Password reuse continues to be one of the most significant security vulnerabilities in 2025, with alarming new data showing nearly half of all successful website logins involve previously exposed credentials. This widespread practice of recycling passwords across multiple services creates a cascading security risk that affects millions of users daily, even as awareness about online security continues to grow. Based on traffic observed between September and November 2024, approximately 41% of successful logins across websites protected by Cloudflare involve compromised passwords that were previously leaked in data breaches. The data reveals a troubling pattern of successful account breaches that put both individual users and organizations at significant risk of unauthorized access, data theft, and further security compromises.

Cloudflare researchers identified that the problem extends far beyond individual users, with 52% of all detected authentication requests containing leaked passwords found in their database of over 15 billion compromised records. This massive database includes the Have I Been Pwned (HIBP) dataset and represents hundreds of millions of daily authentication requests from both humans and automated systems.

Perhaps most concerning is the discovery that 95% of login attempts involving leaked passwords come from bots, indicating organized credential stuffing attacks targeting vulnerable websites. These automated systems systematically test thousands of username and password combinations per second, exploiting the human tendency to reuse credentials across services.

Content Management Systems, particularly WordPress websites, are experiencing disproportionate impacts from credential stuffing attacks. Due to its widespread adoption and recognizable login page format, WordPress has become a primary target for attackers exploiting compromised passwords. The analysis revealed that an alarming 76% of leaked password login attempts against WordPress sites are successful, with nearly half (48%) of these successful compromises being executed by bots. This indicates that automated systems are effectively breaching WordPress installations at scale, often as the first step in more sophisticated account takeover attacks.

To protect against these threats, security experts recommend implementing unique passwords for each online service, enabling multi-factor authentication wherever possible, and considering more secure authentication methods like passkeys. Website administrators should activate leaked credential detection, implement rate limiting, and deploy bot management tools to minimize automated attack impacts.

Tushar is a cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in cyber security, he is covering Cyber Security News, technology and other news.
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 19 Mar 2025 16:00:35 +0000