Account Abuse Protection Now Available in Early Access
Cloudflare is expanding its security offerings with Account Abuse Protection, a new suite of fraud prevention capabilities designed to combat account abuse from both automated and human attackers. The feature combines existing tools with new detection mechanisms to help website owners identify suspicious account activity and fraudulent behavior patterns.
New Detection Capabilities
The announcement introduces several new features:
- Disposable Email Check: Identifies and helps enforce security policies for users signing up with throwaway email addresses, a common tactic in fake account creation and promotion abuse
- Email Risk Detection: Flags emails deemed risky based on patterns and infrastructure analysis
- Hashed User IDs: Per-domain identifiers generated by cryptographically hashing usernames, enabling better insight into suspicious account activity without compromising user privacy
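As an added illustration of the Hashed User IDs idea (not Cloudflare's implementation, which the announcement does not detail), the sketch below derives a per-domain identifier with HMAC-SHA256 and uses it to spot one source failing logins against many distinct accounts without handling raw usernames downstream. The keyed-hash construction, secret, normalisation, threshold, function names and sample events are all assumptions made for this example.

```python
import hashlib
import hmac
from collections import defaultdict

def hashed_user_id(username: str, domain: str, secret: bytes) -> str:
    """Pseudonymous per-domain ID (assumed construction: HMAC-SHA256)."""
    # Normalise so "Dave " and "dave" map to the same identifier.
    norm = username.strip().lower().encode("utf-8")
    # Derive a domain-scoped key so the same username hashes differently
    # on every domain and IDs cannot be correlated across sites.
    key = hmac.new(secret, domain.lower().encode("utf-8"), hashlib.sha256).digest()
    return hmac.new(key, norm, hashlib.sha256).hexdigest()[:16]

def flag_spraying_sources(events, domain, secret, threshold=3):
    """Return source IPs whose failed logins hit >= threshold distinct hashed IDs."""
    seen = defaultdict(set)
    for ip, username, success in events:
        if not success:
            seen[ip].add(hashed_user_id(username, domain, secret))
    return sorted(ip for ip, ids in seen.items() if len(ids) >= threshold)

# Constructed sample data: (source IP, submitted username, login succeeded)
SECRET = b"constructed-demo-secret"
EVENTS = [
    ("198.51.100.7", "alice", False),
    ("198.51.100.7", "bob", False),
    ("198.51.100.7", "carol", False),   # third distinct account from one source
    ("203.0.113.9", "dave", False),
    ("203.0.113.9", "Dave ", False),    # same user retyping, not a new account
    ("203.0.113.9", "dave", True),
]

if __name__ == "__main__":
    print(flag_spraying_sources(EVENTS, "shop.example", SECRET))
```

Using a keyed hash rather than a bare digest matters here: usernames are low-entropy, so an unkeyed hash could be reversed by hashing a list of candidate names.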
Combating the Leaked Credential Problem
The announcement highlights critical vulnerabilities in the current authentication landscape:
- 41% of logins across Cloudflare's network use leaked credentials, a number that continues to grow following massive data breaches (including a recent 16-billion-record exposure)
- Users frequently reuse passwords across platforms, meaning old breaches can unlock high-value accounts years later
- Over 60% of login page traffic during Black Friday 2024 was automated, with account takeover (ATO) detections catching an average of 6.9 billion suspicious login attempts daily across the network
Cloudflare's existing leaked credential check (available free to all customers) verifies passwords against known data breaches using privacy-preserving hashing, without storing or accessing plaintext passwords.
Addressing Hybrid Threats
The platform recognizes that modern fraud threats span both automation and human-powered attacks. Attackers now operate at scale by leveraging credential leaks, using human fraud farms to spoof devices and locations, and creating synthetic identities for account abuse and platform manipulation. Account Abuse Protection moves beyond simple automation detection to identify suspicious intent and risky identities.
Availability and Pricing
Account Abuse Protection is available in Early Access, with all Bot Management Enterprise customers able to access the new features at no additional cost for a limited period until general availability of Cloudflare Fraud Prevention later in 2026. Interested customers can sign up for early access on Cloudflare's website.