Context (Can Be Skipped)
A day ago, I unknowingly installed malware that I assume has provided cookies belonging to multiple sites that I actively use to the software publisher. I’m not sure of what exactly the malware ran (what they did / what happened) though.
Today I had a heart attack (sarcasm) as I noticed the bad actor gained access to my Steam account and Roblox account and attempted but failed to log on to my LinkedIn account, probably to troll and defame me.
LinkedIn detected the suspicious activity and prohibited the attacker from accessing my LinkedIn account but somehow, the attacker logged on to my Steam account and Roblox account. But there is something awfully weird about this, which is that they bypassed 2FA - I have auth-app based 2FA enabled on both accounts. I’m not familiar with computers, software and cybersecurity but, when you have cookies (assuming that’s what the bad actor acquired from me), are you able to bypass these checks like this? I cannot think of how they accomplished what they have as a person lacking knowledge in this field. I even have account session protection enabled but that seemed to have failed to protect me.
They were unable to steal - as in fully take over - my Steam and Roblox accounts; however, they did log on to them. The only damage they did was purchase something on Steam using Steam Points. This could have gone worse. I’m pretty lucky in this regard. I mean, just imagine, they could have caused my Roblox account to be terminated, they could have deleted my Steam games, they could have traded my Steam possessions to themself etc. I survived what could have been a nightmare for me.
I was notified about these sessions through emails and afterwards immediately cleared my browser cache, uninstalled the malware, and reset passwords. If I am notified of further activity coming from the bad actor, I think I’ll even factory reset my computer, if I have to, which is the device I installed the malware on.
My Question
However, I made a huge discovery. The bad actor who gained unauthorized access to my accounts appears to be from Russia, according to a logged Roblox session, and I have their Steam username as well. Getting back to topic: I am not from Russia, so is there a Roblox feature that can limit sessions to specific countries? If not, I believe it would be in my best interest to request this sort of feature, so I would write up a feature request if this feature does not exist.
It would really be useful and improve my UX, because just a week ago I was notified that somebody from the U.S. logged onto an account of mine that was terminated (dumb bad actor, what was the point of that) and that was just annoying to be notified of as it wasn’t a source of concern for me. A country-based session limit would really be a great new layer of security if it doesn’t already exist.