The Breach That Never Happened Issue #007
The Login Form That Became a Mass Account Takeover. How the absence of a simple rate limit allowed an automated attack to compromise accounts without ever stealing a password.
Severity: Critical
Time to Exploit: 15 minutes
Cost if Breached: $2 to $6 million
What Happened
During testing of a customer authentication system, we discovered that the login endpoint accepted unlimited verification attempts without any restriction.
The application used six-digit PIN codes for authentication. There are only one million possible combinations. We wrote a simple script and pointed it at the login form.
Within minutes it was cycling through combinations at hundreds of attempts per second. The server accepted every single request without complaint. We compromised test accounts within the first hour.
At that rate, a real attacker could work through an entire customer base systematically, with no alarm ever going off.
The issue was caught right on time. No breach occurred.
T.L.D.R.
When applications use short PINs or one-time codes for login, they rely on those codes being temporary and hard to guess.
That protection disappears the moment an attacker can try as many combinations as they want, as fast as they want.
Imagine a combination lock where you can spin it a million times a second without it ever locking you out.
The six-digit PIN becomes trivial. The one-time code window becomes irrelevant because the attack is faster than the expiry.
What looks like a security feature becomes a race condition the attacker will always win.

The Impact
An attacker exploiting this could:
• Compromise accounts at scale without needing stolen credentials
• Bypass two-factor authentication through OTP exhaustion
• Access customer data, payment methods, and account history
• Initiate fraudulent transactions from compromised accounts
• Operate continuously with no lockout or alerting mechanism
• Scale the attack to the entire customer base within hours
Real-world precedent: Rate limiting failures have enabled mass account takeovers in banking and fintech applications, sometimes affecting hundreds of thousands of customers before detection.
How To Fix It
• Implement rate limiting on all authentication and verification endpoints
• Lock accounts temporarily after a defined number of failed attempts
• Add exponential backoff to increase the delay between retries
• Enforce short-lived OTPs with strict expiry and single-use rules
• Alert on unusual authentication velocity from a single source or IP
Authentication endpoints without rate limiting are open invitations for automated attacks. The fix is simple and the impact is decisive.
Key Takeaways
If you’re a business leader:
If your login page does not limit how many times someone can try to authenticate, it is not protected by a PIN. It is protected only by how patient an attacker is.
If you’re technical:
Implement rate limiting, account lockout, and OTP expiry at the infrastructure level, not just the application layer.
The bottom line:
A six-digit PIN is strong enough if it can only be tried a few times. Without that limit, it is not a lock. It is a delay.
What You Can Do
[ ] Implement rate limiting on all login and authentication endpoints
[ ] Enforce account lockout after repeated failed attempts
[ ] Set strict expiry and single-use rules for OTPs and PINs
[ ] Test authentication flows for brute force resistance regularly
This vulnerability was discovered during real penetration testing and remediated before publication.
About The Breach That Never Happened
Monthly insights from real penetration testing engagements, real vulnerabilities, real fixes, zero breaches.
Discovered by Penti’s Agent and Penetration Testing Team.
#CyberSecurity #PenetrationTesting #BruteForce #Authentication #PreventedBreach