I just got the email from haveibeenpwned. F Trello.
It may be reasonable to block all logins for a time if they detect an attack like this
That would be a P1 incident and probably violate SLAs depending on the duration.
Inserting a literally meaningless delay like 5 seconds is sufficient to make your service virtually impenetrable to mass bruteforce/stuffing attacks. Credential stuffing becomes untenable when you're trying to stuff 1 million creds with a 5 second cooldown. Most normal users who would hit it would just think their wifi or cell service hiccupped.
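As an added example (not from the thread or from Trello), here is the per-source login cooldown the comment above describes, written in Python, plus a helper that bounds how long a 1 million credential stuffing run takes under it. The source identifier, the `verify` callback and the credential store are assumptions constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class LoginThrottle:
    """Enforce a fixed cooldown between login attempts from the same source.

    The key is the source (client IP, session or device id; assumed here to be
    a string the caller supplies), not the account: a stuffing run touches each
    account once, so a per-account cooldown would never fire against it, while
    a per-source cooldown slows every attempt the source makes.
    """
    cooldown: float = 5.0  # seconds; the "meaningless delay" from the comment
    _last: Dict[str, float] = field(default_factory=dict)

    def attempt(self, source: str, username: str, password: str,
                now: float, verify: Callable[[str, str], bool]) -> Tuple[str, float]:
        """Return (result, wait_seconds).

        result is "throttled" (password not checked at all), "ok" or "denied";
        wait_seconds is how long this source must wait before its next attempt.
        `now` is passed in explicitly so the logic is deterministic to test.
        """
        last = self._last.get(source)
        if last is not None and now - last < self.cooldown:
            return "throttled", self.cooldown - (now - last)
        self._last[source] = now
        return ("ok" if verify(username, password) else "denied"), self.cooldown


def stuffing_run_seconds(n_credentials: int, cooldown: float, n_sources: int) -> float:
    """Lower bound on the wall-clock time of a stuffing run when each source
    gets one attempt per cooldown and the run is spread over n_sources."""
    return n_credentials * cooldown / n_sources


if __name__ == "__main__":
    # Constructed sample credential store for the demo (not real data).
    store = {"alice": "correct horse", "bob": "hunter2"}

    def verify(user: str, pw: str) -> bool:
        return store.get(user) == pw

    th = LoginThrottle(cooldown=5.0)
    print(th.attempt("198.51.100.7", "alice", "wrong", now=0.0, verify=verify))    # denied
    print(th.attempt("198.51.100.7", "bob", "hunter2", now=1.0, verify=verify))    # throttled
    print(th.attempt("198.51.100.7", "bob", "hunter2", now=5.0, verify=verify))    # ok
    days = stuffing_run_seconds(1_000_000, 5.0, 1) / 86400
    print(f"1M creds from one source at 5 s cooldown: {days:.1f} days")
```

The bound only holds if the attacker's concurrency is actually capped per source; spreading the run over many sources divides the time accordingly, which is what the `n_sources` argument makes visible.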