Could have something to do with the lack of a limit on password retries and the fact that the website (web app and ICO) returns the following responses when trying an incorrect email and password, leaking the fact that an email is registered:
{
  "error": {
    "errors": [
      {
        "domain": "global",
        "reason": "invalid",
        "message": "EMAIL_NOT_FOUND"
      }
    ],
    "code": 400,
    "message": "EMAIL_NOT_FOUND"
  }
}

{
  "error": {
    "errors": [
      {
        "domain": "global",
        "reason": "invalid",
        "message": "INVALID_PASSWORD"
      }
    ],
    "code": 400,
    "message": "INVALID_PASSWORD"
  }
}
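An added example, not part of the comment above or of the site's own code: a server-side wrapper that addresses both points raised, returning one identical body for the two failure causes and throttling retries per e-mail and per client. `LoginGate`, `fake_upstream`, the thresholds and the `INVALID_CREDENTIALS` / `TOO_MANY_ATTEMPTS` messages are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 5       # assumed policy: failures allowed per key per window
WINDOW_SECONDS = 900   # assumed policy: sliding window length
LEAKY = {"EMAIL_NOT_FOUND", "INVALID_PASSWORD"}  # the two messages quoted above
GENERIC_FAILURE = {"error": {"code": 400, "message": "INVALID_CREDENTIALS"}}  # hypothetical
THROTTLED = {"error": {"code": 429, "message": "TOO_MANY_ATTEMPTS"}}          # hypothetical


class LoginGate:
    """Sits between the client and the upstream auth call (hypothetical wrapper)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _recent(self, key):
        q, now = self._failures[key], self._clock()
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()  # drop failures that have aged out of the window
        return q

    def login(self, email, password, client_ip, authenticate):
        # Count per e-mail and per client, whether or not the e-mail exists,
        # so the throttle response itself does not reveal registration.
        keys = [("email", email.strip().lower()), ("ip", client_ip)]
        if any(len(self._recent(k)) >= MAX_FAILURES for k in keys):
            return THROTTLED  # upstream is not called while throttled
        body = authenticate(email, password)
        if body.get("error", {}).get("message") in LEAKY:
            now = self._clock()
            for k in keys:
                self._failures[k].append(now)
            return GENERIC_FAILURE  # same body for both failure causes
        return body


def fake_upstream(email, password):
    """Constructed stand-in that answers like the responses quoted above."""
    if email != "alice@example.test":
        return {"error": {"code": 400, "message": "EMAIL_NOT_FOUND"}}
    if password != "correct":
        return {"error": {"code": 400, "message": "INVALID_PASSWORD"}}
    return {"idToken": "constructed-token"}


if __name__ == "__main__":
    gate = LoginGate()
    print(gate.login("alice@example.test", "wrong", "198.51.100.1", fake_upstream))
    print(gate.login("nobody@example.test", "wrong", "198.51.100.2", fake_upstream))
```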