
This article is pointless clickbait - what percent of systems don't have some sort of throttling or lockout after X number of bad guesses - damn few I would say. Even the most basic, low budget systems I have developed or worked on have throttling rules in place - many with exponentially increasing timeouts that would prevent this sort of attack.

If a website/system does not implement even the most basic security practices, then there are probably a lot of easier ways to hack into it than trying 100,000+ different passwords in a row.



It reminds me of the 4-digit PINs on payment cards --- yes, the "keyspace" is tiny, but you're going to be locked out long before you get close to exhausting it.


Given the number of services that turned out to use plaintext or trivial password hashing (e.g. MD5), I would bet there are a bunch of services out there that do not effectively limit OTP attempts.

It’s been a long time since I did any work on a real authentication system — since before TOTP was common, anyway. I appreciated the post and found it interesting.


MS had a 7 digit code, and some rate limiting, but even that was insufficient: https://thezerohack.com/how-i-might-have-hacked-any-microsof...

(7 digit reset code for forgot password flows)


If there's a leak of valid usernames or email addresses, for a system that has a few million users, that has a lockout after 10 wrong guesses, then you could gain access to one account for every 10,000 lockouts.
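
As an added illustration (my own sketch, not code from any commenter), here is a per-account OTP check with the lockout-after-10 and exponentially increasing timeouts described above, plus the arithmetic behind "one account for every 10,000 lockouts"; the names OtpVerifier, MAX_ATTEMPTS and the injectable clock are my own assumptions.

```python
import hmac
import time

OTP_DIGITS = 6            # 10**6 possible codes
MAX_ATTEMPTS = 10         # lock the account after this many bad guesses
BASE_DELAY_SECONDS = 1.0  # first backoff; doubles on every further failure


class OtpVerifier:
    """Per-account OTP verification with attempt counting and exponential backoff.
    Hypothetical defensive sketch; the clock is injectable so it can be tested offline."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        # user -> {"failures": int, "not_before": float, "locked": bool}
        self._state = {}

    def _entry(self, user):
        return self._state.setdefault(
            user, {"failures": 0, "not_before": 0.0, "locked": False})

    def verify(self, user, expected_code, submitted_code):
        e = self._entry(user)
        now = self._clock()
        if e["locked"]:
            return "locked"           # needs an out-of-band reset
        if now < e["not_before"]:
            return "throttled"        # still inside the backoff window
        # constant-time comparison so timing does not leak a matching prefix
        if hmac.compare_digest(expected_code, submitted_code):
            e["failures"] = 0
            e["not_before"] = 0.0
            return "ok"
        e["failures"] += 1
        if e["failures"] >= MAX_ATTEMPTS:
            e["locked"] = True
            return "locked"
        # 1s, 2s, 4s, ... before the next guess is even considered
        e["not_before"] = now + BASE_DELAY_SECONDS * (2 ** (e["failures"] - 1))
        return "wrong"


def expected_compromises(accounts, guesses_per_account=MAX_ATTEMPTS, digits=OTP_DIGITS):
    """Accounts an attacker can expect to open when only per-account lockouts exist:
    each account allows `guesses_per_account` tries against 10**digits codes."""
    return accounts * guesses_per_account / 10 ** digits
```

The per-account limiter stops a single account being exhausted, but expected_compromises shows why a large user base also needs per-source and global rate limits.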


> leak of valid usernames or email addresses

...and passwords, because OTP is the second factor.



