Thanks for these details! I believe you and understand this must be really frustrating.
At the same time, I mentioned in my previous message that the “Machine to machine” app type, to which the blocked users / IP addresses attempted to log in with the username and password, is not intended for this login flow, and thus it’s hard to predict the behavior and expect our systems to work per design. This is not an app to which users log in by default but an entity representing credentials to interact with other APIs.
I can recommend recreating user accounts and preventing them from logging in to any Machine-to-machine app. To do so, please update the grants enabled for the S** app to include only the Client Credentials one: