Steam Password Change Day 

Steam Guard notification of a login attempt from a French IP. That password was 9 days old, 30 random, reasonably high entropy characters long.

Valve seriously needs to fix their InfoSec stance. Brute force attacks should not be this easy, nor should they leak so much information about how successful they are and/or associated email addresses and 2FA info.

It's 2018, how can you trust a digital store that doesn't rate limit login attempts and leaks like a sieve?

Steam Password Change Day 

Steam Guard notification of a login attempt from a Colombian IP. That password was 8 days old, 40 characters, high entropy.

Do you trust password security in 2019?

Steam Password Change Day 

Steam Guard notifications of login attempts from a Brazilian IP and an Albanian IP. That password was 12 hours old, 40 characters, high entropy.

What the actual fuck is going on? This is ludicrous.

Steam Password Change Day 

Three nearly simultaneous Steam Guard notifications of login attempts from Russia, Mozambique, and the Canton of Geneva. That password was less than 24 hours old, 42 characters, high entropy.

In what fucking real world scenario would a person be trying to log in to the same account from IP addresses in Russia, Mozambique, and the Canton of Geneva at the same time? It might be an interesting spy drama to read, I guess?

Steam Password Change Day 

Steam Guard notification of a login attempt from a Russian IP. That password was about two months old, 47 characters, high entropy.

Steam Password Change Day 

Steam Guard notification of a login attempt from a Brazilian IP. That password at the time of breach was not even an hour and a half old! 49 characters.

Steam Password Change Day 

Steam Guard notification of a login attempt from an Indian IP. That password was 46 characters and lasted apparently almost 5 months.

Steam Password Change Day 

Steam Guard notification of a login attempt from a Chinese IP. That password was 59 characters and lasted apparently almost 10 months.

Steam Password Change Day 

Steam Guard notification of a login attempt from an unfamiliar US IP (a first time I’ve seen a US IP, wow). That password was 57 characters and lasted only a few hours. 😱

Steam Password Change Day 

Steam Guard notification last night while I was asleep of an attempt from an unfamiliar Thailand IP. That password was 61 characters and lasted almost 10 days.

Steam Password Change Day 

Steam Guard notification early this morning of an attempt from an unfamiliar South African IP. That password was 55 characters and lasted about five months.

Steam Password Change Day 

Steam Guard notification this evening of a login attempt from an unfamiliar Russian IP. That password was 56 characters and lasted about 11 days.

Weirder than Usual Steam Password Change Day 

This morning got an email from Steam "Account change successful" saying my email address changed on my account. Missing initiated by IP address/country code fields (just said "ipaddress" and "countryname" instead). I suspected a phish, but if so a damn good one, including passes according to my email provider for SPF/DKIM/et al for the normal noreply@steampowered.com email address such transactional emails come from. Has left me very spooked.

Weirder than Usual Steam Password Change Day 

Email address associated with account seems to still be correct, and inventory seems untouched.

That previous password was 64 characters and lasted not even a week.
