Why is the account blocked if it doesn't use an email/password connection?


I’ve run into strange behaviour of Auth0…

The user signed up with a social connection (Facebook). The Facebook account is registered with the
‘email@nowhere.com’ email.
Auth0 created an account for the user:

    user_id facebook|164.....
    "provider": "facebook",
    "user_id": "164....",
    "connection": "facebook",
    "isSocial": true

Looks OK so far.

Then the user tried to sign in using the email/password connection, and used the same email address that is used by Facebook (email@nowhere.com).
After 10 failed login attempts, Auth0 started returning the “Your account has been blocked after multiple consecutive login attempts.” error and added the following to the user’s account:


    "identifier": "email@nowhere.com",
    "connection": "Username-Password-Authentication",
    "ip": "xx.xx.xx.xx"

No “Blocked Account Email” has been sent.

Then the user tried to sign in with Facebook and logged in fine.

So, why does Auth0 mark the account as “blocked” if it’s not actually blocked,
and it looks like the account cannot be blocked because it uses only a social connection (no email/password connection)?