
Unfortunately that's what many companies do. IIRC, this includes connecting with OVH IPs to Mojang (Minecraft) login servers. It's becoming a popular practice that is not good in UX terms at all.


Sounds like a great practice. You don't let the spammer know they're found out, and if you call customer support about it they are able to tell you what's wrong after you've verified extra info. Would you rather they give hackers access to lock you out or unlimited access to keep trying?


Security by obscurity is none at all; the customer/hacker can call up and provide information/pretext no problem. Plus, the information is available on public sources (such as this one) on why the issue occurs. A smart enough attacker can just use other proxies until they find one you didn't ban, whereas legit users are probably SOL.


Blocking known sources of brute force attempts and attacks is not security by obscurity, and it should be a mandatory practice.

Run a website of any importance and you will quickly be shocked at the amount of malicious traffic that keeps coming from Tor/DigitalOcean/VPN/open proxies and a few other sources.


Just to clarify something, I was a legitimate user with a strong password (100 character) and 2FA enabled.

And they blocked me.

They didn't tell me why, I figured it out on my own inadvertently.

I wasn't on a junky free VPN, I was on a corporate VPN service.

And I was blocked, worse I was given false information about my password being incorrect... and worse still, given that they assumed someone was trying to enter a fake password, they never emailed me to let me know -- I had to contact them.

Plenty of legit reasons for someone to use a VPN. I'm relatively certain nobody from the telco in Australia who set up the VPN had been trying to hack Namecheap, looks more just like someone found a way to classify that IP as a VPN and blocked it.

And look, to put the nail in the coffin, they were more than willing to tell me the email address to check for the password reset via live chat.

Anyway I tend to be the guy harping about security, but when they start banning VPNs just for being a VPN I don't think that's secure, I think it's obnoxious. We should encourage people to use VPNs, not make it annoying for them.

Proper procedure would be to let the bad guy try, block the IP (or better yet, the browser fingerprint), let them know why they were blocked (in case they aren't a bad guy), and (if the owner didn't have 2FA) send the owner an email saying someone was trying to get access but wasn't successful.

For users with 2FA, all you'd ever really have to do is send an email to the owner and/or an access distribution list, letting them know when a certain user signed in. I wish more people offered this service; getting access notifications when any admin signed in would be key for helping me figure out what task broke something if I have to go fix it.
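The login flow the comments above argue over (block known bad networks and repeat offenders, but tell the blocked client why rather than returning "wrong password", and notify the account owner) sketched as a small Python login guard. This is an added example, not code from Namecheap, Mojang or any commenter; the block list (a TEST-NET-3 range), the accounts, the thresholds and the `LoginGuard` class are all constructed for illustration, and passwords are compared in plaintext only to keep the example short.

```python
import hmac
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed block list: networks you have seen brute forcing you.
# 203.0.113.0/24 is a documentation range, not a real abuser.
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
MAX_FAILURES = 5      # failures per source IP before that IP is locked out
WINDOW_SECONDS = 600  # sliding window for counting failures


@dataclass
class Account:
    username: str
    password: str   # plaintext only for this demo; store a hash in real code
    has_2fa: bool
    email: str


@dataclass
class LoginGuard:
    accounts: dict
    now: float = 0.0                       # injected clock so the logic is testable
    failures: dict = field(default_factory=lambda: defaultdict(list))
    notifications: list = field(default_factory=list)  # (email, message) pairs

    def block_reason(self, ip: str):
        """Return why this source IP is refused, or None if it may try."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in BLOCKED_NETS):
            return "source network is on the block list"
        recent = [t for t in self.failures[ip] if self.now - t < WINDOW_SECONDS]
        self.failures[ip] = recent
        if len(recent) >= MAX_FAILURES:
            return "too many failed attempts from this address"
        return None

    def login(self, ip: str, username: str, password: str, otp_ok: bool = True):
        # Lockout is per source IP, so an attacker cannot lock out the real
        # owner, and the reason is stated instead of faking "wrong password".
        reason = self.block_reason(ip)
        if reason is not None:
            return ("blocked", reason)

        acct = self.accounts.get(username)
        good_password = acct is not None and hmac.compare_digest(
            acct.password.encode(), password.encode())
        if not good_password or (acct.has_2fa and not otp_ok):
            self.failures[ip].append(self.now)
            # Same message for unknown user and bad password: no enumeration.
            if acct is not None and not acct.has_2fa:
                self.notifications.append(
                    (acct.email, f"failed sign-in attempt from {ip}"))
            return ("denied", "invalid credentials")

        if acct.has_2fa:
            # 2FA users get a notice of every successful sign-in instead.
            self.notifications.append(
                (acct.email, f"successful sign-in from {ip}"))
        return ("ok", None)


def make_demo_guard() -> LoginGuard:
    """Constructed accounts for the example: alice without 2FA, bob with it."""
    accounts = {
        "alice": Account("alice", "correct horse battery staple", False, "alice@example.invalid"),
        "bob": Account("bob", "hunter2-but-longer", True, "bob@example.invalid"),
    }
    return LoginGuard(accounts)


if __name__ == "__main__":
    g = make_demo_guard()
    print(g.login("203.0.113.9", "alice", "correct horse battery staple"))
    for _ in range(MAX_FAILURES):
        print(g.login("198.51.100.7", "alice", "wrong"))
    print(g.login("198.51.100.7", "alice", "correct horse battery staple"))
    print(g.login("192.0.2.5", "bob", "hunter2-but-longer", otp_ok=True))
    for note in g.notifications:
        print(note)
```

The two things worth noticing are that the lockout keys on the source address rather than the account, so a stranger hammering your username from a VPN range cannot lock you out, and that a blocked client receives a distinct `blocked` result with the reason, which is the difference between a lockout and the silent "password incorrect" described above.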



