I am having the same issue, and it is worrisome for a different reason: It represents a vulnerability in the Unreal Engine itself.
I have seen similar posts in other forums (which I am not allowed to respond to, because I am a developer and I don’t game on this account) and the general pattern seems to be that bots are cycling through accounts trying passwords at random hoping they will get in. There are multiple ways to enter passwords, so they probably are not even trying to use two-factor to log in (because of course they would not be able to guess that), hence why you wouldn’t get a notification. In short, the account is secure. There’s no way someone could break into your account that way.
The real problem is that it technically means that anyone can shut down any account they like as often as they like simply by knowing the email address associated with the account. One could very easily, for example, program a bot to shut down an entire company that uses the Unreal Engine simply by knowing the email addresses that the company uses in association with the Unreal Engine. The bot would just need to make X failed attempts every 2 hours forever and they would no longer be able to proceed with any work. That’s a very VERY serious vulnerability with many possible solutions. I have seen bots do that with older systems and they really don’t want to be subject to that attack.
In order to resolve this issue they should first ensure that if someone has two-step authentication enabled, it doesn’t count a login attempt as an actual attempt if they are not trying to log in that way. There is absolutely no reason to lock an account in this circumstance because even if they brute force you and eventually get it right it still would not actually let them into your account.
From there they need to fix the way the accounts are locked. My preferred approach is to use a combination of two approaches: In the first, the account is only locked within a geographic range. If, for example, someone half a world away tried to break into your account or - worse - tried to set a bot to perma ban you - it wouldn’t affect you. By itself that approach isn’t perfect though because a proxy or VPN could circumvent such protections and it wouldn’t otherwise protect you from an attacker in the same region. Still, it’s a useful layer of protection. The second approach is to keep a log of the last X IP addresses that were successfully used to log in. In this case, if you successfully logged in at your home and office IP address and your account is locked it will remain unlocked for access attempts from those IP addresses. For an office with a static IP this would by itself be sufficient, but since most people get a new IP address every few days, and most people I know like to work from home, it means that if this approach is used by itself they could still get locked out when their IP address changes. Through a combination of the previous two approaches the system could at least minimize the risks.
Finally, I would change the email they send people that get locked out. The email says: "Feel free to contact us (firstname.lastname@example.org) if you need help.", but if you write an email to that address you get an auto response that says: “Thank you for your email. This email address is not monitored. For support, please visit http://help.epicgames.com.”, but if you go there you will find that there is really no category whatsoever to assist with an account under attack. At most you can fill out a bug report form. Of course, you can’t even do that without being logged in. Since this technically affects my ability to access the marketplace I chose to use that email to contact them again, but overall the way they respond to these attacks is very unprofessional.
There are actually quite a few other protective measures they could take, but they at least did one thing right: They don’t reset the password. Another level of this type of attack is to force users to change their passwords repeatedly because on average a user will eventually use a password used elsewhere, and the attackers usually get your email from other compromised websites which means they usually have variations of the passwords you use to begin with. Of course, two-step verification does away with that concern, but who wants to be stuck changing their password every two hours indefinitely?
Another positive is that while they won’t let you create a new project while you are locked out, you can open existing projects as discussed here: https://answers.unrealengine.com/questions/658636/how-to-use-unreal-engine-4-offline.html , but that will only get you so far (which is another issue entirely), and this of course doesn’t help affected gamers.
I’d really like it if someone in an official capacity could enlighten us as to how they plan to deal with this growing problem, or if they are just going to wait until higher profile developers are permanently locked out of their accounts to do something.