Meridian Outfitters forensic brief
Credential stuffing burst isolated to one UTC hour.
The day was quiet except for a concentrated authentication attack from one source. The same IP browsed the site shortly before the burst, opened the login page twice, then generated only failed login attempts for the rest of its observed activity.
Requests Per Hour
Hourly request volume, with the attack hour highlighted in red.
Reconstructed Timeline
Observed behavior from 203.0.113.66.
Initial visit
Requested GET / and received HTTP 200, likely confirming the site was reachable.
Login page loaded
Requested GET /login and received HTTP 200.
Login page revisited
Requested GET /login again, then paused for roughly 17 minutes before the burst.
Failed login burst begins
Started sending POST /api/login attempts, all returning HTTP 401.
Burst ends without success
The same IP accumulated 137 failed login attempts and no successful login response in the log.
Recommended Mitigation
Rate-limit and temporarily lock out login attempts by source IP and account after a small number of 401 responses, with alerting on concentrated failures against POST /api/login.