Long story short is someone got a database of emails/passwords from somewhere (not our database, because the vast majority of the emails attempted were never in our system). But they were trying around 500 emails per second for about 24 hours before I noticed an awful lot of old users were logging in out of the blue and doing nothing. They ended up successfully logging into 1,458 accounts (wherever they got that email/password database, it must have been huge).
For now, I wrote a script to reset all those user's passwords automatically and also changed the XenForo_Model_Login::countLoginAttempts() method to be based on IP address (not username/email), and made it based on the last hour of login attempts. Also made the cleanUpLoginAttempts() method based on an hour (of course).
Not a huge deal since we've handled it on our end already, but might be something to think about in the future to prevent brute force login attempts that span more than a single username/email.