Steam Password Change Day
Steam Guard notification of a login attempt from a French IP. That password was 9 days old, 30 random, reasonably high entropy characters long.
Valve seriously needs to fix their InfoSec stance. Brute force attacks should not be this easy, nor should they leak so much information about how successful they are and/or associated email addresses and 2FA info.
It's 2018, how can you trust a digital store that doesn't rate limit login attempts and leaks like a sieve?
Steam Password Change Day
Three nearly simultaneous Steam Guard notifications of login attempts from Russia, Mozambique, and the Canton of Geneva. That password was less than 24 hours old, 42 characters, high entropy.
In what fucking real world scenario would a person be trying to login to the same account from IP Addresses in Russia, Mozambique, and the Canton of Geneva at the same time? It might be an interesting spy drama to read, I guess?
Weirder than Usual Steam Password Change Day
This morning got an email from Steam "Account change successful" saying my email address changed on my account. Missing initiated by IP address/country code fields (just said "ipaddress" and "countryname" instead). I suspected a phish, but if so a damn good one, including passes according to my email provider for SPF/DKIM/et al for the normal noreply@steampowered.com email address such transactional emails come from. Has left me very spooked.
Weirder than Usual Steam Password Change Day
Email address associated with account seems to still be correct, and inventory seems untouched.
That previous password was 64 characters and lasted not even a week.