The user https://de.wikipedia.org/wiki/Benutzer:Ulrich_prokop reports on VRTS Ticket#2026010510002509 about ~ 500 notifications of failed logins in the last month. He does not belief that it a hacker but suspects an server side error.
Any chance to check the server logs for this user?
@Raymond This is standard. Some Goofball is trying out passwords. That's not rare, often, these are just trolls who wanted to trigger notifications. In the past, such reports came across several projects. With a secure password, it is safe to ignore such notifications. If the user is unsure, you can point out the 2-factor authentication to them. With a secure password, you can ignore such notifications.
@Raymond We do have some logs (https://logstash.wikimedia.org/goto/fb93d5be69fe642382ad5b2ba6ee53d9).
The failed logins appear to be coming from the Android Wikipedia app on a tablet. Can you ask the user if they have the app installed on such a device, and if they do, try to either log into it with their current password, or uninstall it?
This seems similar to the situation reported in T398886#10983604, where the app would retry failed logins. That issue was fixed according to that comment, but the app making these login attempts for this user is an older version before that fix. Updating it may also resolve the problem.
And whether they're using an up to date version of the app too - there's been a few issues like this that should have been resolved in more recent releases.
I have no permissions for Logstash. I requested it by it was declined today due to missing NDA. No Problem.
The failed logins appear to be coming from the Android Wikipedia app on a tablet. Can you ask the user if they have the app installed on such a device, and if they do, try to either log into it with their current password, or uninstall it?
"
I asked the user and his answer is: "Yes, that's possible—I deleted the app. Let's see if things calm down now; I'll let you know.."