Lack of interest (Failed) Login Attempts Log purges itself when most needed.

This suggestion has been closed automatically because it did not receive enough votes over an extended period of time. If you wish to see this, please search for an open suggestion and, if you don't find any, post a new one.

Isil`Zha

Active member
The Login Attempts Log (which can only be made visible via add-ons) has a serious design flaw. It purges the entire log for the user whenever there is a successful login. This means you can almost never track if someone is attempting to brute force a user's password over a long period, and even worse, if password guessing is successful, then the logging that would show the perpetual attempts is deleted.

A security log that purges itself when an attacker is successful is all but useless.
 
The problem is you’re trying to use it in a way that it isn’t designed to be used.

It’s designed to block or restrict login attempts and isn’t intended to be a long-term log. While that may be useful, it isn’t the intention here so isn’t a bug nor a design flaw.

If you are using an add-on which makes the log visible, those add-ons probably need to be extending the system to log its own events on a more permanent basis or using a different log entirely.
 
If I’m allowed to plug my own add-on here: https://xenforo.com/community/resources/dbtech-dragonbyte-security.5868/ - this might help you :)

It has “Security Watchers”, where you configure an event (such as “Failed Logins”) and threshold (such as “5 login attempts from the same IP in the past 1 hour”), which then trigger a response (such as “Email webmaster” or “Lock account”).

Locked accounts cannot be used until the person who owns the account unlocks it via a special link sent to their email.

It has many different watchers for many different types of logins. In terms of the scenario you posit in the OP, that would be “Potentially Breached Account” since there were multiple failed logins followed by a successful login.

Might be worth a look, it logs everything separately and doesn’t rely on the login strikes table in XF :)
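
The scenario discussed in this thread, as an added example that is not part of any post and is not XenForo or DragonByte Security code: a strike table that purges on success, next to an append-only log scanned for the "multiple failed logins followed by a successful login" pattern. The event tuples, function names, and the per-user default of 5 failures within 1 hour are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed sample events: (unix_time, username, source_ip, success)
EVENTS = [(1000 + 60 * i, "alice", "203.0.113.7", False) for i in range(6)]
EVENTS += [
    (1400, "alice", "203.0.113.7", True),   # guess succeeds after 6 failures
    (1500, "bob", "198.51.100.4", False),   # ordinary typo...
    (1520, "bob", "198.51.100.4", True),    # ...followed by a normal login
]


def purge_on_success(events):
    """Model of the behaviour described in the thread: a successful login
    deletes every stored failed attempt for that user."""
    strikes = defaultdict(list)
    for ts, user, ip, ok in sorted(events):
        if ok:
            strikes.pop(user, None)          # the evidence disappears here
        else:
            strikes[user].append((ts, ip))
    return {u: rows for u, rows in strikes.items() if rows}


def breached_candidates(events, threshold=5, window=3600):
    """Scan an append-only log and flag each success that was preceded by
    at least `threshold` failures for the same user within `window` seconds."""
    recent = defaultdict(deque)              # user -> recent failure timestamps
    alerts = []
    for ts, user, ip, ok in sorted(events):
        fails = recent[user]
        while fails and ts - fails[0] > window:
            fails.popleft()                  # failure is outside the window
        if ok:
            if len(fails) >= threshold:
                alerts.append((user, ts, ip, len(fails)))
            fails.clear()                    # reset the counter; the log is kept
        else:
            fails.append(ts)
    return alerts


if __name__ == "__main__":
    print("left in strike table:", purge_on_success(EVENTS))
    print("alerts from full log:", breached_candidates(EVENTS))
```
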
 