Steam Password Change Day
Steam Guard notification of a login attempt from a French IP. That password was 9 days old and 30 random, reasonably high-entropy characters long.
Valve seriously needs to fix their InfoSec stance. Brute force attacks should not be this easy, nor should they leak so much information about how successful they are and/or associated email addresses and 2FA info.
It's 2018, how can you trust a digital store that doesn't rate limit login attempts and leaks like a sieve?
Steam Password Change Day
Three nearly simultaneous Steam Guard notifications of login attempts from Russia, Mozambique, and the Canton of Geneva. That password was less than 24 hours old, 42 characters, high entropy.
In what fucking real-world scenario would a person be trying to log in to the same account from IP addresses in Russia, Mozambique, and the Canton of Geneva at the same time? It might be an interesting spy drama to read, I guess?
Steam Password Change Day
Steam Guard notification this evening of a login attempt from an unfamiliar Russian IP. That password was 56 characters and lasted about 11 days.
Weirder than Usual Steam Password Change Day
This morning I got an email from Steam, "Account change successful", saying my email address changed on my account. It was missing the "initiated by" IP address/country code fields (it just said "ipaddress" and "countryname" instead). I suspected a phish, but if so, a damn good one, including passes according to my email provider for SPF/DKIM/et al. for the normal noreply@steampowered.com email address such transactional emails come from. It has left me very spooked.