Yesterday morning I received one of those emails you never want to receive:

no-reply@gog.com

"Hi XXX, your e-mail address was changed

This is a confirmation, that the email address associated with your GOG.com account XXX (rostilovka88@gmail.com) was successfully changed. Below you will find the details of this operation:
New email address: rostilovka88@gmail.com
Previous email address: xxxx@xxx.xxx
IP Address: 95.81.223.143
OS: Windows 8.1
Browser: Yandex Browser 15.4.2272
Estimated location: Novocheboksarsk, Russia"

Watch out guys, there is a security breach somewhere.
Looking for my account back and for a two-step authentication method.
Post edited June 19, 2015 by Ciris
cavaler-2: Yesterday morning I received one of those emails you never want to receive:

no-reply@gog.com

"Hi XXX, your e-mail address was changed

This is a confirmation, that the email address associated with your GOG.com account XXX (rostilovka88@gmail.com) was successfully changed. Below you will find the details of this operation:
New email address: rostilovka88@gmail.com
Previous email address: xxxx@xxx.xxx
IP Address: 95.81.223.143
OS: Windows 8.1
Browser: Yandex Browser 15.4.2272
Estimated location: Novocheboksarsk, Russia"

Watch out guys, there is a security breach somewhere.
Looking for my account back and for a two-step authentication method.
Hi!

First off, I'd like to apologise to all who have experienced account hacking on our site over the past couple of days. We're hard at work to make this less of an issue and less likely to happen - but I understand how frustrating it must be to lose access to your games.

Having said that, there's a new measure that will help us pick up on hacked accounts more easily.

If your account e-mail changes, you will get an automated message.

It looks like this and has the new e-mail address, the old one, the IP currently in use (together with estimated location), and the OS and browser of the current user.

If you get such a message and it wasn't you who changed the email address, contact us.

Use the link at the end of the message ("contact our support team") to let us know it happened. You'll be redirected to our contact form - here's an example of how to fill that in.

We do our best to get back to hacked account emails as soon as possible, and to change the e-mail addresses as quickly as we can and restore the fully functional accounts to their rightful users.

IMPORTANT:

1) When contacting us regarding a hacked account, you must replace the e-mail address with one you have access to - otherwise, our reply will end up at the hacker's e-mail address, which you have no control over or access to.

2) Please do not send multiple requests to support - if you do, your request is pushed to the back of the queue again. If you feel the need to add more details to your support request without getting bumped back, you can do so by replying to the automated support reply you will get with your Ticket ID.

3) As soon as you get access to your account back, please change your password. It may be a simple thing, but please don't forget. It will mean the hacker once more lost access to your account for sure.

[edit]: bumped this to be the 2nd reply in the topic so it's easier to find for others with a similar problem, re-bumped the original post to the top to remain above the reply.
Post edited June 19, 2015 by Ciris
cogadh: source of these hijacks.
There is a growing number of sites, the number of users with the same login/password increases, and you can purchase user bases from hacked sites and try to brute-force them on another site.
Ciris: We do our best to get back to hacked account emails as soon as possible, and to change the e-mail addresses as quickly as we can and restore the fully functional accounts to their rightful users.
Please explain the nature of this account theft, so others could prevent it. Was it because of weak passwords or some malware on people's computers?
Post edited June 19, 2015 by shmerl
cogadh: source of these hijacks.
Gremlion: There is a growing number of sites, the number of users with the same login/password increases, and you can purchase user bases from hacked sites and try to brute-force them on another site.
That is my suspicion, i.e. a compromise of some other site (or sites) led to passwords here being compromised due to lax password habits on the part of users, but it would be nice to get some confirmation. Hopefully this will be a "lesson learned" moment for some people, if they have been using the same password on multiple sites.
@Ciris

Please take a look at my thread too. It's on the second page. Can't post link.
Ciris: We do our best to get back to hacked account emails as soon as possible, and to change the e-mail addresses as quickly as we can and restore the fully functional accounts to their rightful users.
shmerl: Please explain the nature of this account theft, so others could prevent it. Was it because of weak passwords or some malware on people's computers?
No one actually knows how, but the method seems to be this: a hijacker gained the correct e-mail and password credentials, likely through a site offering lists of compromised passwords for multiple websites; then, using GOG's own systems, changed the e-mail address on an account, which has virtually no security systems in place to block it; then changed the account password, which does require access to the account e-mail address. Since GOG did not have security in place to block unauthorized e-mail changes, the e-mail requirement for changing the password was useless. GOG has stated that there has been no compromise of their systems to date, and all of the hijacked accounts that have been reported on the forums say that the original account e-mail is secure, so the likely problem is that some people used the same password across multiple websites and one or more of those other sites was compromised.
Ciris: snip
I think at this point this really isn't good enough and GOG needs 2-step authorization like every other major website has today. I really hope GOG is putting a better system in place.
Post edited June 19, 2015 by BKGaming
Ciris: 3) As soon as you get access to your account back, please change your password. It may be a simple thing, but please don't forget. It will mean the hacker once more lost access to your account for sure.
This is wrong. You are essentially playing chicken with the hijacker by not setting the password to a new unique one when you restore an account, thus blocking the hijacker out from the beginning. This is internet security 101. You guys need to be better than this.
Ciris: 3) As soon as you get access to your account back, please change your password. It may be a simple thing, but please don't forget. It will mean the hacker once more lost access to your account for sure.
cogadh: This is wrong. You are essentially playing chicken with the hijacker by not setting the password to a new unique one when you restore an account, thus blocking the hijacker out from the beginning. This is internet security 101. You guys need to be better than this.
Exactly, and it might be like this already, but on top of that, make sure a changed password forces a lockout, so the person who is accessing the account can't continue to use it if it's left logged in.
Ciris: 3) As soon as you get access to your account back, please change your password. It may be a simple thing, but please don't forget. It will mean the hacker once more lost access to your account for sure.
cogadh: This is wrong. You are essentially playing chicken with the hijacker by not setting the password to a new unique one when you restore an account, thus blocking the hijacker out from the beginning. This is internet security 101. You guys need to be better than this.
I think Ciris meant to change the password to something new (and obviously unique). I'd recommend generating the password using a well-distributed combination of characters and making it very long. Use some password manager for it.

And, obviously, don't just avoid stupid passwords - avoid using the same password anywhere. Always make them unique.

https://www.youtube.com/watch?v=JSZTPuJ14Ro
Post edited June 19, 2015 by shmerl
Guys, do yourself a favor and use this link I already posted. Get a score over 85 if you want something not prone to a brute-force attack. The rest is keeping your system free of spyware and malware:

http://www.gog.com/forum/general/hacked_accounts_prevention/post11
Firebrand9: Guys, do yourself a favor and use this link I already posted. Get a score over 85 if you want something not prone to a brute-force attack. The rest is keeping your system free of spyware and malware:

http://www.gog.com/forum/general/hacked_accounts_prevention/post11
Hah, testing your password on some third-party site is a bad idea. How do you know it won't store it? Let alone when you send it over clear text (no https). No, don't ever do it. There are many ways to generate strong passwords without using any sites. And of course, if some site has no https, your password that you use on it is compromised by default already.
Post edited June 19, 2015 by shmerl
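shmerl's point that a strong password can be generated locally, without typing it into any website, together with the earlier advice to make it long with a well-distributed character set, as an added Python example. This is not code from the thread, from GOG, or from the linked site; it uses only the standard library's secrets module (the OS CSPRNG), the SAMPLE_WORDS list is a constructed stand-in for a real passphrase word list, and the function names are my own.

```python
import math
import secrets
import string

# Character classes for random passwords: the 94 printable, non-space ASCII symbols.
LOWER, UPPER, DIGITS, SYMBOLS = (string.ascii_lowercase, string.ascii_uppercase,
                                 string.digits, string.punctuation)
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS

# Constructed sample word list; a real passphrase list (e.g. Diceware) has thousands
# of words, which is what gives each word its entropy.
SAMPLE_WORDS = ["anvil", "bridge", "copper", "dune", "ember", "fjord", "glacier",
                "harbor", "iris", "jetty", "kestrel", "lumen", "meadow", "nickel",
                "orbit", "pebble", "quartz", "raven", "saddle", "tundra"]


def entropy_bits(choices, symbol_count):
    """Entropy of `choices` independent uniform picks from `symbol_count` symbols.

    Only valid when every pick is uniform and independent, which is why the
    generators below use `secrets` rather than the `random` module.
    """
    return choices * math.log2(symbol_count)


def generate_password(length=20, alphabet=ALPHABET):
    """Random password over `alphabet`, drawn with the OS CSPRNG.

    Resamples until every character class present in `alphabet` appears at
    least once, so a generated string never degenerates into e.g. all digits.
    The resampling only rejects a tiny fraction of candidates at this length,
    so the entropy figure from entropy_bits() is still essentially correct.
    """
    if length < 4:
        raise ValueError("length must allow one character from each class")
    classes = [c for c in (LOWER, UPPER, DIGITS, SYMBOLS) if set(c) & set(alphabet)]
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def generate_passphrase(word_count=6, words=SAMPLE_WORDS, separator="-"):
    """Diceware-style passphrase: words drawn uniformly with secrets.choice."""
    return separator.join(secrets.choice(words) for _ in range(word_count))


def describe(length=20, word_count=6):
    """Return (password, its entropy, passphrase, its entropy) for display."""
    pw = generate_password(length)
    pp = generate_passphrase(word_count)
    return (pw, entropy_bits(length, len(ALPHABET)),
            pp, entropy_bits(word_count, len(SAMPLE_WORDS)))


if __name__ == "__main__":
    pw, pw_bits, pp, pp_bits = describe()
    print(f"password:   {pw}  (~{pw_bits:.0f} bits)")
    print(f"passphrase: {pp}  (~{pp_bits:.0f} bits from a {len(SAMPLE_WORDS)}-word list)")
```

A password manager does exactly this for you and also stores the result, which is the practical answer to "make them unique". The entropy numbers are the honest replacement for a third-party "score": 20 characters from 94 symbols is about 131 bits, while six words from the tiny constructed list here is only about 26 bits, which is why real passphrase lists are thousands of words long.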
cogadh: This is wrong. You are essentially playing chicken with the hijacker by not setting the password to a new unique one when you restore an account, thus blocking the hijacker out from the beginning. This is internet security 101. You guys need to be better than this.
shmerl: I think Ciris meant to change the password to something new (and obviously unique). I'd recommend generating the password using a well-distributed combination of characters and making it very long. Use some password manager for it.

And, obviously, don't just avoid stupid passwords - avoid using the same password anywhere. Always make them unique.

https://www.youtube.com/watch?v=JSZTPuJ14Ro
Yes, but if GOG doesn't make it a temporary password, then you're playing "let's see who can do this first" with the person that has your account, as they can just log back in before you can change your password since they know your original email and password anyway.
BKGaming: Yes, but if GOG doesn't make it a temporary password, then you're playing "let's see who can do this first" with the person that has your account, as they can just log back in before you can change your password since they know your original email and password anyway.
I think in such cases when account theft was confirmed, GOG should forbid changing e-mail until they can authenticate original owner and the owner would confirm that they regained control and changed the password.

I.e., it can work like this: GOG locks the account. The original owner gets an e-mail with some instructions on how to unlock it (in the process changing the password). That's about it. It all assumes of course that the owner's e-mail account wasn't hacked. If it was, too bad.
Post edited June 19, 2015 by shmerl
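The flow shmerl sketches above (lock the account, let the owner unlock it by e-mail while setting a new password), together with the earlier points in the thread that a password change should force every existing session out and that an e-mail change should not be possible with a stolen password alone, as one added Python example. This is not GOG's code or anything posted in the thread: the Account model, the function names, and the OUTBOX list standing in for outgoing e-mail are assumptions made for illustration, and the e-mail addresses and passwords are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Hypothetical outbox: a real service would send these as e-mails; here they are
# collected so the flow can be followed (and tested) offline.
OUTBOX: list[tuple[str, str, str]] = []   # (recipient, subject, token)


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a per-user random salt; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Account:
    email: str
    salt: bytes
    digest: bytes
    sessions: set[str] = field(default_factory=set)   # live session ids
    locked: bool = False                                # set when a hijack is reported
    pending_email: str | None = None                    # new address awaiting confirmation
    pending_token: str | None = None                    # sent to the CURRENT address
    recovery_token: str | None = None                   # sent to the original owner

    def check_password(self, password: str) -> bool:
        _, digest = hash_password(password, self.salt)
        return hmac.compare_digest(digest, self.digest)


def create_account(email: str, password: str) -> Account:
    salt, digest = hash_password(password)
    return Account(email, salt, digest)


def login(acct: Account, password: str) -> str | None:
    """Returns a new session id, or None if the account is locked or the password is wrong."""
    if acct.locked or not acct.check_password(password):
        return None
    sid = secrets.token_urlsafe(16)
    acct.sessions.add(sid)
    return sid


def request_email_change(acct: Account, sid: str, new_email: str) -> bool:
    """Stage a change; the confirmation token goes to the current address, so a
    stolen password alone cannot move the account to someone else's mailbox."""
    if acct.locked or sid not in acct.sessions:
        return False
    acct.pending_email, acct.pending_token = new_email, secrets.token_urlsafe(24)
    OUTBOX.append((acct.email, "Confirm e-mail change", acct.pending_token))
    return True


def confirm_email_change(acct: Account, token: str) -> bool:
    if acct.pending_token is None or not hmac.compare_digest(token, acct.pending_token):
        return False
    acct.email, acct.pending_email, acct.pending_token = acct.pending_email, None, None
    return True


def change_password(acct: Account, sid: str, old: str, new: str) -> set[str]:
    """Rotate the password and revoke EVERY session, including the caller's, so a
    hijacker who is still logged in is forced out. Returns the revoked session ids."""
    if acct.locked or sid not in acct.sessions or not acct.check_password(old):
        return set()
    acct.salt, acct.digest = hash_password(new)
    revoked, acct.sessions = set(acct.sessions), set()
    return revoked


def lock_for_recovery(acct: Account) -> str:
    """Support-initiated lock after a confirmed hijack: drop all sessions, block
    logins and e-mail changes, and send a one-time recovery token to the owner."""
    acct.locked, acct.sessions = True, set()
    acct.pending_email = acct.pending_token = None
    acct.recovery_token = secrets.token_urlsafe(24)
    OUTBOX.append((acct.email, "Unlock your account", acct.recovery_token))
    return acct.recovery_token


def recover(acct: Account, token: str, new_password: str) -> bool:
    """The owner proves control of the mailbox and sets a new password in one step,
    so there is no window in which the old credentials still work."""
    if acct.recovery_token is None or not hmac.compare_digest(token, acct.recovery_token):
        return False
    acct.salt, acct.digest = hash_password(new_password)
    acct.locked, acct.recovery_token = False, None
    return True
```

Two design points carry the thread's argument: the e-mail-change token is sent to the address already on file, not the new one, and both change_password and recover empty the session set, so restoring an account and setting its new password happen before anyone can log in again. As shmerl notes, all of this still rests on the owner's mailbox being under their control.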
shmerl: Hah, testing your password on some third-party site is a bad idea. How do you know it won't store it? Let alone when you send it over clear text (no https). No, don't ever do it. There are many ways to generate strong passwords without using any sites. And of course, if some site has no https, your password that you use on it is compromised by default already.
Because the JavaScript is exposed and you can view exactly what it's doing. Not to mention, how will they know which site the password may be associated with? You know, basic critical thinking.
Post edited June 19, 2015 by Firebrand9