Their data shows that 2.8% of the unauthenticated attempts were made by human visitors. This suggests that most of these should be attributed to “human error” (e.g., typing the wrong password) and to the initial one-time 2FA activation process.
The numbers also show that another 1.8% of the unauthenticated visits were made by benevolent bots (e.g., search engines, legitimate crawlers, RSS readers, etc.) whose numbers would certainly be much higher, if not for the common practice of blocking the login URLs using the robots.txt file.
The remaining 94.1% of the visits were made by malicious automated tools - the kinds that are used to discover and exploit password-related security holes. Simply put, this means that on average 15 of every 16 visitors to your login page have ill attentions in mind.
The seemingly high ratio of malicious visits is, in fact, all but expected - especially considering the recent waves of large-scale Brute Force attacks and the overall increase in APT events and other password-related hacks.
That connection becomes even more evident from looking at the trending reports. For example, while observing the timeline of blocked attempts, it is easy to spot a distinct correlation between the steep increase in number of malicious access attempts and the reports about the Fort Disco attack, which surfaced throughout August and September.