Yes that's what companies do. I worked on the system there that addressed this. If you can detect a botted login you can lock the account until the real user is able to get new credentials, or block activity in other ways. Not a lost cause at all.

It was very effective when this problem was new. Don't know about the current state of things.