Why would doing this to 125K accounts give them access to one account per day? The chances of guessing a 6-digit pin code for each account are the same (10^6) regardless of how many accounts you are attacking
No, this means there is a 98% chance you get _at least_ 1 account.
`1-1/1,000,000` is the probability you fail 1 attempt. That probability to the 4 millionth is the probability you fail 4 million times in a row. 1 minus _that_ probability is the probability that you _don't_ fail 4 million times in a row, aka that you succeed at least once.
The expected number of accounts is still number of attempts times the probability of success for 1 try, or: 4 accounts.
What are the chances of getting 500,000 guesses (4 each for 125,000 accounts) wrong? My math says 60%, so probably not one account per day, but if they keep it up for a week and everything else holds, there's only a 3% chance they haven't gotten any codes right.
Imagine the extreme case, where they pinged one million accounts and then tried the same code (123456) for each one. Statistically, 1 of those 1,000,000 six-digit TOTP codes will probably be 123456.
10^6 digits = 1,000,000 possibilities
125,000 accounts x 4 attempts per account per day = 500,000 attempts per day
---
1-(1-1/1,000,000)^500,000 ≈ 39%
So every day they have a roughly 39% chance of success at 125,000 accounts.
---
At a million accounts:
1-(1-1/1,000,000)^(4×1,000,000) ≈ 98%
Pretty close to 1 account per day
Off by a factor of 4 but the concept stands.
---
And 125k accounts will be close to guaranteed to get you one each week:
1-(1-1/1,000,000)^(7×4×125,000) ≈ 97%
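The figures the thread argues over (39%, 98%, 97%, the "60% all wrong", and the expected 4 accounts) all come from one model: independent guesses against a uniform 6-digit code space. This added example, not from any commenter, reproduces them and adds a defender-side helper that sizes a per-account attempt cap for a target risk; the assumptions are that codes are uniformly random, guesses are independent, and attempts are capped per account per day.

```python
"""Probability model for many-accounts, few-guesses code spraying.

Assumptions (not from the thread): codes are uniform 6-digit values,
every guess is independent, attempts are capped per account per day.
"""
import math

CODE_SPACE = 10**6  # six-digit numeric code: 1,000,000 possibilities


def p_at_least_one(attempts: int, code_space: int = CODE_SPACE) -> float:
    """P(at least one of `attempts` independent guesses is correct)."""
    p_fail_once = 1 - 1 / code_space
    return 1 - p_fail_once ** attempts


def expected_successes(attempts: int, code_space: int = CODE_SPACE) -> float:
    """Expected number of correct guesses: attempts * per-guess probability."""
    return attempts / code_space


def daily_attempts(accounts: int, per_account_per_day: int) -> int:
    """Total guesses per day when each account gets a fixed daily cap."""
    return accounts * per_account_per_day


def max_attempts_for_risk(accounts: int, days: int, target: float,
                          code_space: int = CODE_SPACE) -> int:
    """Largest per-account-per-day cap keeping P(at least one success) over
    `days` days at or below `target`. Returns 0 when no per-account cap
    suffices, i.e. when account-wide controls are needed as well."""
    if not 0 < target < 1:
        raise ValueError("target must be strictly between 0 and 1")
    # Solve 1 - (1 - 1/N)^(accounts * days * k) <= target for k.
    max_total = math.log(1 - target) / math.log(1 - 1 / code_space)
    return int(max_total // (accounts * days))


if __name__ == "__main__":
    for accounts in (125_000, 1_000_000):
        per_day = daily_attempts(accounts, 4)
        print(f"{accounts:>9} accounts x 4/day: "
              f"P(>=1)={p_at_least_one(per_day):.2%}, "
              f"expected={expected_successes(per_day):.2f}")
    print("weekly, 125k accounts:", f"{p_at_least_one(7 * 500_000):.2%}")
    print("cap for 1% daily risk at 125k accounts:",
          max_attempts_for_risk(125_000, 1, 0.01))
```

The last line shows why per-account throttling alone is not enough at that scale: the cap that keeps daily risk under 1% is zero, so the mitigation has to include limits across accounts (per source, per session or global) and alerting on the spraying pattern.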