Originally Posted by
txflyer77
Absolutely, it's a real threat. I run a public-facing website that holds significant personal information on our users and we see all sorts of bots trying to brute force their way in. And we're no where near the size of HHonors.
Besides spending points on merchandise, there's also the potential for targeted attacks against specific people in order to figure out where they're staying.
That said, the captcha isn't the solution. Passwords are the solution (plus various tricks to slow down bots).
Like rate-limiting, presumably, which gets you the locked-out-user problem.