authentication, e.g. trying to log in from another country? So even if I have the cookies and take my laptop abroad, would it still require the two-step authentication?
Post edited September 18, 2016 by timppu
herbertfilby: So long as you don't use the same password on GOG as another site, less likely to get hacked, yeah. But if you did get hacked you risk them changing your password and locking you out of your account and getting to download all your games for free.
Yes, I do use different passwords on different sites, as I believe as well that using the same password everywhere is kind of stupid. As for the danger of them locking me out of my account, this is a possibility I'd wish to avoid, but my avoiding of that possibility isn't (imo) worth the annoyance I just mentioned every time I log in from another PC - and I also haven't been hacked before (touch wood), so I probably do something right in my password selection.
timppu: I don't think it depends at least primarily on your IP address? I thought it was about cookies. If you let those different browsers on different PCs keep the cookies, then I think it should let you log in without the extra authentication.

Just make sure that when you log into GOG using those public PCs, like that lab PC in your university, that you log out of GOG at the end. Frankly I would also clear cookies on such public PCs just to be sure and so that they can't see my GOG username either, but then you'd trigger the extra authentication each and every time.

That also shows how important it would be for GOG to also enable an extra email authentication for changing email or password on GOG, whether you have two-step authentication enabled or disabled. If you forget to log out on some public computer, it would be very important that someone else logging into the site as you can't change your email and password.

I'm unsure if GOG has some other things too which trigger the current two-step authentication, e.g. trying to log in from another country? So even if I have the cookies and take my laptop abroad, would it still require the two-step authentication?
Well, I personally don't clean cookies very often, so I thought up until now that it has more to do with my IP addresses. I could test it later though on my Windows and Linux PCs, just to be certain, but I'd have to enable 2step, and I'm still not certain if I want to.
Also the problem with the uni PCs would still remain, as these use a kind of temporary profile. People log in on those PCs with the same username and password they use for the university-provided email address, and thus everyone has a different profile - cookies are also not kept between sessions, as the PCs in general don't remember what I did last time, even if I happen to use the same computer two times in a row. I log out of my GOG account anyway, but these measures add additional insurance in regards to this. So as you said, the 2step thingy would indeed be triggered each time (and as I mentioned, my regular email account doesn't render correctly in their mandated IE) and I need to log in through those PCs to actually download the bigger sized games as their download speed is on average higher than what I get at home (1-1.5 MB/s vs 100-250 kB/s).
I also haven't really tested logging in on the same PC from another country with 2step enabled - I bought my Linux PC in Greece and brought it back to Cyprus and logged in to GOG in both locations, but 2step was also disabled...
Post edited September 18, 2016 by Treasure
Treasure: As for the danger of them locking me out of my account, this is a possibility I'd wish to avoid, but my avoiding of that possibility isn't (imo) worth the annoyance I just mentioned every time I log in from another PC - and I also haven't been hacked before (touch wood), so I probably do something right in my password selection.
This is also exactly the reason why there should be a separate two-step verification for changing email address or the password. So even if you don't have the current two-step authentication enabled (or even if you have), GOG should still require an extra email verification at least for those two vital account operations.

Someone being temporarily logged in as you on the public PC (until you get a chance to log out on it, or use that log out button in the GOG security settings (if it worked as intended)) is not that dangerous, as long as they can't lock you out of your account by changing those parameters. Ok so they can download your games, or buy new games for your account with their own credit card (hey isn't that actually a positive thing?!?), or write some trash messages to the forum as you, but that's all.
timppu: I don't think it depends at least primarily on your IP address?
I logged in to my browser and needed a pin, and then logged into Galaxy and it asked for a pin too, same IP.
Treasure: As for the danger of them locking me out of my account, this is a possibility I'd wish to avoid, but my avoiding of that possibility isn't (imo) worth the annoyance I just mentioned every time I log in from another PC - and I also haven't been hacked before (touch wood), so I probably do something right in my password selection.
timppu: This is also exactly the reason why there should be a separate two-step verification for changing email address or the password. So even if you don't have the current two-step authentication enabled (or even if you have), GOG should still require an extra email verification at least for those two vital account operations.

Someone being temporarily logged in as you on the public PC (until you get a chance to log out on it, or use that log out button in the GOG security settings (if it worked as intended)) is not that dangerous, as long as they can't lock you out of your account by changing those parameters. Ok so they can download your games, or buy new games for your account with their own credit card (hey isn't that actually a positive thing?!?), or write some trash messages to the forum as you, but that's all.
Well, I just edited my above post (didn't want to create a new one just to add an additional answer but the editing took more time than I thought) so I already addressed the public PC issue - that the profiles are temporary and no info is kept between sessions, so if I log out of the sessions I'm fine (there are people who forget to log out and I see a PC turned on with the username "Jane Doe" on the start menu, I ask the others round the room if Jane Doe is around and if the answer's no, I log them out myself).
I'm not certain however what you mean that they wouldn't be able to lock me out of my account - if they somehow guessed the password and then changed it they could - and the problem with that would mainly be that I haven't got everything downloaded and backed up (around 25% of my games are of bigger size and thus not downloaded yet) so I'd be locked out of those purchases at the very least...
herbertfilby: Someone from Yekaterinburg, Russia just attempted to log in to my account. Thankfully, I got an email with the 4 digit code asking me to log in... not from me. Changed my password just to be safe, otherwise, I might have had my account hacked.
Farkin Elle! I wasn't even aware Gog was doing two steps. Thanks for the heads-up. You can't be too careful, you know. ;^)
Two different IPs in Russia tried to log in to my account this morning ... So I finally changed my password - I used my "common password" years ago when creating the account, so it's really possible it's known today.

I seem not to be able to find the list of the last few IPs I logged in from, or a setting to block countries outside my area - two common features.
*checks* I got a supposed Amazon verification e-mail last night it seems, passed through junk filters, but obvious phishing. Didn't even try to get a domain name that had anything to do with Amazon at a glance, it was gibberish, so just had to hover over the link.

But generally wish every site would have 2-factor, at least in GOG's implementation, of e-mail as verification, with (optional!) SMS level for those where hacking may lead to losses or identity theft or other bigger problems. And yeah, listing the IPs that attempted to log on would sure be handy too.

And a list of devices you're logged on from, also meaning it can maintain such a list and not just a single device (later edit: since there's an option to log out on all devices, seems that it does maintain a list, but doesn't show it?), so it won't ask again whenever the device is switched as long as cookies are maintained and IP is at least similar (match ISP and location maybe), therefore removing the hassle that prevents some from using two-step. Won't fix the public PC issue Treasure mentions, but you probably don't want to be able to log on without two-step from a public PC anyway, considering the risk.

Edit: Found on a quick search for recent hacks. Well, also this (http://www.theverge.com/2016/9/14/12916250/colin-powell-hacked-email-donald-trump), but GOG passwords probably weren't there :))
Post edited September 18, 2016 by Cavalary
Cavalary: since there's an option to log out on all devices
Which doesn't log out of my GOG Galaxy sessions, when I try it.
My gogrepo.py session is closed, though, as well as my logged in browsers.
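The mechanisms argued over in this thread can be shown in one small server-side model. This is an added example, not GOG's code, and it makes no claim about how GOG actually decides when to send the code; it illustrates timppu's point that a trusted device is something a cookie remembers rather than an IP address, the open question of whether a country change should re-trigger the code (here it does, by design choice), the request that a password change require a fresh e-mailed code even when two-step is off, and Cavalary's "log out on all devices", which here invalidates every client's cookie at once by bumping a per-account session generation. Everything in it is assumed: the HMAC key, the lifetimes, the five-guess cap on a 4-digit code, and the country-binding policy. The "e-mail" is modelled by returning the code to the caller.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed policy values (illustrative, not GOG's): server-side HMAC key,
# 10-minute code lifetime, 30-day trusted device, at most 5 guesses per code.
SERVER_KEY = secrets.token_bytes(32)
CODE_TTL = 10 * 60
DEVICE_TTL = 30 * 24 * 3600
MAX_CODE_ATTEMPTS = 5

def _mac(data: str) -> str:
    return hmac.new(SERVER_KEY, data.encode(), hashlib.sha256).hexdigest()

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    user: str
    salt: bytes
    password_hash: bytes
    two_step: bool = True
    session_gen: int = 0          # bumped by "log out on all devices"
    pending: dict = field(default_factory=dict)  # purpose -> [code, expiry, attempts_left]

def issue_device_cookie(acct: Account, country: str, now: int) -> str:
    """Trusted-device token bound to user, country at issue time, session generation, expiry."""
    payload = f"{acct.user}:{country}:{acct.session_gen}:{now + DEVICE_TTL}"
    return payload + ":" + _mac(payload)

def device_cookie_valid(acct: Account, country: str, cookie: str, now: int) -> bool:
    parts = cookie.split(":")
    if len(parts) != 5:
        return False
    user, c, gen, exp, mac = parts
    if user != acct.user or c != country or not gen.isdigit() or not exp.isdigit():
        return False
    if int(gen) != acct.session_gen or int(exp) < now:
        return False
    return hmac.compare_digest(mac, _mac(":".join(parts[:4])))

def send_code(acct: Account, purpose: str, now: int) -> str:
    """Mint a 4-digit code for one purpose; the return value stands in for the e-mail."""
    code = f"{secrets.randbelow(10_000):04d}"
    acct.pending[purpose] = [code, now + CODE_TTL, MAX_CODE_ATTEMPTS]
    return code

def verify_code(acct: Account, purpose: str, code: str, now: int) -> bool:
    """Single-use and time-limited; a 4-digit space needs the attempt cap to mean anything."""
    entry = acct.pending.get(purpose)
    if entry is None or now > entry[1]:
        acct.pending.pop(purpose, None)
        return False
    entry[2] -= 1
    ok = hmac.compare_digest(entry[0], code)
    if ok or entry[2] <= 0:
        acct.pending.pop(purpose, None)
    return ok

def login(acct: Account, password: str, country: str, cookie, now: int):
    """-> (status, emailed_code_or_None, cookie_or_None); status is denied/need_code/ok."""
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
        return "denied", None, None            # no e-mail is sent for a wrong password
    trusted = cookie is not None and device_cookie_valid(acct, country, cookie, now)
    if acct.two_step and not trusted:
        return "need_code", send_code(acct, "login", now), None
    return "ok", None, cookie if trusted else issue_device_cookie(acct, country, now)

def complete_login(acct: Account, code: str, country: str, now: int):
    if verify_code(acct, "login", code, now):
        return "ok", issue_device_cookie(acct, country, now)
    return "denied", None

def change_password(acct: Account, code: str, new_password: str, now: int) -> bool:
    """Step-up: a fresh e-mailed code (purpose 'change_password') is required even with two_step off."""
    if not verify_code(acct, "change_password", code, now):
        return False
    acct.salt = secrets.token_bytes(16)
    acct.password_hash = hash_password(new_password, acct.salt)
    logout_all_devices(acct)                   # a password change ends every other session
    return True

def logout_all_devices(acct: Account) -> None:
    """Invalidates every issued device cookie at once, whichever client holds it."""
    acct.session_gen += 1
    acct.pending.clear()
```

Two properties matter for the attack described at the top of the thread: a wrong password never causes a code to be e-mailed, so the e-mail herbertfilby received means the attacker already had the password; and the trusted-device cookie is something the attacker's browser does not have, so even the correct password stops at the code. The attempt cap is what keeps a 4-digit code from being brute-forced in 10,000 tries.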