The system receives a stream of authentication events, which are associated with authentication events. Next, the system attempts to detect a formation of authentication events, wherein a formation comprises a time window of authentication events that satisfy a formation criterion, which is based on one or more of: a username for the authentication attempt, an Internet Protocol (IP) address from which the authentication attempt originated, and a resource identifier for a computing resource that the authentication attempt was directed to. If a formation is detected, the system determines a number of valid usernames in the formation. If the number of valid usernames is one or less, the system computes a username similarity score for authentication events in the formation, which is a function of a string distance between usernames in the formation. If the username similarity score exceeds a threshold value, the system reports a potential username guessing attack.