
Attacks don't break in anymore, they log in

Cloudflare's latest threat report shows a shift toward identity attacks, session theft, and phishing. Here's what that means for SMBs.

The shift is not brute force

Cloudflare's latest Threat Report describes a clear change in attacker behavior: fewer campaigns are focused on breaking systems outright, and more are focused on impersonating legitimate users. In practice, that means more bots, more credential reuse, more stolen sessions, and more abuse of mailboxes.

Help Net Security highlighted one striking finding from the report: bots account for 94% of login attempts observed on Cloudflare's network. That is more than a headline number. It is a reminder that login has become the front line, not a routine step on the way in.

Why attacks are moving to login

Three trends reinforce each other.

  • Automated tooling can test millions of stolen credentials at high speed.
  • Attackers increasingly steal active sessions, which can bypass parts of the traditional control stack.
  • Phishing and identity spoofing still work because they exploit trust, not just technical flaws.

In that environment, a strong password is still useful, but it is no longer enough on its own.

What this means for an SMB

If your critical access depends on a cloud stack, the attack surface converges in the same place: accounts, email, sessions, and password recovery. That is exactly where attackers want to be.

The answer is not more complexity for its own sake. It is reducing the value of a single point of compromise.

What to prioritize

  • Unique, locally generated passwords.
  • Passkeys where they are available, especially for the most exposed accounts.
  • Shorter-lived sessions and monitoring for unusual sign-ins.
  • Clear separation between personal, admin, and business accounts.
  • Local-first storage for sensitive credentials so you avoid a centralized high-value vault.

Soclyde follows that model: your vaults stay on your devices, which reduces the appeal of a central target and lowers daily dependence on cloud access.

Why local-first helps

With a local-first model, attackers do not find a single cloud repository they can target for mass exfiltration. They have to focus on concrete devices, with a smaller blast radius and tighter control boundaries.

That does not make security automatic. It does reduce the value of the centralized "big vault" and puts more control back in the user's hands.

The practical question

When attacks focus on login, the real question is no longer only "is my password strong?" The better question is: "what happens if a credential is stolen?"

If you want to revisit that strategy for your team, talk to Soclyde.
