Backfired I guess thanks to 2FA:

http://oi68.tinypic.com/2emgcus.jpg

Not sure what he wants.

This seems to be a weekly occurrence now. Most likely caused by delayed implementation of 2FA as compared to steam.

No, it's a weekly occurrence for two reasons:

1. 2FA is implemented and works
2. People reuse passwords.

Yes, I just enabled it. I meant people still not using it, because its a fairly recent addition as compared to steam (which they would otherwise try first because there are more people there).

I still struggle to understand why hackers would even waste time on hacking a GOG account .It's not like the games are so hard to get your hands on*wink wink* :D.They should concentrate on the big guys that put draconian DRM into the games and ignore this site.Guess new low's in the world of hacking have been discovered :).Cheers

Because they are not after games but after keys for reselling.

Oohh yes, i totaly forgot that our keys are open for business if someone drops in :D.We should cover them with a blanket just to be sure ;).

Still nothing for me... Why am I being ignored by the Russian hackers? Still not enough games? I'm trying my best but noooo, nothing seem to be enough for them...

Are they?

Keys which we had purchased but not claimed?

Yea, I don't get it. You're so much closer to them :D

Guess you must have some strong password then! :D

As far as I understand it they use the hacked account to buy gift key with stolen credit cards. Then they sell the them on sites like G2A. They do that, because you can't buy gifts with newly created accounts.

Uh, didn't know that bolded part. Still, is it what actually happens or is that a guess?

I'm thinking it doesn't make much sense. Suppose a hacker does get in someone's account and makes such a purchase. First of all, as soon as GOG receives notice of a hacked account it would be trivial to invalidate all its purchases. Keys go expired in a second. And seeing as its merchandise is all digital there's not even the possibility it'll be "[in transit | already delivered]" and thus out of GOG's reach.

So we have to assume these hackers can only provide short-lived or already expired keys; and not just we but all those stores must assume it as well. Why would they buy them in that case? If they're being fooled that will only happen once, and if they're knowingly selling dirty keys they might as well not buy anything and just generate a code that resembles a GOG key themselves.

Maybe you know something that wasn't clear to me, or maybe those sellers are both dirty and stupid. Does anybody have more info in this matter?

From GOG's FAQ:
"There are some restrictions for purchasing gifts on new accounts, depending on the payment method used. For credit/debit and PayPal purchases, you need to have at least $10 (or its equivalent in your selected currency) worth of purchases made at least 3 months ago. Alternative payment methods, such as paysafecard, are not affected by these restrictions."

Resellers like G2A don't care where the keys come from. They don't buy them from seller, but are a market place instead. You can directly sell your keys there and they only get a certain percentage of the money for providing the platform.

And most people whose credit card data is stolen don't recognize it right away. The criminals normally have some weeks before the keys get invalidated. It's more than enough time to sell them and get away with the money. When a reseller gets reports about fraud and bans the account, they simply create a new one and continue the same way.

That's definitely different from when I created my account. I obviously did not notice when they introduced this (very justifiable) rule. Thanks.

I see... It works because the way G2A operates is different from what I was thinking of.

Well yes, but surely a GOG user wouldn't take that long to notice a break-in. Even if the thief doesn't change the account's email and password they still would notice due to purchase receipt emails from GOG.

Edit: clarification.