We just got the "Potential Intrusion" email after 173 failed login attempts. Our legitimate user had been logged in and was replying to comments, and she was abruptly logged out. When she tried to log back in, it forced her to reset her password.
However, after resetting her password, she was booted out again, and ended up in a loop of having to reset her password.
I changed the "Match Time" setting from 120 to 1 and she was able to reset her password and successfully log in again.
It almost seems like LSS was thinking she was the attacker -- even though she obviously wasn't.
One idea: I've recently changed our varnish cache settings, and it may strip some cookies. Does LSS look at any cookies for logged in users?