Over the last two weeks, I've started seeing entries in the activity log that concern me. Attempted log-ins appear that are labeled as "Wrong Password' in the action column -- but the description column actually has a real username. Always before, I'd just seen those entries show up with trial-and-error usernames like "manager" or "admin."
Does this mean that the username is compromised? It's not one that should be an obvious guess. But it's also clearly not log-in attempts by the actual user, since the ip addresses (there are several) do not match the actual user's address.
Is this cause for concern? There aren't a huge number of these -- maybe a dozen in as many days -- but I wasn't sure what it meant. Is there some reason other than a compromised username that an actual username might show up in the description field accompanying unauthorized attempts to log in?