by thaumaturgy
2893 days ago
A single source of abuse can easily tilt login statistics. In a recent compromise that I assisted on, the attacker tried 9,000 different credentials before landing on something that worked. This is on a relatively small site that has maybe 100 legitimate logins per day. On larger, more attractive sites, the ratio would only increase as you'd have multiple concurrent attackers trying everything in their combo lists. We've since built out a small pile of software to detect and prevent this and similar kinds of abuse. It's not yet SOP for small ecommerce sites, but it should be. ...or just use Shopify and let them deal with it.
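The skew described in the comment above, worked through as an added example; it is not part of the original comment and is not the software its author mentions. The function names, thresholds, IP addresses and login events are all constructed assumptions, sized to match the comment's figures (about 100 legitimate logins and 9,000 failed guesses from one source).

```python
from collections import defaultdict

def per_source_stats(events):
    """Aggregate (source_ip, username, succeeded) events by source IP."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for ip, user, ok in events:
        s = stats[ip]
        s["attempts"] += 1
        s["failures"] += 0 if ok else 1
        s["users"].add(user)
    return stats

def flag_sources(events, min_attempts=20, max_users=5, min_failure_ratio=0.8):
    """Flag sources that try many distinct usernames and mostly fail.
    Thresholds are illustrative assumptions; tune them to the site's traffic."""
    flagged = set()
    for ip, s in per_source_stats(events).items():
        if s["attempts"] < min_attempts:
            continue  # too little data to judge this source
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) > max_users and ratio >= min_failure_ratio:
            flagged.add(ip)
    return flagged

def success_rate(events, exclude=frozenset()):
    """Share of successful logins, optionally ignoring some sources."""
    kept = [ok for ip, _, ok in events if ip not in exclude]
    return sum(kept) / len(kept) if kept else 0.0

def accounts_to_review(events, flagged):
    """Accounts a flagged source did log in to: reset and investigate these."""
    return sorted({user for ip, user, ok in events if ok and ip in flagged})

def constructed_day():
    """Constructed sample: 100 ordinary logins plus one abusive source."""
    events = [(f"198.51.100.{i + 1}", f"user{i}", i % 20 != 0) for i in range(100)]
    events += [("203.0.113.7", f"guess{i}", False) for i in range(9000)]
    events.append(("203.0.113.7", "victim", True))  # the guess that worked
    return events

if __name__ == "__main__":
    day = constructed_day()
    bad = flag_sources(day)
    print("flagged sources:", bad)
    print(f"success rate, all traffic: {success_rate(day):.3%}")
    print(f"success rate, flagged removed: {success_rate(day, bad):.3%}")
    print("accounts to review:", accounts_to_review(day, bad))
```

Site-wide, the success rate on this sample is about 1%; with the one flagged source set aside it is 95%, which is why per-source aggregation is more useful than a global failure counter.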