I recently installed a login security plugin and it reported an attack from Sweden using the login of one of our users. The username wasn't admin, so they weren't guessing at the password for that.
The username isn't listed on the website anywhere that I'm aware of, so I'm wondering if WordPress gave it up somehow, or if the user's computer did. If the user's computer gave up the username, wouldn't they have been able to grab the password too?
This is the first time I've seen a brute-force attack against a real user, so it has me wondering.