The API's are stateless, that doesn't mean they cannot communicate with databases. One simple way is to increment a database count, when an incorrect password is used, and have the API check it.
That also answers your question about load balancing, as they'll check the same database.
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
The API's are stateless, that doesn't mean they cannot communicate with databases. One simple way is to increment a database count, when an incorrect password is used, and have the API check it.
That also answers your question about load balancing, as they'll check the same database.