I haven't seen any mentions discussing HTTP request smuggling. This could cause LP's internal or external load balancers to misdirect requests/responses.
I’ve given this some thought, but I think that this scenario still requires someone to attempt a login with correct credentials. It cannot be the legitimate owner, however, if the account hasn’t been touched for a year.