I don’t mind that they have 2FA features in their app. I mind that using SMS for this has been known to be bad practice for years and they’ve tried to leverage that insecurity to push users to the Steam app. It’s reckless and this current data breach is only possible because of it.