Not do downplay this issue, but based on the description, OP had a valid session cookie, and was updating their profile to disable MFA since they lost the code. They weren’t brute forcing logging in.
I haven’t looked into the source code, maybe this is an instance by instance configuration, but login attempts are rate limited. After a few failed attempts, I started getting this message:
Lemmy Error: You’re being rate limited, wait a bit before trying that again.
That was an excruciating interview to listen to. He started off kinda sounding sane, but as time went on, more of his fringe ideas started showing, culminating to that point.