Mar 06, 2026 · 5 min read

Cloudflare Says Bots Make 94% of All Login Attempts—And Nearly Half Your Emails Fail Authentication

The company that handles 20% of global web traffic just published its first annual threat report. The numbers paint a grim picture of how the internet actually works.

The Internet Is Mostly Bots Trying to Log In

Cloudflare processes roughly 20% of all web traffic on the planet. On March 3, 2026, the company released its inaugural annual threat report, and the headline number is staggering: bots account for 94% of all login attempts observed on its network.

That means for every human being typing a password into a login form, there are roughly 15 automated scripts doing the same thing. Most of those scripts are running through lists of stolen credentials, trying every username and password combination until one works.

But the report's findings go further than bot traffic. When Cloudflare isolated just the human login attempts, 46% involved credentials that had already been compromised in previous data breaches. Nearly half the people logging into things are using passwords that hackers already have.

230 Billion Threats a Day

Cloudflare's network blocks an average of 230 billion threats per day. That is not a typo. The scale reflects how industrialized cybercrime has become: automated tools cycling through stolen credentials, scanning for misconfigurations, and launching phishing campaigns at volumes that would have been unimaginable five years ago.

DDoS attacks more than doubled to 47.1 million in 2025, with network layer attacks tripling year over year. The largest single attack Cloudflare recorded hit 31.4 terabits per second, a UDP flood launched by the Aisuru botnet in November 2025. Most attacks lasted under 10 minutes, closing the window for any meaningful human response.

The Email Authentication Crisis

One of the report's most alarming findings concerns email. Cloudflare analyzed 450 million emails and found that basic authentication protocols are failing at scale:

  • 43% failed SPF checks (Sender Policy Framework, which verifies the sending server is authorized)
  • 44% lacked valid DKIM signatures (DomainKeys Identified Mail, which verifies the email wasn't altered in transit)
  • 46% failed DMARC validation (Domain-based Message Authentication, Reporting and Conformance, which ties SPF and DKIM together)

These are the three protocols that are supposed to stop email spoofing. When nearly half of all emails fail these checks, phishing-as-a-service operations can deliver spoofed messages impersonating trusted brands directly into inboxes. The top impersonated brands include Windows, SANS, Microsoft, Stripe, and Facebook.
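How DMARC ties the other two checks to the visible sender can be shown by evaluating a message's `Authentication-Results` header against its `From:` domain. The following is an added example, not code from Cloudflare or the report; the sample messages are constructed, the function names are hypothetical, and alignment is simplified to an equal-or-subdomain test instead of the Public Suffix List lookup real DMARC uses.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: SPF and DKIM both pass, but only for the sender's own
# infrastructure domain, while From: claims a different brand.
SPOOFED = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce.mailer-attacker.example;
 dkim=pass header.d=mailer-attacker.example
From: "Billing" <billing@payments.brand.example>

body
"""

# Constructed sample: SPF fails (forwarded mail), DKIM passes for the parent
# of the From: domain.
LEGIT = """\
Authentication-Results: mx.example.net;
 spf=fail smtp.mailfrom=relay.forwarder.example;
 dkim=pass header.d=brand.example
From: "Billing" <billing@payments.brand.example>

body
"""

def aligned(auth_domain, from_domain):
    # Assumption: simplified relaxed alignment (equal, or one is a subdomain
    # of the other). Real DMARC compares organizational domains via the PSL.
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def dmarc_verdict(raw):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    header = " ".join(msg.get_all("Authentication-Results", []))
    verdict = {"from": from_domain, "spf": False, "dkim": False}
    # A method result looks like "spf=pass smtp.mailfrom=domain" up to the ";".
    for method, prop in (("spf", r"smtp\.mailfrom"), ("dkim", r"header\.d")):
        for result, ident in re.findall(
                rf"\b{method}=(\w+)[^;]*?\b{prop}=([^\s;]+)", header):
            domain = ident.rpartition("@")[2]
            # A pass only counts toward DMARC if it is for the From: domain.
            if result == "pass" and aligned(domain, from_domain):
                verdict[method] = True
    verdict["dmarc"] = "pass" if verdict["spf"] or verdict["dkim"] else "fail"
    return verdict
```

The first message passes SPF and DKIM in isolation yet fails DMARC, because neither pass is for the domain shown in `From:`; the second fails SPF but passes DMARC on aligned DKIM alone.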

From Breaking In to Logging In

The report's central thesis is a fundamental shift in how attackers operate. Instead of exploiting software vulnerabilities to break into systems, they are simply logging in with stolen credentials. Blake Darché, head of Cloudflare's threat intelligence team Cloudforce One, put it bluntly: "You don't need to be sophisticated to be successful."

Infostealers like LummaC2 have made this shift possible. These malware strains do not just harvest passwords. They extract live session tokens from infected machines, which means attackers can bypass multi-factor authentication entirely. A stolen session token gives an attacker access to an already authenticated session. No password prompt. No MFA code. Just immediate access.

The data backs this up: 54% of ransomware incidents in 2025 were traced back to infostealer-enabled credential theft.

$123 Million in Business Email Compromise

Business email compromise remains one of the most profitable attack vectors. Cloudflare intercepted over $123 million in BEC theft attempts during 2025. The average attempt targeted approximately $49,225, a figure deliberately calibrated to fall below the approval thresholds that would trigger additional scrutiny at most organizations.

BEC attacks are particularly effective because they exploit trust rather than technology. An attacker who has compromised an executive's email account, often through stolen credentials or session tokens, can send payment instructions that appear completely legitimate. The email comes from the right address, uses the right tone, and references real business context.

Deepfakes in the Hiring Process

The report also documents an emerging threat: North Korean operatives using AI-generated deepfake profiles and fraudulent identification documents to bypass hiring filters at Western companies. Using US-based "laptop farms" to mask their true locations, these state-sponsored actors are embedding themselves directly into corporate payrolls.

Once inside, they have legitimate access to internal systems, code repositories, and communication channels. It is the ultimate credential-based attack: instead of stealing someone's login, you get hired and receive your own.

What This Means for You

The Cloudflare report confirms what security researchers have warned about for years: passwords alone are not enough, and even MFA can be circumvented by modern infostealers. The practical takeaways are straightforward:

  • Use a password manager and generate unique passwords for every service. If 46% of human logins use compromised credentials, password reuse is the single biggest risk factor.
  • Enable hardware security keys where possible. FIDO2 keys are resistant to the session token theft that infostealers exploit.
  • Be skeptical of email. When nearly half of all emails fail basic authentication, the "from" address means very little. Verify payment requests and sensitive instructions through a separate channel.
  • Monitor your accounts. Check for unfamiliar sessions and revoke any you do not recognize.

The internet's traffic patterns tell a clear story. The majority of login attempts are not humans. Nearly half of human logins use compromised passwords. And the email infrastructure that billions of people rely on fails to verify senders almost half the time. The attackers have not gotten more sophisticated. They have just gotten better at using the credentials we keep giving them.