Cadaver747: Maybe so, then again I read all these "oh, my account was hijacked" threads and OPs claim that they log into Galaxy and afterwards the linked email was suddenly changed to .ru. Somehow Galaxy gave away users' data including personal email addresses. My guess.
But why are we seeing so few hijacked accounts then?

So far there is only a small number of hijackings compared to the number of Galaxy users, all hijacked accounts seem to have in common that they are new or not active in the community, and that they own TW3. That all points to an external factor like a security breach at another site, a gaming community or key reseller. Someone got their hands on user credentials (mail and password) and they tried them on other similar sites like Steam, GOG, etc. For a small percentage they got lucky and could use the same combination on GOG at least.

That theory is the best fit for what little we know about this issue.

The fact that it seems to be only new or inactive accounts makes it more likely that they bought their keys at another store or are more active in another community. It also makes it more likely that some of them got lazy and reused email and password to redeem TW3 because "eh, I'll just redeem TW3 real quick". But it also explains the small total of hijacked accounts because it's a comparably small number of off-site buyers/community members, of which only an even smaller number would have fallen into the laziness trap and used the same login for "Site X" and GOG. It also explains why there has been no bruteforcing of accounts according to the blues: someone got email and password at the same time.

But it really can't be from GOG or Galaxy because the numbers don't add up. Literally. Galaxy + TW3 alone has about 700,000 users, Galaxy itself easily 1,000,000+ users and GOG is just off the charts compared to those two. Any security breach on that side and the shit would really have hit the fan by now. Like thousands of compromised accounts across all user types... newbies, community regulars, blues...

But we haven't seen any of that, so at this point a security breach somewhere else is by far the most likely explanation.
Post edited June 17, 2015 by Randalator
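The pattern Randalator describes is something a SOC can actually test for in authentication logs, so here is an added example (not code from the thread, GOG or Galaxy) that separates credential stuffing from brute force. Stuffing looks like one or two attempts per account, across many different accounts, from the same source, with a high success rate and an e-mail change right after the successful login; brute force looks like many failures against one account. The log format, the IP addresses and the user names are constructed for the example.

```python
"""Added example: classify login sources as credential stuffing, brute force
or benign, then list accounts that fit the "logged in, then e-mail changed"
hijack pattern. Not code from the forum thread; the log format is made up."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Hypothetical log line shape: "<ISO timestamp> <event> user=<id> ip=<addr> result=ok|fail"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\w+)$")

# Constructed sample: one stuffing source, one brute-force source, one normal user.
SAMPLE_LOG = """\
2015-06-15T01:00:01Z login user=alice@example.org ip=203.0.113.9 result=ok
2015-06-15T01:00:03Z login user=bob@example.net ip=203.0.113.9 result=fail
2015-06-15T01:00:04Z login user=carol@example.com ip=203.0.113.9 result=ok
2015-06-15T01:00:06Z login user=dave@example.org ip=203.0.113.9 result=ok
2015-06-15T01:00:09Z email_change user=alice@example.org ip=203.0.113.9 result=ok
2015-06-15T01:00:12Z email_change user=dave@example.org ip=203.0.113.9 result=ok
2015-06-15T02:00:00Z login user=erin@example.org ip=198.51.100.7 result=fail
2015-06-15T02:00:01Z login user=erin@example.org ip=198.51.100.7 result=fail
2015-06-15T02:00:02Z login user=erin@example.org ip=198.51.100.7 result=fail
2015-06-15T02:00:03Z login user=erin@example.org ip=198.51.100.7 result=fail
2015-06-15T02:00:04Z login user=erin@example.org ip=198.51.100.7 result=fail
2015-06-15T02:00:05Z login user=erin@example.org ip=198.51.100.7 result=ok
2015-06-15T03:00:00Z login user=frank@example.org ip=192.0.2.44 result=ok
2015-06-15T03:00:30Z email_change user=frank@example.org ip=192.0.2.44 result=ok
"""


@dataclass
class Event:
    ts: str
    event: str
    user: str
    ip: str
    result: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format; refuse lines that do not match rather than guessing."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        events.append(Event(**m.groupdict()))
    return events


def classify_sources(events: List[Event], min_users: int = 3, max_attempts_per_user: float = 2.0,
                     brute_min_failures: int = 5) -> Dict[str, str]:
    """Per source IP: 'brute_force' (many failures, few accounts), 'credential_stuffing'
    (many accounts, ~1 attempt each, several successes) or 'benign'. Thresholds are illustrative."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0, "fail": 0})
    for e in events:
        if e.event != "login":
            continue
        s = stats[e.ip]
        s["users"].add(e.user)
        s["attempts"] += 1
        s["ok" if e.result == "ok" else "fail"] += 1
    verdicts = {}
    for ip, s in stats.items():
        n_users = len(s["users"])
        per_user = s["attempts"] / n_users
        if s["fail"] >= brute_min_failures and n_users < min_users:
            verdicts[ip] = "brute_force"
        elif n_users >= min_users and per_user <= max_attempts_per_user and s["ok"] >= 2:
            verdicts[ip] = "credential_stuffing"   # attacker already held valid pairs
        else:
            verdicts[ip] = "benign"
    return verdicts


def hijack_candidates(events: List[Event], verdicts: Dict[str, str]) -> Set[str]:
    """Accounts with a successful login from a stuffing source followed by an e-mail change
    from that same source (events are assumed to be in time order)."""
    suspect_ips = {ip for ip, v in verdicts.items() if v == "credential_stuffing"}
    logged_in: Set[str] = set()
    hijacked: Set[str] = set()
    for e in events:
        if e.ip not in suspect_ips:
            continue
        if e.event == "login" and e.result == "ok":
            logged_in.add(e.user)
        elif e.event == "email_change" and e.result == "ok" and e.user in logged_in:
            hijacked.add(e.user)
    return hijacked


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    v = classify_sources(evs)
    print(v)
    print("likely hijacked:", sorted(hijack_candidates(evs, v)))
```

The thresholds are the part to tune against real traffic: a shared NAT or a university network also produces many distinct users from one IP, but it does not produce a near-100% success rate on first attempts followed by e-mail changes, which is why the classifier requires both.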
Randalator:
Agree. I think now that it's all about a key reseller store/site security breach. Or even a fake site offering to sell The Witcher 3 for the client's real money, and then breaking in.
timppu: Then again, if that was true, shouldn't there be similar reports of lots of hijacked Steam accounts, and also hijacked mailbox accounts (at live.com, hotmail.com, outlook.com, gmail.com and what have you)? I don't recall anyone here reporting that also their mailbox had been hijacked.
Not "lots", the regular amount. It's GOG account theft that increased, since, pre-Witcher-III, valuable GOG accounts have been few and far between. And mailboxes are potentially hard to hijack; they can have two-factor authentication on password changes enabled and stuff like that.
Here's a rough translation of a typical ad:

Selling this steam account [link to account]. No layaway. Market and exchange closed for a week. I consent to an intermediary. Payment: QIWI [scammy payment system. --SM]. Skype [skype account] Price: make an offer.

Conditions changed, logged in today and it's restored and steam guard disabled but the email still works so I stole it again. Market in 15 days tho, I can send a gift of phantom arcane [what is this??? -- SM] for 50% off market price and other stuff if you need it, thanks for your time...
DanielRuf: Not here, the cookies are at least 1 year valid. They don't store passwords.

Not possible. GOG Galaxy uses TLS to encrypt the data.
Tarnicus: Quite possible. A quick search of "hacking TLS encryption" reveals vulnerabilities.
TLS is much more secure than the older SSL versions.

It is only possible when there is a MITM attack.

There are some issues, but this is not so easy to exploit if you do not have access to the network (MITM, malware on the computer, ...).

https://www.ssllabs.com/ssltest/analyze.html?d=secure.gog.com
https://www.ssllabs.com/ssltest/analyze.html?d=gog.com&latest

Sure, they should pick more secure certificates, but decrypting RC4 and SHA1 (which is only theoretically broken) takes a lot of captured data to work on the encrypted traffic.
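To make the "takes a lot of data" point concrete, here is an added example that is not code from the thread or from GOG. RC4's keystream is biased; the best-known bias (Mantin and Shamir, 2001) is that the second keystream byte is 0 about twice as often as it should be, roughly 1/128 instead of 1/256. So when the same secret, say a session cookie, is encrypted under many different keys, its second byte equals the second ciphertext byte twice as often as any other value, and a passive eavesdropper who has collected enough ciphertexts can simply vote for it. The cookie value, the 16-byte random keys and the sample count are constructed for the example; the number of samples needed is the "much data" in the post.

```python
"""Added example: textbook RC4 plus a measurement of the second-byte bias and
the many-ciphertexts attack it enables. Not code from the forum thread."""
import random
from typing import List, Tuple


def rc4_keystream(key: bytes, length: int) -> List[int]:
    """Textbook RC4: key scheduling (KSA) followed by `length` bytes of PRGA output."""
    S = list(range(256))
    j = 0
    klen = len(key)
    for i in range(256):                               # KSA
        j = (j + S[i] + key[i % klen]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = []
    i = j = 0
    for _ in range(length):                            # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return out


def rc4_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR with the keystream. RC4 is a raw stream cipher: no integrity, same call decrypts."""
    return bytes(p ^ k for p, k in zip(plaintext, rc4_keystream(key, len(plaintext))))


def collect_ciphertexts(secret: bytes, samples: int, seed: int) -> List[bytes]:
    """Simulate an eavesdropper seeing `secret` encrypted under `samples` fresh random
    16-byte keys (seeded PRNG so the run is repeatable; constructed data)."""
    rng = random.Random(seed)
    return [rc4_encrypt(bytes(rng.getrandbits(8) for _ in range(16)), secret)
            for _ in range(samples)]


def second_byte_zero_rate(ciphertexts: List[bytes], secret: bytes) -> float:
    """Measurement helper (knows the secret): fraction of samples where keystream byte 2
    was 0, i.e. C[1] == P[1]. Unbiased would be ~1/256 (0.0039); RC4 gives ~1/128."""
    return sum(c[1] == secret[1] for c in ciphertexts) / len(ciphertexts)


def recover_second_byte(ciphertexts: List[bytes]) -> Tuple[int, int, int]:
    """Attacker side (does not know the secret): vote on plaintext byte 2.
    Returns (guess, votes for guess, votes for runner-up) so the margin is visible."""
    counts = [0] * 256
    for c in ciphertexts:
        counts[c[1]] += 1
    ranked = sorted(range(256), key=counts.__getitem__, reverse=True)
    return ranked[0], counts[ranked[0]], counts[ranked[1]]


if __name__ == "__main__":
    cookie = b"sessionid=7f3a9c0d1e2b"                  # constructed secret
    cts = collect_ciphertexts(cookie, samples=16000, seed=7)
    print("measured P[Z2 = 0]:", round(second_byte_zero_rate(cts, cookie), 4))
    guess, top, runner_up = recover_second_byte(cts)
    print("recovered byte 2:", chr(guess), "with", top, "votes vs runner-up", runner_up)
```

With 16,000 encryptions the correct value wins by a wide margin; with a few hundred it is a coin toss, which is exactly why an attacker on the wire needs a large volume of traffic (and a way to make the client resend the secret) before an RC4 suite gives anything away. Note that this is a statistical leak of one byte per bias, not "decryption" of a session.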
I don't think it is related to GOG Galaxy. In order to hijack account information via Galaxy, the hacker needs to be on the same network as the user to do a man-in-the-middle attack.

Recently lots of sites' databases have been compromised in various leaks. My guess is the hackers got a list of those accounts and used them to hijack accounts. They might have also used the brute-force method for some of them.

The hacker who stole my account seems to be using a VPN; he seems to be logged into my account from Cairo, Egypt. But the other information I can see suggests that he originates from Russia, because the currency has been changed to RUB. He probably deactivated the VPN at some point. Also I am sure that the hacker is a script kiddie because he uses Google Chrome on Windows 8 and a Gmail account. His Google account user ID is "bedo.crk". Probably a fake one, but it might be useful when comparing it with others.

I am 80% sure someone leaked an exploit on a Russian warez forum or somewhere similar. Google Chrome, Windows 8 and Gmail accounts suggest that this is the work of a bunch of amateurs.

Anyway, the priority should be recovering the hijacked accounts at this point. Why and how should come later. Normally I do try to buy games from GOG.com in order to support the DRM-free movement. But the recent developments show that we definitely need a 2-step verification system. Also, being able to change the e-mail address without confirming it from the current one is really a big security flaw.

Update: Just got a reply from GOG support. I have now recovered my account. :)
Post edited June 18, 2015 by makine
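makine's last point is the design fix that matters most for this kind of takeover, so here is an added example (not GOG's code, and not from the thread) of an e-mail change flow that confirms from the current address. The rules it enforces: the caller must re-enter the password; a random single-use token is mailed to the current address, not the new one; the change happens only when that token comes back and only within its lifetime; the old address is notified afterwards. An attacker holding a reused password passes the first check but not the second, because the token lands in a mailbox they do not control (timppu noted above that the mailboxes were not hijacked). Mail sending is an in-memory outbox, the clock is injectable, and the confirmation URL uses a made-up example.invalid host so the code runs offline.

```python
"""Added example: e-mail change with re-authentication and confirmation sent to the
current address. Not GOG's code; mail and clock are stand-ins so it runs offline."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class User:
    name: str
    email: str
    pw_hash: bytes
    salt: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountService:
    TOKEN_TTL = 15 * 60                                   # seconds a confirmation link stays valid

    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now                                    # injectable clock, so expiry is testable
        self.users: Dict[str, User] = {}
        # sha256(token) -> (username, new_email, expiry). Storing only the hash means a
        # leaked table does not contain usable confirmation tokens.
        self.pending: Dict[bytes, Tuple[str, str, float]] = {}
        self.outbox: List[Tuple[str, str, str]] = []      # (to, subject, body); stands in for SMTP

    def register(self, name: str, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = User(name, email, hash_password(password, salt), salt)

    def request_email_change(self, name: str, password: str, new_email: str) -> None:
        """Step 1: re-authenticate, then mail a single-use link to the address on file."""
        user = self.users[name]
        if not hmac.compare_digest(user.pw_hash, hash_password(password, user.salt)):
            raise PermissionError("re-authentication failed")
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).digest()
        self.pending[key] = (name, new_email, self.now() + self.TOKEN_TTL)
        # The link goes to the CURRENT address, never to the requested new one.
        self.outbox.append((user.email, "Confirm your e-mail change",
                            f"Someone asked to move this account to {new_email}. If that was you, "
                            f"open https://example.invalid/confirm?token={token}"))

    def confirm_email_change(self, token: str) -> User:
        """Step 2: the token comes back from the old mailbox; apply the change once, in time."""
        entry = self.pending.pop(hashlib.sha256(token.encode()).digest(), None)  # single use
        if entry is None:
            raise PermissionError("unknown or already used token")
        name, new_email, expiry = entry
        if self.now() > expiry:
            raise PermissionError("token expired")
        user = self.users[name]
        old_email, user.email = user.email, new_email
        self.outbox.append((old_email, "Your e-mail address was changed",
                            f"This account now uses {new_email}. Contact support if this was not you."))
        return user


if __name__ == "__main__":
    svc = AccountService()
    svc.register("makine", "makine@example.org", "correct horse battery staple")
    svc.request_email_change("makine", "correct horse battery staple", "new@example.org")
    print("mail sent to:", svc.outbox[-1][0])          # the old address, not new@example.org
    token = svc.outbox[-1][2].split("token=")[1]
    print("confirmed:", svc.confirm_email_change(token).email)
```

Two details are easy to get wrong in real deployments: the confirmation must not be satisfiable from the session that requested it (otherwise the attacker who is already logged in just clicks the button), and the notification to the old address must go out even when the change succeeds, because that mail is what lets the real owner notice and start recovery.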
Cadaver747: Have you by chance installed some 3rd party software like Doom mods, unofficial patches for games, virtual drives, console emulators, other 100% free and secure software tools over the internet?
Belphoros: No, nothing :(

Yesterday was all fine

But today shit hit the fan

Can GOG.com delete this account but give all the games I had on it to a different one? I have all the confirmation e-mails from games I have ordered.
It could take some time until the account is sold in the underground. Also, not every scanner finds every malware.

You can try HerdProtect and other multiscanners.
Did you run some special tools like OTL, FRST, ComboFix and so on?
Cadaver747: Maybe so, then again I read all these "oh, my account was hijacked" threads and OPs claim that they log into Galaxy and afterwards the linked email was suddenly changed to .ru. [...]
Randalator: But why are we seeing so few hijacked accounts then? [...] At this point a security breach somewhere else is by far the most likely explanation.
I totally agree.
Post edited June 17, 2015 by DanielRuf
All is good again, it showed 7 viruses, dealt with the bastards :)
Any suggestions for an antivirus program? Kaspersky maybe?
Post edited June 17, 2015 by Belphoros
Belphoros: All is good again, it showed 7 viruses, dealt with the bastards :)
Any suggestions for an antivirus program? Kaspersky maybe?
I can't give you a recommendation for a specific program, but keep in mind that no antivirus program is able to find every single virus out there. This is especially true if you are trying to find viruses while running an infected system. Many viruses try to hide themselves from antivirus software, so the only proper way to check for viruses is scanning the system from a bootable, self-contained antivirus CD/USB stick. Many antivirus software manufacturers offer such CD images for download, which you can then burn onto a CD or write to a USB memory stick.
Of course, to be really on the safe side (if there is such a thing), you should probably reinstall the whole system after an infection.
Belphoros: All is good again, it showed 7 viruses, dealt with the bastards :)
Any suggestions for an antivirus program? Kaspersky maybe?
Comodo Internet Security (autosandboxing, HIPS/HIDS, deny all firewall, ...).

But keep in mind most heuristics of antivirus solutions won't find everything.

HerdProtect for example combines all scanners in the cloud.

What exactly were these 7 things it found?
Belphoros: All is good again, it showed 7 viruses, dealt with the bastards :)
Any suggestions for an antivirus program? Kaspersky maybe?
jpilot: I can't give you a recommendation for a specific program, but keep in mind that no antivirus program is able to find every single virus out there. [...] Of course, to be really on the safe side (if there is such a thing), you should probably reinstall the whole system after an infection.
Right, it is recommended to scan from a live disk or another system.

Here are some tools for creating live disks on USB sticks:

http://www.sarducd.it/
http://www.pendrivelinux.com/yumi-multiboot-usb-creator/
http://www.pendrivelinux.com/universal-usb-installer-easy-as-1-2-3/
Post edited June 17, 2015 by DanielRuf
Some DoubleClick, some cookies in the temp folder, and something else I forgot x)
Will try your advice for sure.
Belphoros: Some DoubleClick, some cookies in the temp folder, and something else I forgot x)
Will try your advice for sure.
These are not viruses or malware, just harmless tracking cookies.
Belphoros: Some DoubleClick, some cookies in the temp folder, and something else I forgot x)
Will try your advice for sure.
DanielRuf: These are not viruses or malware, just harmless tracking cookies.
I don't know if I would call tracking cookies "harmless". I think "filth" or "junk" would be more suitable.