Good question. Memo, do you throttle attempts and/or lockout accounts for bad logins? Of course not sure how they would know usernames as they are not public.
They could just try profile names as usernames. I would bet that in many profiles they are the same.
