
94% of Login Attempts Are Bots. Most of the Rest Are Using Stolen Passwords.

Daniel Ryan Reiff

The 2026 Cloudflare Threat Report, published March 3rd, is built on telemetry from roughly 20% of the web, and it contains a number that reframes what "login security" actually means in 2026: 94% of all login attempts observed across Cloudflare's network in the last three months originated from bots rather than people. Of the logins that succeeded, 63% used credentials that had already been compromised in a breach elsewhere.

The picture those two numbers paint together is not a few bad actors testing a few passwords. It is automated credential stuffing operating as a permanent background condition of the internet, against any site with a login form.

This is not a "big company" problem.

The economics of these attacks have collapsed. Phishing-as-a-Service platforms rent the tooling by the month. Stolen credential lists trade in bulk on criminal marketplaces. Botnets probe millions of login forms in parallel, indifferent to whether the target is an enterprise or a small business. Cloudflare describes the underlying shift as the industrialization of cyber threats, and the word "industrialization" is precise. What once required an attacker's skill is now a commodity service. If your site has a login form, you are already in the queue.

Why the 63% figure carries greater significance than most appreciate

MFA is usually presented as the answer to password compromise, but according to the same 2026 report it is not sufficient on its own. Attackers increasingly bypass it outright: infostealer malware such as LummaC2 lifts already-authenticated session tokens from the victim's machine, and a replayed session never hits the MFA prompt. Cloudforce One traced 54% of the ransomware attacks reported in 2025 back to an infostealer infection. The recurring theme of the report is that attackers log in rather than hack in, because it is quicker, cheaper, and harder to detect.

What the Baseline Looks Like in 2026

The baseline for any organization with an authentication endpoint now includes controls that would have looked like overkill a couple of years ago. Two-factor authentication is effectively mandatory, but SMS is no longer a recommended second factor because of SIM swapping. Rate limiting login attempts per source IP and per account, locking an account after repeated failures, and challenging suspicious traffic with a CAPTCHA are not cutting-edge; they are basic hygiene. Failed logins need to be logged and reviewed, because credential stuffing and account reconnaissance show up first as a stream of failures, well before any successful compromise.
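The controls in that paragraph, as an added example in Python (not code from this post, from Cloudflare, or from any particular product): a sliding-window rate limit per source IP, an account lockout after consecutive failures, and an offline audit of the login log that flags the credential-stuffing signature, one IP trying many distinct usernames with almost no successes. The event format, the IP addresses, the usernames and the thresholds are all constructed for illustration and are assumptions, not values from the report.

```python
"""Login-endpoint hygiene as code: per-IP rate limiting, per-account lockout,
and an audit pass over login events that flags credential stuffing.

Added example, not from the original post. Event format, addresses,
usernames and thresholds are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# Thresholds (assumptions; tune to your own traffic).
RATE_LIMIT_WINDOW = 60       # seconds
RATE_LIMIT_MAX = 10          # attempts per IP per window
LOCKOUT_FAILURES = 5         # consecutive failures before the account locks
LOCKOUT_SECONDS = 900        # 15 minutes
STUFFING_MIN_USERS = 8       # distinct usernames from one IP ...
STUFFING_MAX_SUCCESS = 0.10  # ... with at most this success rate


@dataclass
class LoginEvent:
    ts: float        # unix seconds
    ip: str
    user: str
    success: bool


class LoginGuard:
    """Online controls applied to each attempt before the password is checked."""

    def __init__(self):
        self._ip_hits = defaultdict(deque)    # ip -> timestamps inside the window
        self._fail_streak = defaultdict(int)  # user -> consecutive failures
        self._locked_until = {}               # user -> unlock timestamp

    def check(self, ev):
        """Return 'allow', 'rate_limited' or 'locked'. Call record() afterwards
        with the real authentication outcome for allowed attempts."""
        if self._locked_until.get(ev.user, 0) > ev.ts:
            return "locked"
        hits = self._ip_hits[ev.ip]
        while hits and hits[0] <= ev.ts - RATE_LIMIT_WINDOW:
            hits.popleft()                    # expire attempts outside the window
        if len(hits) >= RATE_LIMIT_MAX:
            return "rate_limited"
        hits.append(ev.ts)
        return "allow"

    def record(self, ev):
        """Update the lockout state with the outcome of an allowed attempt."""
        if ev.success:
            self._fail_streak[ev.user] = 0
            return
        self._fail_streak[ev.user] += 1
        if self._fail_streak[ev.user] >= LOCKOUT_FAILURES:
            self._locked_until[ev.user] = ev.ts + LOCKOUT_SECONDS
            self._fail_streak[ev.user] = 0


def audit_failed_logins(events):
    """Offline audit: per source IP, count attempts, distinct usernames and
    successes. One IP spraying many usernames with almost no successes is the
    stuffing signature; a human mistyping one password on one account is not."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "successes": 0})
    for ev in events:
        s = per_ip[ev.ip]
        s["attempts"] += 1
        s["users"].add(ev.user)
        s["successes"] += int(ev.success)
    flagged = {}
    for ip, s in per_ip.items():
        rate = s["successes"] / s["attempts"]
        if len(s["users"]) >= STUFFING_MIN_USERS and rate <= STUFFING_MAX_SUCCESS:
            flagged[ip] = {"attempts": s["attempts"],
                           "distinct_users": len(s["users"]),
                           "success_rate": round(rate, 2)}
    return flagged


def sample_events():
    """Constructed sample traffic (assumption): a stuffing bot cycling a breached
    list across 12 accounts with one hit, a human fumbling one password, and a
    second bot brute-forcing a single account."""
    t = 1_700_000_000.0
    events = [LoginEvent(t + i * 2, "203.0.113.7", f"user{i}@example.com", i == 4)
              for i in range(12)]
    events += [LoginEvent(t + 5, "198.51.100.5", "alice@example.com", False),
               LoginEvent(t + 20, "198.51.100.5", "alice@example.com", False),
               LoginEvent(t + 45, "198.51.100.5", "alice@example.com", True)]
    events += [LoginEvent(t + 100 + i, "192.0.2.9", "bob@example.com", False)
               for i in range(7)]
    return sorted(events, key=lambda e: e.ts)


def replay(events):
    """Run the online controls over events in time order; return the guard and
    the per-event (ip, user, decision) list."""
    guard = LoginGuard()
    decisions = []
    for ev in events:
        d = guard.check(ev)
        if d == "allow":
            guard.record(ev)
        decisions.append((ev.ip, ev.user, d))
    return guard, decisions


if __name__ == "__main__":
    evs = sample_events()
    _, decs = replay(evs)
    for ip, user, d in decs:
        if d != "allow":
            print(f"{d:13s} {ip:14s} {user}")
    print("audit flagged:", audit_failed_logins(evs))
```

Two things worth noticing in the replay. The stuffing IP is flagged by the audit even though one of its twelve attempts succeeded; that single success is exactly the 63% case, a breached password that still works, and it would look like an ordinary login if the source IP's other eleven failures were never reviewed. The brute-force bot, by contrast, is never flagged by the audit (one username) and is stopped by the lockout instead, which is why both controls are needed. None of this helps against a replayed session token, which is the point of the previous section.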

Bot management at the edge, whether via Cloudflare, another CDN with WAF capabilities, or a dedicated service, drops most of that automated traffic, the 94%, before it ever reaches the origin, so the origin's own rate limits and lockouts only have to handle the remainder.

The gap is not technical.

Every one of these controls exists, is documented, and is available at prices that scale down to small businesses. The gap is not in technology. It is in the assumption still running quietly under most security postures: that the traffic hitting a login form is mostly legitimate, and that attackers are a minority to be filtered out. The Cloudflare data describes the opposite condition. Automated attack traffic is the baseline, and legitimate human logins are the smaller signal inside it.

A security posture that still assumes otherwise is not a posture. It is a liability waiting to be itemized.