Magnitus: crazy_dave, my worry is not about the security of GOG's website.
My worry is that the security of your authentication on GOG (the ability to prove to GOG that you are the guy who created the account and bought the games) is solely dependent on the security of your authentication on your email account, which for web email providers seems to be non-existent (i.e., if they somehow manage to get the password of your email account, they might as well be you for all intents and purposes).
So, this makes for a pretty weak authentication.
If someone manages to figure out your email password through some hackery, then they can change your email password, then use your email to change your GOG password and they are set.
btw, security of credit card info is a non-issue. You are insured against fraud by your credit card company which is the only reason why you should even consider buying stuff online.
Date of birth seems to be sensitive information, but that is only because some companies are under the impression that this is highly confidential information (meaning when it's your birthday, you should hide it and tell nobody about it).
Email info, telephone number and postal code are annoying mostly because of spam, but unfortunately, GOG does store your email info.
Overall, authentication methods that rely mostly on semi-private information are kinda inadequate and we need to come up with something better.
The person needs your e-mail password, then they also need to hack your GOG password (which would probably just involve them saying they need to resend the password), but more importantly they need a reason to go into your GOG account after getting into your e-mail account. Without CC info, no personal identification, etc ... there is no reason to hack your GOG account if they already have your e-mail account hacked. Because that is what they are after. They don't care about GOG. There is no reason for them to go there because the personal info in your e-mail account is what they are after in the first place.
Putting more personal info on the web makes that account much less secure because then people will hack that site to get at that personal info. Identity theft is still important because while you are insured against credit cards you own, someone can use personal information to get more stuff with which to impersonate you on actually important information - which leads to so much worse things to your finances than simply losing your GOG shelf. And in fact if there is more personal, actually identifying information on GOG, that makes it more likely that they will attack your GOG account from your e-mail account in order to access that information. The more and more important the personal information stored someplace, the more likely it will be attacked to get at that personal information.
If they've hacked your e-mail address, then that is what they were after in the first place, not your GOG shelf, which they could care less about. If they've hacked your e-mail account, that's what they wanted. Again there is no reason to attack your GOG account once they've done that because it contains nothing of value. Putting truly private & identifying personal information in more places on the web makes that information much less secure and should only be used in cases where it is absolutely necessary to do so. Otherwise you are putting yourself at risk for real fraud and identity theft which is much harder to deal with. You are asking to be exposed to a much greater risk in order to mitigate a very small risk.