... instead of locking out the player for an undisclosed amount of time. It is a common security practice and leads to a lot of happy customers. Plus, locking them out of the game doesn't help if a malicious user has already entered the game. You would have instead made problems worse because the current practice prevents the player from finding out whether their account has been compromised.