Thanks for reaching out about this. This situation is currently being investigated.

If you don't check the "save this card for later use", the card info is not saved. We never store card details directly in our database.

Worth noting that an option to check and remove the card number is at the top of your order history.

We never store your card details directly in our database. If a card is saved, a secure, encrypted token is created for future use, therefore there is no need for us to keep the actual card details.

We’ve completed a thorough analysis and we did not identify any security vulnerability on GOG.COM. According to our logs and the investigation, no such situation has ever happened to date, and we can assure you your accounts are safe.
The situation in question is indeed very strange and we’ll contact fronzelneekburm directly to discuss details, and identify the irregularities that occurred on both accounts.
Given this opportunity let us give you an overall reminder/word of precaution - stay safe people! Have 2-step authentication on your GOG accounts, and use official and updated browsers.

Let me jump in quickly with a few words of clarification to Chandra's post, as I think she misspoke a bit. We have identified an irregularity between the two accounts from the first post, but taking into account personal nature of this case we will not be commenting publicly with details. We're in the process of gathering all the data and we will reach out to both parties to investigate further.

On the other hand we haven't identified any security issues in our infrastructure, or any other instances of such issues, so we wanted to let everyone concerned know, that your accounts are safe.