Account login was the highest risk stage in Canada, with a suspected digital fraud rate of 13.0%.

SpyCloud recaptured 7 million stolen credential records for third-party applications in 2024, a 48% increase from the year prior.

Only 5% of leaked password login attempts result in access being denied. 90% of these denied requests are bot-driven. The remaining 19% of login attempts fall under other outcomes, such as timeouts or users who changed their passwords

When including bot-driven traffic, 52% of all detected authentication requests contain leaked passwords.

Of the successful leaked password login attempts on WordPress sites, 48% are bot-driven. The remaining 52% of successful logins on WordPress sites originate from legitimate, non-bot users.

Based on Cloudflare's observed traffic between September - November 2024, 41% of successful logins across websites protected by Cloudflare involve compromised passwords.

76% of leaked password login attempts for websites built on WordPress are successful.

Approximately 41% of successful human authentication attempts involve leaked credentials.

95% of login attempts involving leaked passwords are coming from bots.

59% of human traffic is clean from leaked credentials against 41% with leaked passwords.