About account safety

[YoriMori]

I have a question about 2fa and Account safety in general.
In a perfect scenario, you have a username and password that only you know and a mail/account/phone only you can reach for the purposes.

In a scenario where someone finds out your password, tries to access your account from another IP adress or machine, is 2fa code required for them to?
Is it site exclusive, or in-game exclusive or does it include both?

I had an IP from Brazil yesterday trying to breach and a few friends had it happen too, despite the password changes and double checks, it feels weird to see.

Of course I changed my password and checked everything, but the thought persists.

[Nobuemon]

2fa is required when you log into the game, however the request is sent before the password is checked. This does not mean someone knows your password, it is just an oversight when the client was designed.

TLDR Recieving a 2fa request from the ingame check does not mean your password has been compromised

[YoriMori]

That's good, what if they know but are on a different machine/IP than you, does it protect you aswell, in case only you have access to the 2fa code?

[Skuddy]

someone would need to know your account name, password and get the 2fa code to log into your account successfully from a random ip. that's the entire point of 2fa.

[YoriMori]

Good, I thought so but was not entirely sure how it functioned.
Thank You both so much!