The guy said brute force but meant credential stuffing.
Basically using an army of remote compromised devices to use known user name password combinations. If they used the same email and password that was found on another compromise, then their account would successfully be logged in first try from a unique ip each time.
But if I request it there, after its federated everywhere, what happens?