haydenaurion: This guy didn't use Galaxy so now i'm starting to wonder:
http://www.gog.com/forum/general/account_hacked_i_suppose/post44 Grargar: Hmmm... the plot thickens.
The obvious answer would be that the people with hijacked accounts used the same email and password on some other service, whose username/password lists were breached. Didn't someone mention using the same password for e.g. Wartune, and that its accounts were hacked?
So it may well be it is merely coincidence that these hacked accounts happened after Galaxy launch. Maybe due to TW3 launch GOG.com simply got so many new users (or old users which were inactive before) with widely used passwords, and also more attention from hackers trying to use the same email/password.
If two-step authentication comes, I hope it will be optional (enabled by default is fine by me, as long as I can disable it), OR limited only to cases where someone tries to e.g. change the password and/or email. Otherwise I will have to re-enter the verification code probably every time if I visit GOG.com with a web browser, as I've configured Firefox to delete cookies and other temporary data on exit.
Then again, if the reason for changing your email is because your old email has become non-functional for some reason, how can you change the email address to a working one then? The verification code would be sent to the non-working email, right?