Oooh.
After updating my knowledge...
Depending on reCaptcha version, I might have not been challenged at all. But not really dependant on version, researchers that tried to circumvent it, easily cobbled together solutions that beat the system 50-80% of the time. I think it is reasonable to assume, the bad guys specialized in beating it have access to a solution that achieves the same results. And even when not, many bad guys are in areas where 5 bucks a day would pay for a lot of actual humans doing the job of solving the captcha manually. And since they have experience, they do it fast. And one can assume that whatever they do, it does pay at least to make a living and pay for electricity and computers.
But after reading about that one guy, that apparantly had his session stolen, not even 2fa is secure.
The danger of 2fa and captchas is, to rely on the security it claims to bring. In case of 2fa there was or is a design flaw, that it does not ask for 2fa again when you change passwords. (You might wanna press there, I am not sure, if itch security is aware of the flaw)
But how to protect against those bad guys. If there is a way for humans to enter, evil humans can think up methods to enter as well. If need be, they just use the front door, manually. Itch is a honey pot. Where else do you find people willing to download software from unknown people and willing to execute it on their system. The latest trend seems to be to release fake/stolen games with payment active.
I guess they just do it manually. Brute forcing is just not done. If they want to enter, they already have some credentials or made a new account. So solving any captchas will give them what they wanted. The case where mass solving of captchas achieves some, is spamming message boards. I do not notice this happening on itch (not since external links were highlighted).