So one of our players has been... looking under the hood of our game and website and noticed that he was able to send 1250 login/email/pw requests to our Playfab API endpoint without any rate limiting.
They pretty much were able to call as many times as they wanted using any combination of email/pw so this could be used for an attack on the playfab account system quite easily.
Those login calls show up in our API graphjic as well so... are there any counter measures in place by Playfab?