Hi Dan,
Sorry for the late reply. There is no way to tie the user to the IP address. It seems that the user might not even be signed up yet.
We noticed that within a certain time period the requests come from the same IP address. There are many every second. Eventually the IP address changes.
We do have Suspicious IP Throttling and Brute-force Protection enabled. Shouldn’t those block an IP that fails to login repeatedly?
Edit: oh we also updated to use the 2.0 SPA SDK a couple days ago. From 1.22.1. These failed login attempts are still using 1.22.1, so that seems fishy.