Randalator: Okay, now I am seriously confused. Where did I attack you? There is not a single word directed at you as a person and not even a mean word aimed at your theory.
JDelekto: It was those one million plus poisoned barbs that popped out of your full body suit
But I'm not wearing any clothes...
JDelekto: It was those one million plus poisoned barbs that popped out of your full body suit
Randalator: But I'm not wearing any clothes...
So you're the new emperor? :)
micktiegs_8: My gosh, Randalator I'm just throwing out a theory. No need to jump down my throat and attack me, someone who decides to say something on the matter. While you're at it, attack every other fucking person who adds to this discussion.
Randalator: Okay, now I am seriously confused. Where did I attack you? There is not a single word directed at you as a person and not even a mean word aimed at your theory.
Fucked if I know... I was a bit drunk yesterday! So much so, that I was feeling a hangover before I even went to sleep.
micktiegs_8: It has to be something to do with Galaxy usage.
There must be a vulnerability in Galaxy that is easily exploited, and when someone logs in their info is stolen.
At least one person who had his account stolen already confirmed he had not used Galaxy, so no.

micktiegs_8: My friend has Witcher 3 but he hasn't used Galaxy at all, only the GOG downloader. No problems yet.
I have Witcher 3, and I've used Galaxy. So have thousands upon thousands of other users. Why aren't our accounts hacked? (I know the probable reason which I've mentioned countless times before, and will mention again in the next reply).
Randalator: That doesn't invalidate my argument. If it's a general vulnerability in Galaxy we would have seen someone with 1.000+ rep getting their account stolen. Or a blue. We'd also have seen a hell of a lot more people getting their account stolen.

But we haven't. The total numbers and the zero rep trend point to a cause outside GOG/Galaxy.
Yep. The most probable explanation for at least most hacked GOG accounts is that said persons have used the same email address and password on other services or sites/forums, whose user details have been hacked. So it is not Galaxy nor GOG nor Witcher 3 which has been hacked; it has been some other, e.g. hobbyist sites or whatever, whose user details have leaked to the public. Probably not from just one place, but several hacked sites over a longer period of time.

The internet is full of hobbyist forums and whatever who don't necessarily maintain their site much at all, and wouldn't necessarily even notice if the whole site was hacked and taken over. For instance, right now it was in the news that some "islamistic hackers" have taken over lots of such hobbyist sites, also in Finland, and written some pro-ISIS propaganda there or something. They look for passive sites who haven't cared enough to apply e.g. security fixes for their forum software.

This would also explain why the so-called GOG regulars seem to have been safe from hacking: we apparently tend to use more secure and unique passwords on GOG, something that we don't use on dozens of other sites or forums where we created a throwaway account at some point in our lives. Hence, even if e.g. my login details were leaked from some pr0n site I visited 10 years ago, they wouldn't work on GOG.com because they are different. Hence, I am safe.

As for why we have seen so many reports right now when The Witcher 3 and Galaxy Beta were released: the obvious answer would be that masses of those who haven't been actively using their GOG account but considered it a throwaway account with a poor and overused password have recently come back. The people who possibly haven't cared enough to have a unique and safe password for GOG.com, as they didn't necessarily e.g. have many games here before.

So as I keep saying: if you want to be safe, use a password for your GOG account that you don't use anywhere else, or only on some site whose security you really believe in. You wouldn't use your Gmail, Facebook or Outlook password on a pr0n site, would you? No, you want to keep those primary services safe, hence you use a unique password with them.

Consider GOG as a similar "primary service", and you are fine.

Having said that, yes, GOG should implement two-step verification at least for email and password changes, just so that those with shitty overused GOG passwords would be safer too. Unless, of course, they used that same password also on their email account, in which case the hacker can bypass the two-step verification as well (and hijack the email account too, while they are at it). :)
Post edited June 29, 2015 by timppu
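The scenario timppu describes above is credential stuffing: replaying (email, password) pairs leaked from an unrelated site against GOG's login and keeping whatever works. The following is an added example (not code from the thread, GOG, or any poster) that simulates it end to end on constructed data: a fake "hobbyist forum" dump, a GOG-like account store that hashes passwords with salted PBKDF2, two users who reused their forum password and two who did not, plus the two site-side checks a defender would run afterwards: which source IPs are trying many distinct accounts, and what the "rep" of the taken-over accounts looks like. All emails, passwords, IPs and the `rep` field are made up; the hash parameters and the `min_accounts` threshold are assumptions, not GOG's.

```python
import hashlib
import os
import secrets
from collections import defaultdict

# Constructed sample data: a (email, plaintext password) dump leaked from
# some unrelated, badly maintained hobbyist forum, as in the post's scenario.
LEAKED_FORUM_DUMP = [
    ("alice@example.net", "hunter2"),
    ("bob@example.net", "Summer2014!"),
    ("carol@example.net", "qwerty123"),
    ("dave@example.net", "letmein"),
]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 (iteration count is an assumption, not GOG's)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_account(password: str, rep: int) -> dict:
    """Site-side record: random salt + hash, plus a constructed forum 'rep' field."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "rep": rep}


# Constructed GOG-like account store. Alice and Carol reused their forum
# password on a dormant, zero-rep account; Bob and Dave chose unique ones.
ACCOUNTS = {
    "alice@example.net": make_account("hunter2", rep=0),                        # reused
    "bob@example.net": make_account("correct horse battery staple", rep=1200),  # unique
    "carol@example.net": make_account("qwerty123", rep=0),                      # reused
    "dave@example.net": make_account("8cX!pQ2v#Lm9rT", rep=350),                # unique
}


def verify_login(store: dict, email: str, password: str) -> bool:
    """Constant-time comparison of the candidate hash against the stored one."""
    acct = store.get(email)
    if acct is None:
        return False
    return secrets.compare_digest(hash_password(password, acct["salt"]), acct["hash"])


def credential_stuffing(dump, store, attacker_ip, log):
    """Attacker side: replay every leaked pair once. Each attempt is appended to
    `log` as the site would record it; returns the emails that were taken over."""
    compromised = []
    for email, password in dump:
        ok = verify_login(store, email, password)
        log.append({"ip": attacker_ip, "email": email, "success": ok})
        if ok:
            compromised.append(email)
    return compromised


def stuffing_indicators(log, min_accounts=3):
    """Defender side: one source IP walking through many *distinct* accounts is
    the stuffing signature; a breach of the site itself would not look like this."""
    per_ip = defaultdict(set)
    for ev in log:
        per_ip[ev["ip"]].add(ev["email"])
    return {ip for ip, emails in per_ip.items() if len(emails) >= min_accounts}


def rep_of(store, emails):
    """Rep values of the given accounts, to check the 'zero rep trend' argument."""
    return sorted(store[e]["rep"] for e in emails)


def run_scenario():
    log = [{"ip": "198.51.100.7", "email": "bob@example.net", "success": True}]  # legit login
    taken = credential_stuffing(LEAKED_FORUM_DUMP, ACCOUNTS, "203.0.113.9", log)
    return taken, stuffing_indicators(log), rep_of(ACCOUNTS, taken)


if __name__ == "__main__":
    taken, suspicious_ips, reps = run_scenario()
    print("taken over:", taken)
    print("IPs attempting many accounts:", suspicious_ips)
    print("rep of taken-over accounts:", reps)
```

Only the two accounts whose owners reused the forum password fall, and both are the zero-rep, dormant ones; the unique-password accounts survive even though their emails are in the same dump, and the login log shows a single IP trying every account rather than anything wrong on the site side, which is exactly the pattern the thread argues for.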
micktiegs_8: It has to be something to do with Galaxy usage.
There must be a vulnerability in Galaxy that is easily exploited, and when someone logs in their info is stolen.
timppu: At least one person who had his account stolen already confirmed he had not used Galaxy, so no.

micktiegs_8: My friend has Witcher 3 but he hasn't used Galaxy at all, only the GOG downloader. No problems yet.
timppu: I have Witcher 3, and I've used Galaxy. So have thousands upon thousands of other users. Why aren't our accounts hacked? (I know the probable reason which I've mentioned countless times before, and will mention again in the next reply).
Sorry, I don't get to read every thread that pops up on GOG let alone this matter. Thanks for the clarification, though.
In addition to timppu's post, be wary of phishing-type scams (inputting account details into 3rd party or faked sites, giveaway sites asking for login credentials, 3rd party downloads of 'Galaxy'), run decent and up-to-date antivirus, and take extra care if visiting dodgy sites; use preventative measures like NoScript and a firewall to minimise the risk of keyloggers or forced downloads. If your email is compromised you're also in big trouble, as they can reset passwords and may be able to get login credentials from any old emails you have sitting in your inbox. Kind of obvious, but don't write passwords down or store them in an obvious manner either. Don't open unknown attachments, don't fall for 'free stuff' download links on unknown sites, keep your OS updated, turn on file extensions in Windows so you can spot virus.exe.jpg files... you could go on forever about the prevention methods, unfortunately.

By and large, hackers of this type are looking for easy targets that they can target in bulk; they don't want to spend days breaking into an individual account which might contain nothing of value, they want to break into a few per day, minimum, and for them to be worthwhile. You can still be unlucky, but you can also do a lot to minimise the chance of that bad luck with common sense and by doing things like using a unique, strong password. Many of the bulk target methods go for the common passwords (e.g. 'password', go figure); especially when the target site is security-naive, such things can be easily identified by very simple cryptanalysis and statistics.

One thing is pretty much entirely certain, there is no GOG side breach. Much like the persistent rumours about Origin there simply are not enough incidents for it to be their fault.

It also has to be said, much of the time when people claim they use unique passwords for each site they are actually lying, or perhaps more fairly are incorrect, and have used the password before. In many ways that's only natural; remembering potentially a dozen or so strong passwords is difficult, and mnemonics and the like can only go so far in helping memory. Plus, passwords by their nature are rather limited in usefulness: easy to remember almost always means easier to crack because you're inevitably remembering a pattern; hard to remember and you have to reset them constantly or use LastPass or similar, which got hacked itself recently...

(To be honest I don't really see why anyone would bother much with hacking GOG accounts, if you want drm free games you can just pirate them without going to the bother of hacking or buying an account.)