Couple thing:

1. You are not alone, this happens at a large scale across the board with companies of all sizes.

2. More than likely the abuser did not do it manually, more than likely they automated it

3. As a thoughtful business one may have rolled out all the authentication features/gates if the business picks up, as a starter the safe idea could have been to put it behind any openly available OAuth provider