Research
41% of Logins Use Breached Passwords
Analysis of billions of authentication requests reveals 41% of successful human logins use passwords already in breach databases. Breaches are not break-ins. They are logins.
Key Finding
Including bot traffic, 52% of all authentication requests use leaked credentials. In the first week of March 2025, the figure reached 64%.
Cloudflare's analysis of traffic across their network from September to November 2024 produced a finding that should redefine how we think about identity security: 41% of successful human logins involve passwords already present in known breach databases.
When bot traffic is included, the number rises to 52%. During a sample week in March 2025, leaked credentials appeared in 64% of all authorization requests.
This is not a theoretical risk. It means that nearly half of all "legitimate" logins are indistinguishable from credential stuffing attacks. The line between an authorized user and an attacker has effectively disappeared.
From an identity architecture perspective, this data makes a compelling case that password-based authentication, even with basic MFA, is no longer a defensible primary control. Organizations need to assume that credentials are already compromised and design their identity architecture accordingly: phishing-resistant MFA, continuous session evaluation, and anomaly detection on every authentication event.
The implication for incident response is equally stark. If half of logins use breached passwords, then "detecting compromised credentials" is not a detection problem. It is an architecture problem. You cannot detect what looks identical to normal behavior.
Need help with your identity architecture?
Every incident on this page was preventable with the right architecture. Let's talk about yours.
Book a Conversation