Yeah for sure, a few attempts aren't a problem IMO; even with only, say, 6 digits there are too many permutations.
> I have used 1000 different machines (to achieve concurrency easily) and IPs to send 200k requests (that’s 20 percent of total one million probability) in my tests.
I'm just surprised nobody looked at a dashboard and said "huh, this account is getting 200k requests". Surely that should be raising red flags?
How many requests does IG handle per second? I am not even going to guess a number, but I am sure 1000 specific requests would drown in that. So you would need a dashboard that specifically visualizes this kind of thing. Do that and you are now protecting yourself in one type of scenario. But there are endless other scenarios that you still wouldn't see.
I'm sure IG gets several orders of magnitude more than 1000s of requests per second. Even if a dashboard existed visualizing excess request traffic per route per user, when you're talking about this kind of request volume, there is an indexing lag + a reporting lag + an alerting lag (assuming there is alerting on this specific scenario on top of the dashboard) + a human or automated response lag. It sounds like this attack could be completed in minutes rather than hours or days; it's feasible that it would have succeeded well before anyone got around to mitigating it.
But once you know that this is a specific attack surface, it's far easier to limit the surface (fix the problem) rather than build a dashboard that a human has to monitor perpetually.
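The point the comments above are circling, spelled out as an added example that is not code from the thread or from Instagram: a per-IP rate limit never fires when 1000 addresses each send a handful of guesses, while a per-account view over the same requests lights up immediately. The log line format, the per-IP limit (5 per minute), the per-account threshold (20 per minute) and the traffic itself are all constructed for the example; the sample log is generated in-line, scaled down to 50 addresses sending 4 guesses each at one account.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


# Constructed sample log (not real traffic). The line format is an assumed,
# simplified access-log layout: "<ISO timestamp> <account> <client ip> <route>".
def build_sample_log(attacker_ips=50, per_ip=4, start="2019-07-01T10:00:00"):
    t0 = datetime.fromisoformat(start)
    lines = []
    # Legitimate user: two tries from one address, 30 seconds apart.
    lines.append(f"{t0.isoformat()} alice 203.0.113.7 /reset/verify")
    lines.append(f"{(t0 + timedelta(seconds=30)).isoformat()} alice 203.0.113.7 /reset/verify")
    # Attacker: `attacker_ips` addresses each send `per_ip` guesses at one
    # account, interleaved so that every single address stays under a
    # per-IP limit while the account as a whole is hammered.
    n = 0
    for _ in range(per_ip):
        for j in range(attacker_ips):
            ts = t0 + timedelta(milliseconds=100 * n)
            n += 1
            lines.append(f"{ts.isoformat()} victim 198.51.100.{j} /reset/verify")
    return lines


def parse_line(line):
    ts, account, ip, route = line.split()
    return datetime.fromisoformat(ts), account, ip, route


def per_ip_blocked(lines, limit=5, window=timedelta(seconds=60)):
    """Classic per-IP limiter: the set of IPs that exceed `limit` requests in `window`."""
    events = sorted(parse_line(line) for line in lines)
    recent = defaultdict(deque)
    blocked = set()
    for ts, _account, ip, _route in events:
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) > limit:
            blocked.add(ip)
    return blocked


def per_account_alerts(lines, threshold=20, window=timedelta(seconds=60)):
    """Per-account view: verify attempts in `window` regardless of source IP.

    Returns {account: (attempts_in_window, distinct_source_ips)} for every
    account that crossed `threshold`; the distinct-IP count is what tells an
    analyst this is a distributed guess rather than one confused user.
    """
    events = sorted(parse_line(line) for line in lines)
    recent = defaultdict(deque)
    alerts = {}
    for ts, account, ip, route in events:
        if route != "/reset/verify":
            continue
        q = recent[account]
        q.append((ts, ip))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) > threshold:
            alerts[account] = (len(q), len({src for _, src in q}))
    return alerts


if __name__ == "__main__":
    log = build_sample_log()
    print("per-IP limiter would block:", per_ip_blocked(log) or "nothing")
    print("per-account alerts:", per_account_alerts(log))
```

With the constructed traffic the per-IP limiter blocks nothing (every address sends 4 requests, under the limit of 5), while the per-account view reports 200 attempts from 50 distinct addresses against `victim` and nothing for `alice`. The same counter, keyed on the account or on the reset code rather than on the client, is also what makes the attack cheap to stop rather than merely visible.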
I'm surprised that it's limited to just numbers. Introducing letters and symbols would significantly increase the number of permutations and decrease the odds of a successful brute-force attack.
I always find it weird that if I accidentally enter the wrong code, I get to try again instead of being sent a new one.
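The fix the two comments above are asking for, as an added example that is not code from the thread or from Instagram: bind the attempt budget to the issued code itself, so a wrong guess counts against the code no matter which IP sent it, burn the code after a few misses, make it single-use, and expire it. The store below is a hypothetical in-memory stand-in for whatever shared datastore a real deployment would use; the limits (3 attempts, 10-minute lifetime, 6 digits) are assumptions chosen to show that a 6-digit code is perfectly adequate once the attempt count is bounded.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class ResetCode:
    account: str
    code: str              # the digits shown to the user
    issued_at: datetime
    attempts: int = 0
    consumed: bool = False  # used, expired, or burned by too many wrong guesses


class ResetCodeStore:
    """One live code per account, bounded by attempts and age, not by client IP.

    Hypothetical in-memory store written for this example; `now` is injectable
    so the expiry path can be exercised without waiting.
    """
    MAX_ATTEMPTS = 3
    TTL = timedelta(minutes=10)
    DIGITS = 6

    def __init__(self, now=lambda: datetime.now(timezone.utc)):
        self._codes = {}
        self._now = now

    def issue(self, account):
        # A new code replaces any outstanding one, so nobody can keep working
        # an old code after the user has requested a fresh one.
        code = f"{secrets.randbelow(10 ** self.DIGITS):0{self.DIGITS}d}"
        self._codes[account] = ResetCode(account, code, self._now())
        return code

    def verify(self, account, guess):
        rc = self._codes.get(account)
        if rc is None or rc.consumed:
            return False
        if self._now() - rc.issued_at > self.TTL:
            rc.consumed = True
            return False
        # Count the attempt before comparing: the budget is charged for every
        # guess against this code, from any source.
        rc.attempts += 1
        ok = hmac.compare_digest(rc.code.encode(), guess.encode())
        if ok or rc.attempts >= self.MAX_ATTEMPTS:
            # Success burns the code (single use); so does the last allowed miss.
            rc.consumed = True
        return ok


def bruteforce_success_probability(attempts, digits=6):
    """Chance that `attempts` guesses hit a fresh, uniformly random code."""
    return min(1.0, attempts / 10 ** digits)


if __name__ == "__main__":
    store = ResetCodeStore()
    code = store.issue("alice")
    for guess in ("000000", "111111", "222222"):
        print("wrong guess accepted?", store.verify("alice", guess))
    print("correct code after 3 misses accepted?", store.verify("alice", code))
    print("P(win) with 3 tries:", bruteforce_success_probability(3))
    print("P(win) with 200k tries:", bruteforce_success_probability(200_000))
```

With the budget tied to the code, an attacker gets at most 3 guesses per issued code, a success probability of 3 in a million, and the 200k-request run from the writeup (a 20 percent chance against an unbounded endpoint) is simply impossible. Letting a user retry a mistyped code a couple of times, as the last comment describes, is fine under this scheme; what is not fine is letting the same code absorb an unbounded number of guesses.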