On closer inspection, it's not quite clear. They changed the gift interface last time I checked. It would appear that only two games were gifted. I'm also concerned that unless the perpetrator logs out on his/her end the perp will still have access to this account.
Grargar: Hmmm... the plot thickens.
gunsynd: Very strange, I come here and nowhere else. I start up Wise Care 365 and there are
always privacy risks that need to be deleted. Coincidence?
Only happened in the last three weeks.
These tools count cookies and other traces as privacy risks. You can normally just access all cookies.
Grargar: Oh boy... this is getting more and more worrying.
HypersomniacLive: Question is - are they getting emails+passwords off of GOG and trying them on other sites or vice versa?
Not from GOG; the website (forum) and Galaxy client encrypt all data using TLS 1.2.
Grargar: Hmmm... the plot thickens.
timppu: The obvious answer would be that the people with hijacked accounts used the same email and password on some other service, whose username/password lists were breached. Didn't someone mention using the same password for e.g. Wartune, and that its accounts were hacked?

So it may well be it is merely coincidence that these hacked accounts happened after Galaxy launch. Maybe due to TW3 launch GOG.com simply got so many new users (or old users which were inactive before) with widely used passwords, and also more attention from hackers trying to use the same email/password.

If two-step authentication comes, I hope it will be optional (enabled by default is fine by me, as long as I can disable it), OR limited only to cases where someone tries to e.g. change the password and/or email. Otherwise I will have to re-enter the verification code probably every time if I visit GOG.com with a web browser, as I've configured Firefox to delete cookies and other temporary data on exit.

Then again, if the reason for changing your email is because your old email has become non-functional for some reason, how can you change the email address to a working one then? The verification code would be sent to the non-working email, right?
Right. This makes more sense.
Grargar: Oh boy... this is getting more and more worrying.
DyNaer: I'm wondering if GOG is affected by this -> https://weakdh.org/ (it's way above my knowledge)

Even the latest release of Firefox 38.0.5 (stable) is vulnerable; on the other hand, IE11 (with the latest update) isn't...
Nope https://www.ssllabs.com/ssltest/analyze.html?d=gog.com&latest
Post edited June 07, 2015 by DanielRuf
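timppu's post quoted above asks for two-step verification that only kicks in for sensitive actions such as changing the e-mail address or password, so that a browser which drops cookies on exit is not prompted on every visit. As an added illustration (not code from this thread, from GOG, or from Galaxy), the Python sketch below implements that step-up policy with an RFC 6238 TOTP code: ordinary actions pass on the session alone, sensitive actions require a code unless one was verified recently. The action names, the 300-second freshness window and the one-step clock-drift allowance are assumptions; the secret is the RFC 6238 test key.

```python
import hmac
import hashlib
import struct

# Assumed policy: only actions that change how the account is recovered
# or accessed require the second factor; browsing and downloads do not.
SENSITIVE_ACTIONS = {"change_email", "change_password"}
STEP_UP_FRESHNESS = 300   # seconds a verified second factor stays valid (assumed)
TIME_STEP = 30            # RFC 6238 default step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = TIME_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current code or one step either side (clock drift), compared in constant time."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, now + drift * TIME_STEP), code):
            return True
    return False


class Session:
    """Minimal session state: when the second factor was last verified, if ever."""
    def __init__(self):
        self.step_up_at = None


def authorize(session: Session, action: str, now: int,
              secret: bytes = None, code: str = None) -> bool:
    """Return True if the action may proceed.

    Non-sensitive actions are allowed on the session alone. Sensitive actions
    need a second factor verified within STEP_UP_FRESHNESS seconds, or a valid
    code supplied now (which refreshes the step-up timestamp).
    """
    if action not in SENSITIVE_ACTIONS:
        return True
    if session.step_up_at is not None and now - session.step_up_at < STEP_UP_FRESHNESS:
        return True
    if secret is not None and code is not None and verify_totp(secret, code, now):
        session.step_up_at = now
        return True
    return False


if __name__ == "__main__":
    # RFC 6238 test secret (constructed input for the demo, not a real key)
    key = b"12345678901234567890"
    s = Session()
    print("browse:", authorize(s, "browse", 59))                        # True
    print("change_email, no code:", authorize(s, "change_email", 59))   # False
    print("change_email, code:", authorize(s, "change_email", 59, key, totp(key, 59)))  # True
```

Note that this does not solve the recovery problem timppu raises: if the only registered second channel is an e-mail address that no longer works, the policy above cannot verify the change, and the account has to go through a manual support path such as the one GOG describes later in this thread.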
jpilot: Sorry, I didn't want anyone to panic. :(
You could go to your account settings page and verify that your email address is still yours. If it is and you don't visit that wishlist again, you should probably be okay.
j0ekerr: I was being sarcastic, I doubt a script that shows a javascript alert with just a 1 is capable of much mischief. And if there were any further javascript code, I don't think it'd be at that one page.

That said, I think it's highly improbable that an attack might come from there, but it is a possibility. A remote one, yes, but a chance still exists. So it most certainly should be fixed soon.
Right. And I think Chrome and others would block it.
gunsynd: Very strange, I come here and nowhere else. I start up Wise Care 365 and there are
always privacy risks that need to be deleted. Coincidence?
Only happened in the last three weeks.
DanielRuf: These tools count cookies and other traces as privacy risks. You can normally just access all cookies.
HypersomniacLive: Question is - are they getting emails+passwords off of GOG and trying them on other sites or vice versa?
DanielRuf: Not from GOG; the website (forum) and Galaxy client encrypt all data using TLS 1.2.
timppu: The obvious answer would be that the people with hijacked accounts used the same email and password on some other service, whose username/password lists were breached. Didn't someone mention using the same password for e.g. Wartune, and that its accounts were hacked?

So it may well be it is merely coincidence that these hacked accounts happened after Galaxy launch. Maybe due to TW3 launch GOG.com simply got so many new users (or old users which were inactive before) with widely used passwords, and also more attention from hackers trying to use the same email/password.

If two-step authentication comes, I hope it will be optional (enabled by default is fine by me, as long as I can disable it), OR limited only to cases where someone tries to e.g. change the password and/or email. Otherwise I will have to re-enter the verification code probably every time if I visit GOG.com with a web browser, as I've configured Firefox to delete cookies and other temporary data on exit.

Then again, if the reason for changing your email is because your old email has become non-functional for some reason, how can you change the email address to a working one then? The verification code would be sent to the non-working email, right?
DanielRuf: Right. This makes more sense.
DyNaer: I'm wondering if GOG is affected by this -> https://weakdh.org/ (it's way above my knowledge)

Even the latest release of Firefox 38.0.5 (stable) is vulnerable; on the other hand, IE11 (with the latest update) isn't...
DanielRuf: Nope https://www.ssllabs.com/ssltest/analyze.html?d=gog.com&latest
Oh, just cookies, thanks for that clarification. I can take the frown off my face :-)
DanielRuf: These tools count cookies and other traces as privacy risks. You can normally just access all cookies.

Not from GOG; the website (forum) and Galaxy client encrypt all data using TLS 1.2.

Right. This makes more sense.

Nope https://www.ssllabs.com/ssltest/analyze.html?d=gog.com&latest
gunsynd: Oh, just cookies, thanks for that clarification. I can take the frown off my face :-)
Also, I've never heard of these tools, but they seem to be something like CCleaner and other alternatives like BleachBit.

Real privacy risks can only be detected by solutions with DLP (Data Loss / Leakage Prevention) integrated.
gunsynd: Oh, just cookies, thanks for that clarification. I can take the frown off my face :-)
DanielRuf: Also, I've never heard of these tools, but they seem to be something like CCleaner and other alternatives like BleachBit.

Real privacy risks can only be detected by solutions with DLP (Data Loss / Leakage Prevention) integrated.
Yes, I use it with CC and they work together well. There is a free version also.
We should try and get some sort of two-step verification added. I've done a quick search of the features wishlist, and here are some ongoing campaigns we could support (newest one is mine):


https://www.gog.com/wishlist/site#search=verific
arturotuono: We should try and get some sort of two-step verification added. I've done a quick search of the features wishlist, and here are some ongoing campaigns we could support (newest one is mine):

https://www.gog.com/wishlist/site#search=verific
After seeing the Javascript bug, I'm hesitant to go near wishlists or Galaxy.
arturotuono: We should try and get some sort of two-step verification added. I've done a quick search of the features wishlist, and here are some ongoing campaigns we could support (newest one is mine):

https://www.gog.com/wishlist/site#search=verific
DkryptX: After seeing the Javascript bug, I'm hesitant to go near wishlists or Galaxy.
Right click, open in incognito tab / safe browsing / private mode ;-)
Post edited June 07, 2015 by DanielRuf
Hi!

First off, I'd like to apologise to all who have experienced account hacking on our site over the past couple of days. We're hard at work to make this less of an issue and less likely to happen - but I understand how frustrating it must be to lose access to your games.

Having said that, there's a new measure that will help us pick up on hacked accounts more easily.

If your account e-mail changes, you will get an automated message.

It looks like this and has the new e-mail address, the old one, the IP currently in use (together with estimated location), and the OS and browser of the current user.

If you get such a message and it wasn't you who changed the email address, contact us.

Use the link at the end of the message ("contact our support team") to let us know it happened. You'll be redirected to our contact form - here's an example of how to fill that in.

We do our best to get back to hacked account emails as soon as possible, and to change the e-mail addresses as quickly as we can and restore the fully functional accounts to their rightful users.

IMPORTANT:

1) When contacting us regarding a hacked account, you must replace the e-mail address with one you have access to - otherwise, our reply will end up at the hacker's e-mail address, which you have no control over or access to.

2) Please do not send multiple requests to support - if you do, your request is pushed to the back of the queue again. If you feel the need to add more details to your support request without getting bumped back, you can do so by replying to the automated support reply you will get with your Ticket ID.

3) As soon as you get access to your account back, please change your password. It may be a simple thing, but please don't forget. It will mean the hacker once more lost access to your account for sure.