Add captcha after failed login

Thanks for considering security!

We don't believe that this is a viable attack. I went into more detail in this post. Authentication takes some notable amount of time because we use bcrypt.

Even if you have an unencrypted database that an attacker gets access to, it would take them significant time and resources to get access to plain text passwords. Through the API, it would take much longer.

CAPTCHAs can help prevent basic bots, but they're easy to bypass and are a bad user experience. They also wouldn't help with direct API requests.