
Precisely. 1Password's browser integration would have noticed a domain mismatch and refused to autofill the password -- but in a panic, Kurt apparently opened 1Password and then copied/pasted the credentials manually.


This is how they got my Steam account credentials, although I realized the stupid shit I did the second I clicked the submit button, and reset my password to 32 random characters using Bitwarden. Me! Someone who is deeply technical AND paranoid.

The key here is the hacker must create the most incisive, scary email that will short circuit your higher brain functions and get you to log in.

I should have realized the fact that Bitwarden did not autofill and taken that as a sign.


Same thing happened to me (not with Steam), but it's also the thought that "this could never happen to me" that leads you to assign an almost zero probability to the problem being a phishing attempt.


> The key here is the hacker must create the most incisive, scary email that will short circuit your higher brain functions and get you to log in.

... and specifically by using the link in the email, yes?


Which is why a properly working password manager is not a strong defense against phishing.


Not a strong defense, but it helps.

But it's also why sites that don't work well with a password manager are actively setting their users up to be phished.

Same with every site that uses sketchy domains, or worse redirects you to xyz.auth0.com to sign in.
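An added illustration, not code from any commenter and not 1Password's or Bitwarden's real implementation, of the origin check that makes a password manager refuse to fill on a mismatched domain, and of why a site that hands login off to xyz.auth0.com defeats that check unless the user explicitly maps the two. The public-suffix table, the hostnames and the `equivalentDomains` mapping are constructed assumptions.

```javascript
// Simplified model of the autofill decision a password manager's browser
// extension makes: the page origin must match the domain saved with the login.

// Toy public-suffix table (assumption; real managers use the full Public Suffix List).
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);

// Registrable domain (eTLD+1): "help.steampowered.com" -> "steampowered.com".
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return labels.slice(i - 1).join(".");
    }
  }
  return labels.join("."); // no known suffix: treat the whole host as the domain
}

// Decide whether a saved login may be offered on the current page.
// `equivalentDomains` models user-maintained exceptions for sites that hand
// login off to another host (the xyz.auth0.com case). Pinning the tenant
// hostname, not all of auth0.com, keeps the exception narrow.
function shouldAutofill(savedUrl, pageUrl, equivalentDomains = []) {
  const saved = new URL(savedUrl);
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return false; // never fill into plain HTTP
  const savedDomain = registrableDomain(saved.hostname);
  const pageDomain = registrableDomain(page.hostname);
  if (savedDomain === pageDomain) return true;
  return equivalentDomains.some(group =>
    (group.includes(savedDomain) || group.includes(saved.hostname)) &&
    (group.includes(pageDomain) || group.includes(page.hostname)));
}

// Constructed sample: a lookalike host (reserved .example TLD) is refused,
// a sibling subdomain of the saved site is accepted.
const SAVED = "https://store.steampowered.com/login";
console.log(shouldAutofill(SAVED, "https://help.steampowered.com/"));   // true
console.log(shouldAutofill(SAVED, "https://steampowered.example/login")); // false
```

A user who copies the password out of the manager by hand, as the thread describes, bypasses this check entirely, which is exactly the gap a phishing email aims for.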


Correct. The moral of the story is that hardware MFA and/or passkeys are a necessity in today's world. An infinitely complex password and 2FA are no match for attacks that leverage human psychology.


It's a strong defense that this guy decided not to use.


User security that doesn’t meet real users where they are is just nerd theatre.


It works for me. I’m unconcerned if it works for anybody else.


It works for lots of people, until it doesn't. You may well fall victim to such a scheme someday.


That’s almost guaranteed now that I made such a confident statement that it works for me.

