OraCore Editors

Cloudflare Adds Account Abuse Protection for Fraud

Cloudflare's new fraud tools target fake signups, leaked credentials, and account takeover, with 6.9B suspicious logins blocked daily.

Cloudflare says its new Account Abuse Protection suite is already seeing serious volume: its account takeover detections caught an average of 6.9 billion suspicious login attempts per day over the last week. That number tells you where the problem is now. Fraud is no longer just a bot problem, and it is no longer limited to noisy login scripts.

The new features aim at fake signups, leaked credentials, and user-level abuse patterns that can slip past older defenses. Cloudflare is packaging them into early access for Bot Management Enterprise customers, with general availability for its fraud prevention offering planned later this year.

Why Cloudflare is widening the target

Cloudflare’s pitch is simple: the old question, “Is this automated?” is no longer enough. Attackers now mix bots with human operators, credential dumps, disposable inboxes, proxy networks, and AI tools that make abuse cheaper and faster to run. If a login comes from New York, London, and San Francisco in five minutes, the real question is whether the account activity is authentic.

That shift matters because account abuse hits the business at different points. Fake signups burn acquisition spend. Leaked credentials unlock real customer accounts. Promotion abuse drains incentives. Payment fraud can follow once an attacker has a trusted identity. Cloudflare’s answer is to add checks earlier in the flow and to connect those checks to the account itself rather than only to IP addresses.

The company also pointed to the scale of credential abuse across its network. Last year, Cloudflare said 41% of logins across its network used leaked credentials. In its Black Friday analysis for 2024, it found that more than 60% of traffic to login pages was automated. Those are not edge cases. They are the baseline.

  • 41% of logins across Cloudflare’s network used leaked credentials last year.
  • More than 60% of login-page traffic was automated in Cloudflare’s 2024 Black Friday analysis.
  • 6.9 billion suspicious login attempts were caught daily by ATO detections in the last week.
  • Cloudflare says a database with 16 billion records has increased pressure on password reuse.

What the new fraud tools actually do

The first two additions focus on signup abuse. The disposable email check detects throwaway addresses that are often used for fake account creation and trial abuse. The email risk feature sorts addresses into low-, medium-, and high-risk tiers based on patterns and infrastructure signals.

That may sound small, but it changes where a site can apply friction. A team can block disposable email domains, challenge suspicious signups, or route high-risk registrations into review. The key point is timing. If a fake user gets through signup, the site has already paid for acquisition, onboarding, and perhaps a trial credit or promo code.

Cloudflare is also rolling out Hashed User IDs, which are per-domain identifiers created by cryptographically hashing usernames. Cloudflare says it does not log or store the plaintext username as part of the service. That matters because the feature is meant to help teams reason about user-level behavior without turning the product into a privacy mess.

  • Disposable email check gives a binary signal for throwaway addresses.
  • Email risk returns three tiers: low, medium, and high.
  • Hashed User IDs are stable per domain and derived from usernames.
  • Cloudflare says plaintext usernames are not logged or stored for this feature.
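
To make the idea of a per-domain hashed identifier concrete, here is an added example (not Cloudflare's implementation or code from the announcement) that derives a stable pseudonym per domain and uses it to flag one account appearing from several cities within five minutes. The keyed HMAC-SHA256 construction, the domain names, the keys, the thresholds and the login events are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: one secret key per protected domain, so the same username
# maps to unrelated identifiers on different domains. Keys are constructed.
DOMAIN_KEYS = {"shop.example": b"constructed-key-1", "bank.example": b"constructed-key-2"}

def hashed_user_id(domain: str, username: str) -> str:
    """Stable per-domain pseudonym derived from the normalized username."""
    normalized = username.strip().lower().encode("utf-8")
    return hmac.new(DOMAIN_KEYS[domain], normalized, hashlib.sha256).hexdigest()[:16]

def flag_location_drift(events, window=timedelta(minutes=5), min_cities=3):
    """Return hashed IDs seen from >= min_cities distinct cities within `window`."""
    by_user = defaultdict(list)
    for domain, username, city, ts in events:
        # Only the hashed ID is kept from here on, never the plaintext username.
        by_user[hashed_user_id(domain, username)].append((datetime.fromisoformat(ts), city))
    flagged = set()
    for uid, seen in by_user.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            # Distinct cities observed in the window that opens at this login.
            cities = {c for t, c in seen[i:] if t - start <= window}
            if len(cities) >= min_cities:
                flagged.add(uid)
                break
    return flagged

# Constructed sample login events: (domain, username, source city, timestamp).
EVENTS = [
    ("shop.example", "alice@example.com", "New York", "2025-01-01T10:00:00"),
    ("shop.example", "Alice@Example.com ", "London", "2025-01-01T10:02:00"),
    ("shop.example", "alice@example.com", "San Francisco", "2025-01-01T10:04:30"),
    ("shop.example", "bob@example.com", "Berlin", "2025-01-01T10:00:00"),
    ("shop.example", "bob@example.com", "Berlin", "2025-01-01T10:03:00"),
    ("bank.example", "alice@example.com", "New York", "2025-01-01T10:01:00"),
]

if __name__ == "__main__":
    print(flag_location_drift(EVENTS))
```

Because the identifier is keyed per domain, the `bank.example` login by the same username does not join the `shop.example` history, and the correlation works without the analysis side ever holding the plaintext username.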

What Cloudflare is building on top of

This launch does not start from zero. In 2024, Cloudflare gave all customers leaked credential detection during Birthday Week, including those on the Free plan. It also added account takeover detection IDs as part of its bot management stack. The new account abuse suite ties those pieces together and adds user-level visibility on top.

Cloudflare’s own framing is telling. The company says attackers can rotate IPs easily, but forcing them to create credible accounts repeatedly adds friction. That is a smart move because IP reputation alone has been getting weaker for years. Residential proxies, mobile networks, and AI-assisted workflows make network-only defenses easier to sidestep.

For teams running consumer apps, marketplaces, fintech products, or any service with signups and logins, the practical difference is that abuse can be tracked by identity, not only by source address. That gives security teams a better shot at linking repeated bad behavior to one actor, even when the network trail keeps changing.

“The core question in this case is not ‘Is this automated?’ but rather ‘Is this authentic?’” — Jin-Hee Lee, Cloudflare, in the announcement of Account Abuse Protection

How it compares with older account defenses

Traditional bot protection is good at spotting obvious automation. It gets weaker when abuse looks human, or when a human is driving automation. Cloudflare’s new stack is aimed at that middle zone, where the attacker may be using leaked credentials, disposable email services, and proxy rotation in the same session.

Here is the practical comparison:

  • IP-only blocking: useful for noisy attacks, but weak against proxy rotation and residential networks.
  • Credential checks: useful for reused passwords, but they do not tell you whether a signup is fake or risky.
  • Signup risk scoring: useful for stopping bad accounts early, especially when free trials and promo abuse are involved.
  • User-level identifiers: useful for connecting suspicious activity across sessions and locations without storing plaintext usernames.

The comparison matters because fraud teams rarely get one clean signal. They get a mix of login anomalies, signup patterns, location drift, and account behavior. Cloudflare is trying to make those signals line up in one place: the Security analytics dashboard, Security rules, and Managed Transforms.

There is also a business angle here. If your product gives away credits, trials, or referral bonuses, then fake accounts are not a theoretical risk. They are a direct cost center. Cloudflare’s data suggests the scale is already large enough that teams need more than manual review and a few heuristic rules.

What this means for security teams

Cloudflare’s early access release is aimed at Bot Management Enterprise customers at no extra cost for a limited period. That makes this feel less like a standalone feature drop and more like a test bed for its broader fraud prevention push. The company says general availability for Cloudflare Fraud Prevention will arrive later this year.

If you run an app with signups, this is the kind of update worth measuring against your own numbers. How many of your signups come from disposable inboxes? How often do the same accounts log in from different countries in a day? How much of your login traffic is automated before it even reaches your app logic?

Cloudflare is betting that the answer to those questions should live in the security stack, not in a spreadsheet after the damage is done. My take: the next wave of account defense will look less like bot filtering and more like identity fraud analysis. If Cloudflare’s metrics hold up for customers, the teams that win will be the ones that start treating signup risk and login authenticity as product metrics, not just security alerts.

The immediate takeaway is straightforward: if your app depends on accounts, check whether you can already block disposable emails, score risky addresses, and correlate activity by user rather than by IP. If you cannot, this release is a good reminder that your current fraud controls may be one step behind the people attacking them.