Hackers know half of passwords entered online, Cloudflare finds


People use already compromised passwords 41% of the time when logging into email, streaming services, social networks, or any other online services, Cloudflare’s analysis reveals.

Password reuse is rampant, as many users recycle credentials across multiple services, “creating a ripple effect of risk when their credentials are leaked,” Cloudflare, a cloud security company, warns.

Cloudflare analyzed traffic between September and November of 2024 and discovered that 41% of successful logins across websites involved already leaked or otherwise compromised passwords.


The real percentage might be even higher, as Cloudflare used its own database of over 15 billion leaked passwords, including the dataset from the Have I Been Pwned service. Cloudflare, often compared to the backbone of the modern internet, analyzed traffic to its 30 million internet properties, which account for around 20% of the web.

“Even after major breaches, many individuals don’t change their compromised passwords or still use variations of them across different services. For these users, it’s not a matter of ‘if’ attackers will use their compromised passwords, it’s a matter of ‘when,’” the tech giant said.

The situation is worse when counting all authentication requests, including unsuccessful login attempts. Fueled by bots, 52% of all detected authentication requests contain leaked passwords.

Bots constantly perform credential-stuffing attacks, and the data indicates that 95% of login attempts involving leaked passwords come from bots.

“Bots systematically target websites at scale, testing thousands of login combinations in seconds,” the report explains. “Once bots successfully breach one account, attackers reuse the same credentials across other services to amplify their reach.”

Among the frequent targets are popular content management systems (CMS) used to build websites, such as WordPress, Joomla, Drupal, and other platforms.

Researchers found that 76% of leaked password login attempts succeed on WordPress sites, and half of them are bot-driven.


“This is a shocking figure that indicates nearly half of all successful logins are executed by unauthorized systems designed to exploit stolen credentials. Successful unauthorized access is often the first step in account takeover (ATO) attacks,” Cloudflare warns.

Only 5% of login attempts using known leaked passwords are denied on WordPress systems, signaling the lack of security measures such as rate limiting or multi-factor authentication (MFA).

Cloudflare analyzed login attempts using a privacy-preserving method, meaning the passwords were hashed – converted into a fixed-length string of characters by a one-way cryptographic function that cannot practically be reversed. This allows it to compare hashes against its leaked-password database without knowing the underlying password.
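The hashed comparison described above, as an added example that is not Cloudflare's or Have I Been Pwned's own code: it models the k-anonymity range lookup that the Pwned Passwords API uses (SHA-1, 5-character prefix), with a constructed five-entry leak list standing in for a billions-of-entries database, and a hypothetical login policy that combines the result with a bot signal of the kind the report describes.

```python
import hashlib
from collections import defaultdict

# Constructed sample standing in for a breach corpus (assumption, not real leak data).
LEAKED_PLAINTEXTS = ["password123", "qwerty", "letmein", "Summer2024!", "123456"]


def sha1_hex(password: str) -> str:
    """SHA-1 of the UTF-8 password as upper-case hex, the form the HIBP range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(plaintexts):
    """Server side: store only digests, bucketed by their first 5 hex characters.
    The plaintexts are discarded; the index never learns a user's live password."""
    index = defaultdict(set)
    for pw in plaintexts:
        h = sha1_hex(pw)
        index[h[:5]].add(h[5:])
    return index


LEAKED_INDEX = build_range_index(LEAKED_PLAINTEXTS)


def range_query(index, prefix: str):
    """Server side: return every 35-char suffix in the requested 5-char prefix bucket.
    The server sees only the prefix, so the bucket is a k-anonymity set."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return sorted(index.get(prefix.upper(), ()))


def is_compromised(index, password: str) -> bool:
    """Client side: hash locally, send the prefix, match the suffix at home.
    Neither the plaintext nor the full hash leaves the client."""
    h = sha1_hex(password)
    return h[5:] in range_query(index, h[:5])


def login_decision(index, password: str, bot_like: bool) -> str:
    """Hypothetical policy for a correct password: a leaked credential from a bot-like
    client is denied; a leaked credential from a human gets MFA and a forced reset."""
    if not is_compromised(index, password):
        return "allow"
    return "deny" if bot_like else "step_up_mfa_and_reset"


if __name__ == "__main__":
    for pw in ("password123", "correct-horse-battery-staple-7Qz"):
        print(pw, "->", login_decision(LEAKED_INDEX, pw, bot_like=False))
```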