Cloudflare announces Account Abuse Protection: stopping fraud carried out by bots and humans
Cloudflare has released "Account Abuse Protection", a feature set for stopping hybrid bot-and-human abuse, in Early Access. Together with its leaked credentials check and newly introduced hashed (pseudonymous) user IDs, it is designed to prevent fraud without compromising end-user privacy.
Key points
Responding to hybrid abuse
Detects complex abuse that combines bots and humans (for example, impossible travel) and proposes a new defensive criterion: asking "Is this authentic?" rather than "Is this automated?".
Privacy-preserving identifiers
Introduces "Hashed User IDs", generated by cryptographically hashing the username per domain, so that abuse patterns can be tracked without compromising end-user privacy.
Integration with existing security features
Combines a disposable email check and email risk scoring with the existing leaked credentials check and Bot Management, systematically raising the bar for fraudulent account creation.
Access and schedule
Bot Management Enterprise customers can use the features at no additional cost until the general availability (GA) of Cloudflare Fraud Prevention later this year. Early Access sign-ups are open.
Leaked credentials check
A free feature that, in a privacy-preserving design, compares passwords against databases of known data breaches using only password hashes, without retrieving or storing the plaintext.
Account takeover (ATO) detection and automated-traffic countermeasures
During Black Friday 2024, more than 60% of login-page traffic across Cloudflare's network was automated. ATO-specific detections caught an average of 6.9 billion suspicious login attempts per day, which can be viewed and mitigated in the Security analytics dashboard.
A defense strategy that moves from automation to intent and identity
Because attackers combine massive credential leaks, human-powered fraud farms and synthetic identities, Cloudflare provides layered defenses that check "intent and identity" rather than detecting automation alone.
Impact analysis
This announcement goes beyond simple bot mitigation and standardizes a response to "industrialized fraud" that combines humans and automated tools. The privacy-preserving hashed IDs in particular offer a practical framework for applying fraud prevention even under data regulations such as GDPR, and are likely to update best practices in the web security industry.
Editorial comment
The feature list is typical of a press release and should be read with that in mind, but the design philosophy behind "Hashed User IDs", which reconciles privacy protection with fraud detection, is a useful reference for web security implementations in an era of tightening regulation.
Today, Cloudflare is introducing a new suite of fraud prevention capabilities designed to stop account abuse before it starts. We've spent years empowering Cloudflare customers to protect their applications from automated attacks, but the threat landscape has evolved. The industrialization of hybrid automated-and-human abuse presents a complex security challenge to website owners. Consider, for instance, a single account that’s accessed from New York, London, and San Francisco in the same five minutes. The core question in this case is not “Is this automated?” but rather “Is this authentic?”
Website owners need the tools to stop abuse on their website, no matter who it’s coming from.
During our Birthday Week in 2024, we gifted leaked credentials detection to all customers, including everyone on a Free plan. Since then, we've added account takeover detection IDs as part of our bot management solution to help identify bots attacking your login pages.
Now, we’re combining these powerful tools with new ones. Disposable email check and email risk help you enforce security preferences for users who sign up with throwaway email addresses, a common tactic for fake account creation and promotion abuse, or whose emails are deemed risky based on email patterns and infrastructure. We’re also thrilled to introduce Hashed User IDs — per-domain identifiers generated by cryptographically hashing usernames — that give customers better insight into suspicious account activity and greater ability to mitigate potentially fraudulent traffic, without compromising end user privacy.
The new capabilities we’re announcing today go beyond automation, identifying abusive behavior and risky identities among human users and bots. Account Abuse Protection is available in Early Access, and any Bot Management Enterprise customer can use these features at no additional cost for a limited period, until the general availability of Cloudflare Fraud Prevention later this year. If you want to learn more about this Early Access capability, sign up here.
Leaked credentials make logins all too vulnerable
The barrier to entry for fraudulent behavior is dangerously low, especially with the availability of massive datasets and access to automated tools that commit account fraud at scale. Website owners aren’t just dealing with individual hackers, but industrialized fraud. Last year, we highlighted how 41% of logins across our network use leaked credentials. This number has only grown following the exposure of a database holding 16 billion records, and multiple high-profile breaches have since come to light.
What’s more, users reuse passwords across multiple platforms, meaning a single leak from years ago can still unlock a high-value retail account, or even a bank account, today. Our leaked credentials check is a free feature that checks whether a password has been exposed in a known data breach of another service or application on the Internet. It is a privacy-preserving credential checking service: Cloudflare performs the comparison without accessing or storing plaintext end user passwords. Passwords are hashed, that is, passed through a one-way cryptographic function that produces a fixed-length digest from which the password cannot be recovered, and only the digest is compared against the database of leaked credentials. If you haven’t already turned on our leaked credentials check, enable it now to keep your accounts safe from credential-stuffing attacks.
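As an added illustration, not Cloudflare's code (the post does not describe the exact comparison protocol it uses), here is a privacy-preserving password check in Python of the kind the paragraph describes. It uses the prefix-range ("k-anonymity") pattern popularised by the Have I Been Pwned Pwned Passwords API: the client hashes the password locally, sends only the first five hex characters of the digest, and compares the remainder against the returned shard, so neither the plaintext nor the full digest leaves the caller. `BreachCorpus`, `password_is_leaked` and `assess_login` are this example's own names, and the leaked-password list standing in for a breach database is constructed.

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Digest used as the lookup key. SHA-1 is chosen only because the public
    Pwned Passwords corpus is keyed on it; this is not a password-storage hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachCorpus:
    """Server side of the check. Digests of leaked passwords are sharded by their
    first five hex characters, and every query is recorded so the example can
    show exactly what the server learns about the password being checked."""

    def __init__(self, leaked_passwords):
        self.shards = {}
        self.queries_seen = []
        for pw in leaked_passwords:
            digest = sha1_hex(pw)
            self.shards.setdefault(digest[:5], set()).add(digest[5:])

    def range_query(self, prefix: str) -> set:
        self.queries_seen.append(prefix)
        return set(self.shards.get(prefix.upper(), ()))


# Constructed stand-in for a breach database: a handful of passwords that appear in
# well-known leaks. A real corpus holds billions of entries.
CORPUS = BreachCorpus(["password", "123456", "qwerty", "letmein"])


def password_is_leaked(password: str, corpus: BreachCorpus = CORPUS) -> bool:
    """Client side: hash locally, send only the 5-character prefix, and compare the
    remaining 35 characters against the returned shard. Neither the plaintext nor
    the full digest leaves the caller, and the server cannot tell which of the
    candidates under that prefix was being checked."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in corpus.range_query(prefix)


def assess_login(username: str, password: str, corpus: BreachCorpus = CORPUS) -> dict:
    """Turn the check into the kind of per-request signal a security rule acts on.
    A leaked password on a login does not by itself prove the request is hostile
    (the real user may simply reuse passwords), so this illustrative policy
    challenges rather than blocks."""
    leaked = password_is_leaked(password, corpus)
    return {"username": username, "password_leaked": leaked,
            "action": "challenge" if leaked else "allow"}


if __name__ == "__main__":
    for user, pw in [("alice", "password"), ("bob", "correct horse battery staple")]:
        print(assess_login(user, pw))
    print("server observed only these prefixes:", CORPUS.queries_seen)
```

The `queries_seen` list is there to make the privacy property checkable: after any number of lookups the server holds nothing but five-character prefixes, each of which covers many unrelated passwords.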
Access to a large database of leaked credentials is only useful if an attacker can cycle through them quickly across many sites to identify which accounts are still vulnerable due to password reuse. In our Black Friday analysis in 2024, we observed that more than 60% of traffic to login pages across our network was automated. That’s a lot of bots trying to break in.
To help customers protect their login endpoints from constant bombardment, we added account takeover (ATO)-specific detections to highlight suspicious traffic patterns. This is part of our recent focus on per-customer detections, in which we provide behavioral anomaly detection unique to each bot management customer. Today, bot management customers can see and mitigate attempted ATO attacks in their login requests directly on the Security analytics dashboard.
Figure: In the card on the left within the Security analytics dashboard, you can view and address attempted account takeover attacks.
In the last week, our ATO detections combined caught an average of 6.9 billion suspicious login attempts daily, across our network. These ATO detections, along with the many other detection mechanisms in our bot management solution, create a layered defense against ATO and other malicious automated attacks.
From automation to intent and identity
To discern automation, or to discern intent and identity? That is the question. Our answer: yes and yes, as both are critical layers of a robust security posture. Attackers now operate at a scale previously reserved for enterprise services: they leverage massive credential leaks, use human-powered fraud farms to spoof devices and locations, and create synthetic identities to maintain thousands — even millions — of fake accounts for promotion and platform abuse. A human being with automated tools could be draining accounts, abusing promotions, committing payment fraud, or all of the above.
Beyond that, automation is accessible like never before, particularly as users become better acquainted with using AI agents and even long-standing, “traditional” browsers move toward having agentic capabilities by default. Whether it’s a lone actor using an AI agent or a coordinated fraud campaign, the threat isn’t as simple as a single script — it can involve human intent, with automated execution.
Consider the following scenarios we’ve heard from our customers:
We have 1,000 new users this month, but more than half of them are fake identities who benefit from a free trial, then disappear.
The attacker logged in with the correct password, so how do I know that it isn’t the real user?
This entity is acting at human pace, and they are draining accounts.
These problems can't be solved by only assessing automation; they require checking for authenticity and integrity. This is the gap that our dedicated fraud prevention capabilities address.
Assessing suspicious emails
Let’s start by assessing the earliest point of potential account abuse: account creation. Fake or bulk account creation is one of the biggest topics in conversations about website fraud, as it can open the door for attackers to access an application — or even an entire business model.
Cloudflare is giving customers the tools to assess suspicious account creation at the source in two ways:
Disposable email check: Detect when users sign up with disposable, or throwaway, email addresses commonly used for promotion abuse and fake account creation. These disposable email services allow attackers to spin up thousands of "unique" accounts without maintaining real infrastructure, particularly unauthenticated disposable emails that provide instant access without account creation or free unlimited email aliases. Customers can use this binary field as they build rules to enforce security preferences, choosing to block all disposable emails outright, or perhaps issuing a challenge to anyone attempting to create an account with a disposable email.
Email risk: Cloudflare analyzes email patterns and infrastructure to provide risk tiers (low, medium, high) that customers can use in security rules. We know that not all email addresses are created equal; an address with the format firstname.lastname@knowndomain.com carries different risk characteristics than xk7q9m2p@newdomain.xyz. Email risk tiers allow customers to express their tolerance for risk and friction at the point of account creation.
Both disposable email check and email risk are now available in security analytics and security rules, equipping website owners to protect their account creation flow. These detections address a fundamental problem: by the time an account is committing abuse, it's already too late. The website owner has already paid acquisition costs, the fraudulent user has consumed promotional credits, and remediation requires manual review. Mitigating suspicious emails means adding the appropriate friction at signup — the moment it matters most.
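The post describes the disposable-email signal as a binary field and email risk as a three-tier field that customers combine in rules (block outright, or challenge). As an added example, not Cloudflare's code, the Python below shows the two halves a practitioner has to get right when building such a rule: normalising the address so that case, a trailing dot or a sub-domain of a throwaway provider does not slip past the check, and then mapping the two signals to an action. The provider list is constructed and far from complete, and because the post does not describe how Cloudflare derives its risk tiers, `signup_action` takes the tier as an input rather than computing it.

```python
# Constructed list of disposable-mail providers. Cloudflare's own list and its
# email risk model are not on the page; the risk tier is taken as an input here.
DISPOSABLE_DOMAINS = {"mailinator.com", "10minutemail.com", "guerrillamail.com"}

RISK_TIERS = {"low", "medium", "high"}


def email_domain(address: str) -> str:
    """Extract and normalise the domain part: lower-case, no trailing dot, no
    surrounding whitespace. Rejects anything without exactly one usable '@'."""
    local, at, domain = address.strip().rpartition("@")
    if not at or not local or not domain or "@" in local:
        raise ValueError(f"not a plausible email address: {address!r}")
    return domain.lower().rstrip(".")


def is_disposable(address: str) -> bool:
    """True when the domain, or any parent domain of it, is a known disposable
    provider, so user@x.mailinator.com is caught as well as user@mailinator.com.
    The bare TLD is never compared on its own."""
    labels = email_domain(address).split(".")
    return any(".".join(labels[i:]) in DISPOSABLE_DOMAINS
               for i in range(len(labels) - 1))


def signup_action(address: str, risk_tier: str) -> str:
    """A rule in the spirit of the post: block disposable addresses outright,
    challenge high-risk ones, and let the rest through. The thresholds express
    a risk/friction tolerance and are meant to be tuned per site."""
    if risk_tier not in RISK_TIERS:
        raise ValueError(f"unknown risk tier: {risk_tier!r}")
    if is_disposable(address):
        return "block"
    if risk_tier == "high":
        return "challenge"
    return "allow"


if __name__ == "__main__":
    for addr, tier in [("jane.doe@example.com", "low"),
                       ("xk7q9m2p@newdomain.xyz", "high"),
                       ("throwaway@Spam.Mailinator.com.", "low")]:
        print(addr, tier, "->", signup_action(addr, tier))
```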
Introducing Hashed User IDs
Understanding patterns of abuse requires visibility: not only into the network, but of account activity. Traditionally, security has meant looking through the lens of IPs and isolated HTTP requests to spot automated activity, but website owners aren’t just thinking in terms of network signals; they are also considering their users and known accounts. That’s why we’re expanding our mitigation toolbox to match the way applications are actually structured, focusing on user-based detection of fraudulent activity.
Attackers can effortlessly rotate IPs to hide their tracks. But forcing them to repeatedly generate new, credible accounts introduces massive friction, especially when combined with account creation protections. When we look past the network layer and map fraudulent actions to a given compromised or abusive account, we can spot targeted behavior tied to a single, persistent actor and put a stop to the abuse. In this way, we’re shifting the defense strategy to the account level, instead of playing whack-a-mole with rotating IP addresses and residential proxies. This means that our customers can mitigate abusive behavior based on the way their applications separate identity.
To arm website owners with this capability, Cloudflare is releasing a Hashed User ID that customers can use in Security analytics, Security rules, and Managed Transforms. Hashed User IDs are per-domain, cryptographically hashed versions of the values in the username field: each is a unique, stable identifier generated for a given username on a customer application. Because the hash is one-way, it cannot be reversed to recover the username, and because it is computed per domain, it is scoped to that domain rather than acting as a global identifier for the person. Importantly, the actual username is not logged or stored by Cloudflare as part of this service. As with leaked credentials check and ATO detections, which identify login traffic and then operate on hashed credentials for comparison, we are prioritizing end user privacy while empowering our customers to take action against fraudulent behavior.
With access to Hashed User IDs, website owners can:
- See top users: Which accounts have the most activity?
- See when a unique user logs in from a country they usually don’t, or from multiple countries in one day!
- Mitigate traffic based on unique user, such as blocking a user with historically suspicious activity.
- Combine fields to see when accounts are being targeted with leaked credentials.
- See what network patterns or signals are associated with unique users.
Figure: The expanded view of a single Hashed User ID within the Security analytics dashboard, showing the activity details of that unique user, including their login location and their browser.
This user-level visibility transforms how website owners can investigate and mitigate traffic. Instead of examining individual requests in isolation, our customers can see the full picture of how attackers are targeting and hiding among legitimate users.
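To make the preceding section concrete, here is an added Python example (not Cloudflare's implementation) that builds a per-domain hashed user ID and then runs two of the analyses listed above, "top users" and "logged in from multiple countries in one day", over constructed login records. The post only says the IDs are per-domain cryptographic hashes of the username field; the HMAC-SHA256 construction, the per-domain secret keys, the username normalisation and the sample records are all this example's assumptions. Setting the window to five minutes turns the second analysis into the New York/London/San Francisco impossible-travel case from the introduction.

```python
import hashlib
import hmac
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed per-domain secrets. The post says Hashed User IDs are per-domain
# cryptographic hashes of the username field; the HMAC-SHA256 construction and
# these keys are this example's assumptions, not Cloudflare's documented scheme.
DOMAIN_KEYS = {
    "shop.example": b"constructed-secret-for-shop.example",
    "bank.example": b"constructed-secret-for-bank.example",
}

FIVE_MINUTES = timedelta(minutes=5)
ONE_DAY = timedelta(days=1)


def hashed_user_id(domain: str, username: str) -> str:
    """Stable, per-domain, non-reversible identifier for a username. Keying by
    domain means the same username yields unrelated IDs on two different sites,
    so IDs cannot be correlated across customers. Normalising first makes
    'Alice ' and 'alice' the same account."""
    normalized = username.strip().lower().encode("utf-8")
    return hmac.new(DOMAIN_KEYS[domain], normalized, hashlib.sha256).hexdigest()


def pseudonymize(login_events):
    """Replace the username with its hashed ID before the record is retained;
    the plaintext username is not carried into the stored event."""
    return [{
        "ts": datetime.fromisoformat(ev["ts"]),
        "domain": ev["domain"],
        "uid": hashed_user_id(ev["domain"], ev["username"]),
        "country": ev["country"],
    } for ev in login_events]


def top_users(events, n=3):
    """'See top users': the hashed IDs with the most login activity."""
    return Counter((e["domain"], e["uid"]) for e in events).most_common(n)


def multi_country_users(events, window=ONE_DAY):
    """Hashed IDs with two consecutive logins from different countries no more
    than `window` apart. ONE_DAY gives 'multiple countries in one day';
    FIVE_MINUTES gives the impossible-travel case from the introduction."""
    by_user = defaultdict(list)
    for e in events:
        by_user[(e["domain"], e["uid"])].append(e)
    flagged = set()
    for key, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            if prev["country"] != cur["country"] and cur["ts"] - prev["ts"] <= window:
                flagged.add(key)
                break
    return flagged


# Constructed login records, as a login-page logger might capture them.
SAMPLE_LOGINS = [
    {"ts": "2025-01-10T09:00:00", "domain": "shop.example", "username": "alice", "country": "US"},
    {"ts": "2025-01-10T09:03:00", "domain": "shop.example", "username": "Alice ", "country": "GB"},
    {"ts": "2025-01-10T09:30:00", "domain": "shop.example", "username": "alice", "country": "US"},
    {"ts": "2025-01-10T10:00:00", "domain": "shop.example", "username": "bob", "country": "DE"},
    {"ts": "2025-01-10T12:00:00", "domain": "shop.example", "username": "bob", "country": "DE"},
    {"ts": "2025-01-10T08:00:00", "domain": "bank.example", "username": "carol", "country": "US"},
    {"ts": "2025-01-10T20:00:00", "domain": "bank.example", "username": "carol", "country": "FR"},
]

EVENTS = pseudonymize(SAMPLE_LOGINS)

if __name__ == "__main__":
    print("top users:", top_users(EVENTS))
    print("multiple countries in a day:", multi_country_users(EVENTS))
    print("impossible travel (5 min):", multi_country_users(EVENTS, FIVE_MINUTES))
```

Two design points worth noting. An unkeyed hash of a username would be stable and per-domain only by accident and would let anyone with a username list recompute the IDs offline, which is why the example keys the hash with a secret that differs per domain. And the multi-country check only compares consecutive logins, so a user who travels legitimately over a day is flagged by the one-day window but not by the five-minute one; the window is the knob that separates "unusual" from "impossible".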
Take the next step in account protection today
If you want to learn more about this Early Access capability, sign up here. All Bot Management Enterprise customers are eligible to add these new Account Abuse Protection features today, and we’d love to open the conversation with any and all prospective Bot Management customers.
While bot detections will continue to answer the question of automation and intent, fraud detections delve into the question of authenticity. Together, they give website owners comprehensive tools to fight against the full spectrum of account abuse. This suite is one step in our ongoing investment to protect the entire user journey — from account creation and login to secure checkouts and the integrity of every interaction.