Okta, a huge company in the auth as a service world, had a nasty bug where people with usernames longer than 52 characters could log in without providing the password (as long as there was a previously cached successful login). https://cybernews.com/security/okta-authentication-vulnerability/