Credential stuffing. Attackers can spam a site with logins with common passwords. Too few sites implement good mitigations against this because it's easy to block/lock legitimate users who typoed a password.
This is why I isolate authentication to a separate application. I also implement max attempts per N minutes for IP and User. Most users, once authenticated, are good for the work day. Auth going down doesn't (generally) affect the work.
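An added sketch of the "max attempts per N minutes for IP and User" limit described in the comment above; it is not the commenter's code. The class name, thresholds and in-memory storage are assumptions. It throttles with a retry delay instead of locking accounts, so a user who mistyped a password recovers when the window slides.

```python
import time
from collections import deque


class LoginThrottle:
    """Sliding-window cap on failed logins, tracked per IP and per user."""

    def __init__(self, window_s=300, max_per_ip=20, max_per_user=5):
        self.window_s = window_s            # the "N minutes", in seconds
        self.limits = {"ip": max_per_ip, "user": max_per_user}
        self.failures = {}                  # (kind, value) -> deque of timestamps

    def _recent(self, key, now):
        q = self.failures.get(key)
        if q is None:
            return ()
        while q and q[0] <= now - self.window_s:   # drop expired failures
            q.popleft()
        if not q:
            del self.failures[key]          # keep idle keys out of memory
        return q

    def retry_after(self, ip, user, now=None):
        """Seconds until this (ip, user) may try again; 0.0 means allowed."""
        now = time.monotonic() if now is None else now
        wait = 0.0
        for key in (("ip", ip), ("user", user.lower())):
            q, limit = self._recent(key, now), self.limits[key[0]]
            if len(q) >= limit:
                # Allowed again once enough of the oldest failures expire
                # to bring the count back under the limit.
                wait = max(wait, q[len(q) - limit] + self.window_s - now)
        return wait

    def record_failure(self, ip, user, now=None):
        now = time.monotonic() if now is None else now
        for key in (("ip", ip), ("user", user.lower())):
            self.failures.setdefault(key, deque()).append(now)

    def record_success(self, user):
        # Clear only the user's counter: clearing the IP counter would let
        # a client reset it by logging in to an account it controls.
        self.failures.pop(("user", user.lower()), None)
```

Call `retry_after` before checking the password and reject with that delay when it is non-zero; state here lives in one process, so a multi-instance auth service would need a shared store.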