Basecamp successfully blocked an hour-long credential stuffing attack targeting its platform on January 29. Only around 100 out of the company’s advertised user base of approximately 3 million accounts were affected. The attackers made approximately 30,000 attempts to access Basecamp accounts over the duration of the attack which kept going for roughly one hour, from a large range of IP addresses. The IPs used during the attack were blocked to slow it down and, eventually, a CAPTCHA system was enabled to effectively put an end to it. All of the unauthorized access was gained using the correct username and password for the account.
Source: https://www.bleepingcomputer.com/news/security/basecamp-successfully-defends-against-credential-stuffing-attack/