God help us when people who have put in money in the gog wallet get hacked.
RWarehall: Is the OP sure they used his credit card? It's just as likely they used someone else's stolen card and gifted the key so they could sell it on a third-party site like G2A.
Why would they do that? Why not create a new account? Far less hassle and you could probably create tons of accounts without anyone noticing anything, if you start hacking as well you add another trace to your criminal operation.

One thing is for sure, they should probably ban the usage of those Russian domains that everyone seems to be hacked with, at least temporarily to see if it makes a difference. Also, add the option to only require 2 factor authentication when someone tries to change password or e-mail and possibly, make that option a requirement for people who want to use GOG wallet.

Also, since so many people get hacked surely the security vulnerability lies on GOG's side and not users? Has anyone lost control of their account with 2 factor authentication yet?
tinyE: My reply isn't working. :P


ANYWAY, there should be an option when you pay for GOG to store your credit card information. I never use that so that if, god forbid someone was to hack my account, all they could really do is rearrange my game shelf.
They do not store your credit card details, rather they request a special token from the CC provider which is linked to your CC and their store, so nobody can obtain your name/address/CC# or other info about your card, but the token can be used in the future to initiate purchases by you at GOG.com only.

If someone cracks your password or you use the same password at multiple sites and they manage to get into your account and you don't have 2 factor auth set up then they might possibly be able to make a purchase using the token into your account or as a gift code on a throwaway account. The risk is pretty small of that happening if someone uses 2FA and chooses genuinely secure passwords and doesn't reuse them between sites however. So the risks are low and nobody is forced to use the feature. Either way though it doesn't store your credit card number or personal info.
Nirth: Also, since so many people get hacked surely the security vulnerability lies on GOG's side and not users
They keep on denying it and say it's just users using the same email/password on other sites. With all of the vBulletin hacks that's a possibility, but we know the site is pretty screwed up and that since the original coders left they've been unable to maintain it at 100%.

All we know is that it happens and it needs to stop happening. :P
Nirth: Why would they do that? Why not create a new account? Far less hassle and you could probably create tons of accounts without anyone noticing anything, if you start hacking as well you add another trace to your criminal operation.
Maybe because new accounts now have a moratorium on gift purchases? Card fraud and unauthorized account access (computer fraud) are crimes of roughly similar severity, and using pwned account data freely accessible on the interwebs doesn't leave all that many traces.

"Why would they do that?" is a question better addressed to (1) people who buy hacked accounts -- piracy (unauthorized copying that doesn't involve unauthorized access to a computer) is less severe than computer fraud and (2) people who pay for illegally acquired games -- why dear gods why.
Nirth: Also, since so many people get hacked surely the security vulnerability lies on GOG's side and not users
MaximumBunny: They keep on denying it and say it's just users using the same email/password on other sites. With all of the vBulletin hacks that's a possibility, but we know the site is pretty screwed up and that since the original coders left they've been unable to maintain it at 100%.

All we know is that it happens and it needs to stop happening. :P
If there were a true vulnerability, there would be far more than the trickle of complaints. Do you have any idea how many hashes have been taken? Do you have any idea how many people use the same password on every site despite better advice?

The number of complaints seems very consistent with poor password and/or computer security.

To get an idea, check this site out - https://haveibeenpwned.com/
It tells me that someone named Nirth had his Email addresses, Passwords, and Usernames stolen from Gawker.

Furthermore, this would not be the first time someone has had his account stolen just to have game codes bought from it with a stolen credit card. You can credit sites like G2A for that...
I've no account at Gawker so it's not me. I just thought it was weird that there are quite a deal of complaints about it but you're probably right. That said, that doesn't mean that GOG doesn't have less-than-average security when it comes to login.

Maybe 2 factor authentication should be opt-out instead of opt-in but that might increase customer service cost unnecessarily. Of course, higher password requirement would be good (20 symbols+, at least a few letters, numbers and special symbols etc.)
Post edited September 06, 2016 by Nirth
Nirth: I've no account at Gawker so it's not me. I just thought it was weird that there are quite a deal of complaints about it but you're probably right. That said, that doesn't mean that GOG doesn't have less-than-average security when it comes to login.

Maybe 2 factor authentication should be opt-out instead of opt-in but that might increase customer service cost unnecessarily. Of course, higher password requirement would be good (20 symbols+, at least a few letters, numbers and special symbols etc.)
GOG can definitely improve security, but given the rate of complaints on GOG vs on Steam I think they're doing OK. They're definitely handling saving CC details smartly - the token they save doesn't have any personal info and only works from GOG, so that's better than a lot of places already.