Troubleshooting excessive failed login attempt emails

If you or your users experience an uptick in automated "Failed Looker login attempt" emails, this page describes the issue and how to resolve it.

The issue

Automated failed login emails are triggered when someone enters an incorrect password for a valid user's email address on the public Looker login page. These alerts are intended to notify users of unauthorized activity on their accounts.

When an organization authenticates users through a third-party identity provider (IdP) using SAML, LDAP, or Google OAuth, and has disabled the "Alternate login for admins and specified users" toggle on the instance, it may still receive "Failed Looker login attempt" emails. This happens when bots bypass the UI and send POST requests directly to the Looker alternate login endpoint.

This scenario can lead to security concerns for users who believe that their accounts have been compromised; however, this notification behavior is by design and doesn't mean that an account has been compromised.

Solution

If you haven't enabled two-factor authentication (2FA) on your Looker instance, we strongly recommend that you enable 2FA.

Upgrade the instance to Looker 26.6.17 or later. This release introduces a patch that returns a 404 error on the targeted alternate login (backdoor) endpoint whenever the alternate login option is disabled. The patch is not active on upgrade alone: once you've upgraded your Looker instance, contact Looker Support to enable the corresponding backend feature flag. With the flag enabled, bot requests are quietly dropped rather than processed by the authentication system, which permanently stops the automated alert spam.

Alternatively, configure a global IP allowlist to restrict access strictly to known corporate network or VPN IP ranges.
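
To confirm that the emails come from automated POST requests rather than from your own users, and to check that the 404 behavior is active after the upgrade, you can triage proxy or load balancer logs against your allowlist ranges. The following is an added example, not code from Looker. The endpoint path is a placeholder, and the log format, IP ranges, and sample lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumption: placeholder, not Looker's real path. Use the path seen in your own logs.
ALT_LOGIN_PATH = "/ALT-LOGIN-PLACEHOLDER"
# Assumption: constructed corporate/VPN ranges (documentation address space).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:10::/48")]
# Assumption: common-log-format lines from a reverse proxy in front of the instance.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "POST /ALT-LOGIN-PLACEHOLDER HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "POST /ALT-LOGIN-PLACEHOLDER HTTP/1.1" 200 512
192.0.2.44 - - [01/Jan/2025:10:03:10 +0000] "POST /ALT-LOGIN-PLACEHOLDER?x=1 HTTP/1.1" 200 512
198.51.100.20 - - [01/Jan/2025:10:05:00 +0000] "POST /ALT-LOGIN-PLACEHOLDER HTTP/1.1" 200 512
198.51.100.20 - - [01/Jan/2025:10:05:09 +0000] "GET /dashboards/1 HTTP/1.1" 200 9000
203.0.113.7 - - [02/Jan/2025:08:00:00 +0000] "POST /ALT-LOGIN-PLACEHOLDER/ HTTP/1.1" 404 0
not a log line
"""

def is_allowed(ip_text):
    """True if the address parses and falls inside an allowlisted range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable client field: treat as outside the allowlist
    return any(ip in net for net in ALLOWED_NETS)

def triage(log_text, path=ALT_LOGIN_PATH):
    """Count POSTs to the alternate login path by source IP and by response status."""
    outside, inside, statuses = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # skip malformed lines and non-POST requests
        if m["path"].split("?", 1)[0].rstrip("/") != path:
            continue  # ignore query strings and a trailing slash when matching
        (inside if is_allowed(m["ip"]) else outside)[m["ip"]] += 1
        statuses[m["status"]] += 1
    return outside, inside, statuses

if __name__ == "__main__":
    outside, inside, statuses = triage(SAMPLE_LOG)
    print("outside allowlist:", outside.most_common())
    print("inside allowlist:", inside.most_common())
    print("statuses:", dict(statuses))
```

Repeated POSTs from addresses outside your ranges match the bot pattern described on this page. After the upgrade and feature flag are in place, every request to the path should show a 404 status.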