A flaw was found in moodle where logic used to count failed login attempts could result in the account lockout threshold being bypassed.