Hey, I just used the support contact form, but I figured posting here couldn't hurt. My account was hacked; I just found out when I tried to log in to use the new GOG Connect feature. I checked my email and, lo and behold, apparently my account email was changed to that of someone from Russia. I've provided some proof of purchase for some of my games (Witcher 1, 2 and 3 with the included PayPal receipt) and also a screenshot of the email saying my account was changed. Anything else I can do to get my account back quicker?
Receipts should be enough to get your account back and I don't think you can do much more than that to speed things up.
Use two-step login in the future.
GrakiaoBackup: [...]
You should receive a response by now.
Hey Guys,

Same story with me. My account has been compromised by someone from Ukraine this morning. It's a terrible thing that a user only gets a confirmation that their account's password has already been changed by someone, and not an actual email informing you that there is an attempt at a password change so that you can verify it via your existing email (by clicking on a link, for instance).

Seriously guys, this needs to be done ASAP. It's basic security, and as far as I can see this has been raised with you since early 2015, yet it's not fixed. You are far behind the competition on this one, sadly.

That said, I have opened a ticket but haven't gotten any reply, no ticket number, nothing.
How long does it usually take for accounts to be restored and reverted to their previous state?
I am seriously concerned about the state of my account, my private data and my payment information.
This whole situation is rather concerning and puts a different shade on the usage of online services and digital accounts.

Thiev, would you be able to check this one for me. Thanks in advance.
zest: Hey Guys,

Same story with me. My account has been compromised by someone from Ukraine this morning. It's a terrible thing that a user only gets a confirmation that their account's password has already been changed by someone, and not an actual email informing you that there is an attempt at a password change so that you can verify it via your existing email (by clicking on a link, for instance).

Seriously guys, this needs to be done ASAP. It's basic security, and as far as I can see this has been raised with you since early 2015, yet it's not fixed. You are far behind the competition on this one, sadly.
This!

Is it really that hard to send a confirmation mail before the mail change happens? It's basic security, and most of these hacks could have been avoided that way.
PaterAlf: This!

Is it really that hard to send a confirmation mail before the mail change happens? It's basic security, and most of these hacks could have been avoided that way.
I have to agree with this. Every major website on the Internet, as well as the majority of minor websites, has done this as a matter of security for eons now. The user wants to change their password, so you send them an email to the address on file with a verification link to click on. If they actually own the account, they'll get the email and click on it. When they click on it they thereby prove they got the email and are the owner of that account, and then you let them change the password.

This is really account security 101 type stuff.
zest: Hey Guys,

Same story with me. My account has been compromised by someone from Ukraine this morning. It's a terrible thing that a user only gets a confirmation that their account's password has already been changed by someone, and not an actual email informing you that there is an attempt at a password change so that you can verify it via your existing email (by clicking on a link, for instance).

Seriously guys, this needs to be done ASAP. It's basic security, and as far as I can see this has been raised with you since early 2015, yet it's not fixed. You are far behind the competition on this one, sadly. [...]
I've lost count how many times we've pointed out how backwards this is, and that they should change it to work proactively, but GOG doesn't seem to listen. *sigh*
zest: [...]

That said, I have opened a ticket but haven't gotten any reply, no ticket number, nothing.
How long does it usually take for accounts to be restored and reverted to their previous state?
I am seriously concerned about the state of my account, my private data and my payment information.
This whole situation is rather concerning and puts a different shade on the usage of online services and digital accounts.

Thiev, would you be able to check this one for me. Thanks in advance.
Did you get an automated email when you opened your ticket? Did you check if it got caught in your spam folder? If you actually didn't get that email, it's likely that your ticket didn't even register with the GOG Support System, and you should try again.

I'd assume that restoring accounts to their rightful owners takes priority, but keep in mind that it's a Sunday, and GOG Support operates with a limited number of staffers on weekends.
PaterAlf: This!

Is it really that hard to send a confirmation mail before the mail change happens? It's basic security, and most of these hacks could have been avoided that way.
Given that they've put a system in place to begin with, it's quite puzzling that they haven't switched it to operate like it should, and does on numerous other sites. Changing it to ask for a confirmation before the change takes effect would also lift the extra workload that the current system introduces for GOG Support, so sticking to it really doesn't make any sense from either a security or a business POV.
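The "confirm from the address on file before anything changes" flow that the posts above describe (the one asking for a verification link before a password change, and the one asking for a confirmation mail before an email change takes effect), written out as an added example for this thread. This is not GOG's code; the in-memory Account, the `outbox` list standing in for real mail delivery, the example.invalid confirmation URL and the one-hour token lifetime are all assumptions made for the illustration. The first function is the notify-after-the-fact behaviour the thread complains about; the class after it is the confirm-before-apply version.

```python
"""Confirm-before-apply flow for account email/password changes.

Added illustration for this thread, not GOG's code.  The Account class,
the `outbox` list that stands in for mail delivery, the example.invalid
link and the one-hour token lifetime are assumptions for the example.
"""
import secrets
import time
from dataclasses import dataclass, field

ALLOWED_FIELDS = {"email", "password_hash"}   # attributes a token may change
TOKEN_TTL = 3600                              # seconds; assumed for the example


@dataclass
class Account:
    username: str
    email: str
    password_hash: str
    outbox: list = field(default_factory=list)  # (recipient, body) pairs "sent"


# The flow the thread objects to: the change is applied at once and the
# previous address is merely told about it afterwards, when it is too late.
def change_email_notify_after(account: Account, new_email: str) -> None:
    old_email = account.email
    account.email = new_email
    account.outbox.append((old_email, f"Your email address was changed to {new_email}"))


# The flow the posters ask for: nothing changes until a link mailed to the
# address *currently on file* has been followed.
class PendingChangeService:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # token -> (username, field_name, new_value, expires_at)

    def request_change(self, account: Account, field_name: str, new_value: str) -> str:
        if field_name not in ALLOWED_FIELDS:
            raise ValueError(f"cannot change {field_name!r} via this flow")
        token = secrets.token_urlsafe(32)           # 256 random bits, not guessable
        expires_at = self._now() + TOKEN_TTL
        self._pending[token] = (account.username, field_name, new_value, expires_at)
        # Mail goes to the current address, so a hijacker who only holds a
        # live session (as in the thread) cannot approve the change alone.
        link = f"https://example.invalid/confirm?token={token}"
        account.outbox.append((account.email, f"Confirm change of {field_name}: {link}"))
        return token

    def confirm(self, account: Account, token: str) -> bool:
        entry = self._pending.pop(token, None)      # single use, even when rejected
        if entry is None:
            return False
        username, field_name, new_value, expires_at = entry
        if username != account.username or self._now() > expires_at:
            return False
        setattr(account, field_name, new_value)     # applied only now
        return True


if __name__ == "__main__":
    owner = Account("zest", "zest@mail.example", "hash-of-old-password")
    svc = PendingChangeService()
    svc.request_change(owner, "email", "hijacker@mail.example")
    print("email still on file:", owner.email)
    print("confirmation mail went to:", owner.outbox[-1][0])
```

The point the demo makes is in the last two lines: after a hijacker with a stolen session requests the change, the account's email is still the owner's, and the only confirmation link was mailed to the owner. The token is single-use and expires, so a leaked or replayed link is worthless after it has been consumed or after the window closes.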
Thank you all for your input. I have indeed submitted a second ticket, as the first one didn't go through. Still no word from the GOG team as of yet. Luckily, I have a friend who works for GOG's Twitch channel and have contacted her, so she can escalate my case to administrators, but this might not be resolved during the weekend.

I can't really believe those security issues are still a case when they simply can be solved by implementing a confirmation email easily.

GOG, please fix it. This is for your users' safety, satisfaction and basic service experience. It's a major flaw that puts your clients in rather uncomfortable and rather hazardous positions.

And, as I have seen this a lot in related topics, it's only partially on the user's side to keep the service secured and safe.

What really concerns me at this moment is that the guy who hacked into my account is online as I am writing these lines, so he is obviously using my account for his own unknown agenda, maybe even trying to buy products on my behalf, modifying my account (he/she already changed my profile picture and made my account private) or maybe even trying to sell it to someone else. That not only puts my personal data at stake but also other people's, who might get caught up in his/her fraudulent actions.

Still I am able to post here from my account as I am logged in and remembered by my browser.

Seriously, GOG, please listen to your clients' vox populi and fix this ASAP. This is an unacceptable lack of basic security precaution on your side and needs to be addressed and taken seriously.
HypersomniacLive: I've lost count how many times we've pointed out how backwards this is, and that they should change it to work proactively, but GOG doesn't seem to listen. *sigh* Did you get an automated email when you opened your ticket? Did you check if it got caught in your spam folder? If you actually didn't get that email, it's likely that your ticket didn't even register with the GOG Support System, and you should try again.

I'd assume that restoring accounts to their rightful owners takes priority, but keep in mind that it's a Sunday, and GOG Support operates with a limited number of staffers on weekends. Given that they've put a system in place to begin with, it's quite puzzling that they haven't switched it to operate like it should, and does on numerous other sites. Changing it to ask for a confirmation before the change takes effect would also lift the extra workload that the current system introduces for GOG Support, so sticking to it really doesn't make any sense from either a security or a business POV.
Sadly, a lot of companies out there, even massive ones, learn these sorts of lessons the hard way by eventually being the target of hackers and getting compromised. Sony is probably the biggest of the big to get just about every aspect of their computer networks hacked, both corporate and consumer-facing, due to poorly managed security policies and practices.

https://en.wikipedia.org/wiki/Sony_Pictures_Entertainment_hack

I think these high-level hacks happen because the marketplace is naturally highly competitive, resulting in companies tending to focus the majority of their internal resources (money, manpower, computing power, hamsters, pizza, etc.) on putting out new products and services first and foremost, with less attention paid to the industry best practices of back-end security infrastructure. Resources spent designing security systems that may be seen as unnecessary because "we've never had a breach before" is much like the average computer user who does not use any antivirus software because "I've never had a virus before, so I don't need an anti-virus program". Same thing really.

We as humans protect ourselves against threats based on a combination of our perception of the existence of threats and our mental model of what the threat is and how it works, and based on whether or not a given threat has previously been a problem. It's risk assessment, conscious or unconscious. When it comes to security threats, people as a whole (as well as businesses) generally mis-perceive the actual threats out there and what the actual risk is and costs to correct a given problem, so the threats get downplayed and not taken quite as seriously. As long as such threats never actually come to fruition and pose actual breaches and damage, the perception they're low-risk remains and allocation of resources to combat such threats is unlikely to happen.

Humans are naturally more reactive than proactive when it comes to risk assessment and threat management, whether it is computer security, business security, nutrition, or just about any other area you can think of. So as a whole we tend to underestimate actual real-world threats until they have actually happened and we have to deal with them, at which point we are more likely to take them seriously.

I suspect that GOG reviews their security infrastructure periodically and prioritizes improvements based on threat risk assessment, and that to date their perception of the risk of this security issue is low, so they haven't allocated their limited resources to do something about it because they have higher-priority real-world issues that are perceived to have bigger customer impact. Quite frankly, there are probably very few customers even caring about these security issues or expressing concerns to them, as the average human being, quite honestly, is a complete dolt when it comes to computer security and is unlikely to remotely care about this kind of stuff.

They'll probably upgrade this at some point in time naturally on their own, but they're much less likely to do it right away unless there is a compelling threat to their business, such as a massive account hijack-a-thon happening which causes massive outrage and a spontaneous exodus of customers, leading to an urgent damage-control mission to put out the fire and drench the flames.

The small number of people who might be affected by problems regarding this security weakness at the moment are just unfortunate collateral damage, which GOG will most likely gladly sort out on a customer-by-customer basis manually if and when it happens to people.

Every major gaming company at some point in time or another seems to have had a massive user account hijack or a password database leaked on a pastebin by some teenage h4x0r out there, including Valve, Sony, EA/Origin and others. I hope it never happens to GOG personally, but if it ever does, then it could be a sort of making-the-big-leagues "OOPS" tattoo they can wear on their journey to sit beside the various industry giants like Sony who have been breached multiple times.

Battle scars! :)