Cloudflare sees 94% AI login attempts
- Cloudflare’s first 2026 Threat Report says the login page is now the main battlefield — 94% of login attempts on its network came from bots.
- The sharper detail is what those bots are doing: 63% of all logins involved credentials already exposed elsewhere, and stolen session tokens bypassed MFA.
- The shift is from “break in” to “log in” — faster, cheaper attacks using cloud apps, SaaS trust, and AI-assisted automation.

Identity is the story here. Not malware in the old sense. Not some movie-style zero-day every time. Cloudflare’s new 2026 Threat Report says attackers are increasingly winning by showing up with valid-looking access — and at huge scale, with 94% of login attempts on its network now coming from bots. That matters because login systems were built for people. Attackers are now treating them like programmable infrastructure. (blog.cloudflare.com)

### Why is the login page the real target?

Because it is cheaper to impersonate a user than to smash through a perimeter. Cloudflare frames the shift pretty bluntly — brute-force intrusion is fading, and “high-trust exploitation” is taking over. In practice, that means attackers would rather use stolen credentials, hijacked sessions, and trusted SaaS pathways than burn expensive exploits. (blog.cloudflare.com)

### What does the 94% number actually mean?

It does not mean 94% of successful logins were fake. It means 94% of all login attempts Cloudflare observed were automated bot traffic. That is the scale signal. The login box is being hammered mostly by software, not humans, which changes the economics of fraud, credential stuffing, and account takeover. (blog.cloudflare.com)

### Where are those bots getting their access?

A lot of the time, from old breaches. Cloudflare says 63% of all logins involved credentials that had already been compromised elsewhere. So the classic username-and-password combo is still useful to attackers, especially when users recycle passwords across services. The bot does not need to be clever if the password already works. (blog.cloudflare.com)

### Why doesn’t MFA stop this?

Because the nastier version of the attack skips the password challenge entirely. Cloudflare highlights infostealers that grab live session tokens from infected machines. A session token is basically the “already proved I’m me” receipt your browser keeps after login.
Steal that, and an attacker can ride an authenticated session straight past […] (blog.cloudflare.com) […] this itself — it described a 2023 Okta-related compromise where a hijacked session token was part of the intrusion path. (blog.cloudflare.com)

### Where does AI fit in?

Mostly in speed and orchestration. Cloudflare’s point is not that every bot is some autonomous super-agent. It is that AI lowers the labor cost of linking pieces together — discovery, phishing, credential use, cloud-service abuse, and workflow automation. The barrier to running a sophisticated campaign drops when the connective tissue can be automated. (blog.cloudflare.com)

### Why are cloud apps part of the problem?

Because trust has moved there. Attackers are increasingly “living off the XaaS,” using legitimate cloud and SaaS services as cover, infrastructure, or access paths. That makes detection harder. A login from a real browser, through a real identity provider, into a real SaaS app can still be malicious if the session or token behind it was stolen. (blog.cloudflare.com)

### So what are defenders supposed to change?

The obvious answer is “turn on MFA,” but that is now table stakes, not the finish line. The harder fixes are around session security and blast radius — shorter-lived tokens, tighter token rotation, device binding where possible, least-privilege access in SaaS, stronger bot detection, and better hygiene around APIs and service[…] (blog.cloudflare.com) […] “looks trusted,” then the defense has to verify trust continuously, not just once at the front door. (blog.cloudflare.com)

### Is this just a Cloudflare problem?

No — the report’s weight comes from Cloudflare’s vantage point across roughly 20% of the web. That does not make every environment identical, but it does make the directional shift hard to dismiss. The broader message is simple: attackers are optimizing for return on effort, and identity abuse now pays better than flashy exploitation.
(blog.cloudflare.com)

### Bottom line

The headline number is big, but the deeper shift matters more. The attack surface is no longer just your software flaws. It is your login flows, your browser sessions, your SaaS permissions, and every trusted token moving between them. (blog.cloudflare.com)
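
The session-security fixes listed under "So what are defenders supposed to change?" (shorter-lived tokens, token rotation, device binding) can be shown in one server-side check. This is an added example, not code from the report or from Cloudflare: `SessionStore`, the verdict strings and `device_key` are hypothetical names, and `device_key` stands in for proof of possession of a key that cannot be copied off the device together with the token.

```python
import hashlib
import hmac
import secrets

def _h(value):
    return hashlib.sha256(value.encode()).hexdigest()

class SessionStore:
    """Short-lived, rotating, device-bound session tokens (server side)."""
    def __init__(self, ttl=300):
        self.ttl = ttl
        self.live = {}        # token hash -> (family, device hash, expiry)
        self.retired = {}     # rotated-out token hash -> family
        self.revoked = set()  # families killed after a theft signal

    def issue(self, device_key, now, family=None):
        token = secrets.token_urlsafe(32)
        family = family or secrets.token_hex(8)
        self.live[_h(token)] = (family, _h(device_key), now + self.ttl)
        return token

    def use(self, token, device_key, now):
        """Validate one request; return (verdict, replacement token or None)."""
        th = _h(token)
        if th in self.retired:  # an already-rotated token came back: a copy exists
            self.revoked.add(self.retired[th])
            return "reuse-detected", None
        record = self.live.get(th)
        if record is None:
            return "unknown", None
        family, device_hash, expiry = record
        if family in self.revoked:
            return "revoked", None
        if now >= expiry:
            return "expired", None
        if not hmac.compare_digest(device_hash, _h(device_key)):
            self.revoked.add(family)  # right token, wrong device
            return "device-mismatch", None
        self.retired[th] = self.live.pop(th)[0]  # rotate: the old token is now a tripwire
        return "ok", self.issue(device_key, now, family)

def replay_scenarios():
    """Constructed scenario: one token is copied and replayed by a second party."""
    store = SessionStore(ttl=300)
    t0 = store.issue("laptop-key", now=0)
    first, t1 = store.use(t0, "laptop-key", now=10)  # real user, token rotates
    replay, _ = store.use(t0, "other-key", now=20)   # copied token arrives late
    after, _ = store.use(t1, "laptop-key", now=30)   # whole family is dead
    return [first, replay, after]
```

The forced re-login in the last step is the point: the server cannot tell which party held the copy, so it ends the session for both and makes the user authenticate again.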