Randalator: That doesn't invalidate my argument. If it's a general vulnerability in Galaxy we would have seen someone with 1.000+ rep getting their account stolen. Or a blue. We'd also have seen a hell of a lot more people getting their account stolen.
But we haven't. The total numbers and the zero rep trend point to a cause outside GOG/Galaxy.
Yep. The most probable explanation, at least for most hacked GOG accounts, is that said persons have used the same email address and password on other services or sites/forums, whose user details have been hacked. So it is not Galaxy nor GOG nor Witcher 3 which has been hacked; it has been some other, e.g. hobbyist sites or whatever, whose user details have leaked to the public. Probably not from just one place, but several hacked sites over a longer period of time.
The internet is full of hobbyist forums and whatever that don't necessarily maintain their site much at all, and wouldn't necessarily even notice if the whole site was hacked and taken over. For instance, right now there was news that some "islamistic hackers" have taken over lots of such hobbyist sites, also in Finland, and written some pro-ISIS propaganda there or something. They look for passive sites that haven't cared enough to apply e.g. security fixes for their forum software.
This would also explain why the so-called GOG regulars seem to have been safe from hacking: we apparently tend to use more secure and unique passwords on GOG, something that we don't use on dozens of other sites or forums where we created a throwaway account at some point in our lives. Hence, even if e.g. my login details were leaked from some pr0n site I visited 10 years ago, they wouldn't work on GOG.com because they are different. Hence, I am safe.
As for why we have seen so many reports right now when The Witcher 3 and Galaxy Beta were released: the obvious answer would be that masses of those who haven't been actively using their GOG account but considered it a throwaway account with a poor and overused password have recently come back. The people who possibly haven't cared enough to have a unique and safe password for GOG.com, as they didn't necessarily e.g. have many games here before.
So as I keep saying: if you want to be safe, use a password on your GOG account that you don't use anywhere else, or only on some site whose security you really believe in. You wouldn't use your Gmail, Facebook or Outlook password on a pr0n site, would you? No, you want to keep those primary services safe, hence you use a unique password with them.
Consider GOG as a similar "primary service", and you are fine.
Having said that, yes GOG should implement a two-step verification at least for email and password changes, just so that those with shitty overused GOG passwords would be safer too. Unless, of course, they used that same password also on their email account, in which case the hacker can bypass the two-step verification as well (and hijack the email account as well, while they are at it). :)
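The pattern the post describes (a long-dormant account logging back in and then promptly changing its email or password) is something a service can look for on its own side. The following is an added detection example, not code from the thread or from GOG; the event log format, the event names and the account data are all constructed for illustration, and the dormancy and follow-up windows are assumed thresholds.

```python
from datetime import datetime, timedelta

# Constructed sample event log (not real GOG data): "ISO-timestamp account event"
SAMPLE_EVENTS = """\
2015-05-18T10:00:00 alice login
2015-05-18T10:01:00 alice game_launch
2013-02-01T09:00:00 bob login
2015-05-19T03:12:00 bob login
2015-05-19T03:14:30 bob email_change
2015-05-19T03:15:10 bob password_change
2012-11-11T11:00:00 carol login
2015-05-20T20:00:00 carol login
2015-05-20T20:40:00 carol game_launch
"""

DORMANCY = timedelta(days=365)      # assumed: no activity for a year = dormant
WINDOW = timedelta(minutes=15)      # assumed: sensitive change this soon after return is suspicious
SENSITIVE = {"email_change", "password_change"}  # hypothetical event names


def parse_events(text):
    """Parse 'timestamp account event' lines into a time-sorted list of tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, event = line.split()
        events.append((datetime.fromisoformat(ts), account, event))
    events.sort()
    return events


def flag_dormant_takeovers(events, dormancy=DORMANCY, window=WINDOW):
    """Return {account: [(return_login_ts, change_ts, event), ...]} for accounts that
    log in after a dormancy gap and change email/password within the window."""
    per_account = {}
    for ts, acct, ev in events:
        per_account.setdefault(acct, []).append((ts, ev))
    flagged = {}
    for acct, evs in per_account.items():
        last_seen = None
        for i, (ts, ev) in enumerate(evs):
            if ev == "login" and last_seen is not None and ts - last_seen >= dormancy:
                # Dormant account came back: scan the events that follow this login
                for ts2, ev2 in evs[i + 1:]:
                    if ts2 - ts > window:
                        break
                    if ev2 in SENSITIVE:
                        flagged.setdefault(acct, []).append((ts, ts2, ev2))
            last_seen = ts
    return flagged
```

In the sample, only bob is flagged: he returns after two years and changes email and password within minutes, while carol returns after a gap but only launches a game.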