Password reuse is rampant: nearly half of observed user logins are compromised

Of the successful leaked password login attempts on WordPress sites, 48% are bot-driven. The remaining 52% of successful logins on WordPress sites originate from legitimate, non-bot users.

59% of human traffic is clean from leaked credentials against 41% with leaked passwords.

Only 5% of leaked password login attempts result in access being denied. 90% of these denied requests are bot-driven. The remaining 19% of login attempts fall under other outcomes, such as timeouts or users who changed their passwords

When including bot-driven traffic, 52% of all detected authentication requests contain leaked passwords.

95% of login attempts involving leaked passwords are coming from bots.

Based on Cloudflare's observed traffic between September - November 2024, 41% of successful logins across websites protected by Cloudflare involve compromised passwords.

76% of leaked password login attempts for websites built on WordPress are successful.

Approximately 41% of successful human authentication attempts involve leaked credentials.