SecurityInformed.com
DataDome's Key Findings On E-commerce Security

19 Nov 2025

Quick Read
Summary is AI-generated, newsdesk-reviewed
  • 64% of retailers face threats from mass fake account creation and account takeovers.
  • Most e-commerce sites lack multi-factor authentication and effective bot detection layers.
  • Retailers should block disposable emails and implement account lockout to thwart these threats.

As the e-commerce landscape increasingly embraces automation, retailers are facing new security challenges. The rise of AI agents that facilitate shopping tasks also opens the door for potential misuse by cybercriminals.

The upcoming Black Friday period is expected to highlight these challenges, as retailers must differentiate between legitimate AI-driven interactions and malicious automated threats.

Identity Verification Challenges Amid Automation

Verification at the account level is becoming more critical as automation grows. Both legitimate agents and malicious entities often follow similar paths for account creation and login, complicating the detection of fraudulent activities. 

According to a recent assessment, 64% of retailers are vulnerable to fake account creation, and more than half lack sufficient protection against account takeover attacks.

Persistent Vulnerabilities: Real Consequences

Many vulnerabilities identified in previous assessments remain unaddressed, resulting in issues such as stolen accounts and drained gift cards. Shoppers now face additional challenges as they compete with bots for holiday deals.

Recent findings from DataDome Advanced Threat Research reveal significant security gaps in several major e-commerce platforms, making them susceptible to automated account abuse.

Findings from DataDome Research

DataDome's research, conducted using open-source bot frameworks, evaluated 11 major e-commerce sites, uncovering troubling security deficiencies.

These include the widespread ease of creating fake accounts, with 64% of retailers vulnerable and 73% accepting disposable emails. Only 27% of retailers effectively block automated account creation, and 36% lack multi-factor authentication.

Login Protection Concerns

Security lapses extend to the login processes, where 82% of platforms permit automated login attempts without challenge and 64% lack account lockout measures, leaving them exposed to credential stuffing attacks.

This environment allows AI-driven attackers to operate seamlessly, posing a significant risk of large-scale account breaches.

Impacts and Risks

Fake account creation is a critical threat, especially as Black Friday approaches. Attackers use disposable emails and simple aliasing methods to generate numerous accounts, bypass purchase limits, hoard inventory, and exploit promotional offers.

The financial implications can be severe, with potential losses ranging from $50,000 to $500,000 per fraudulent campaign.

Credential Stuffing and Account Takeover Threats

Credential stuffing continues to be a covert yet impactful threat. Many retailers fail to enforce lockouts or detect bot logins, aiding attackers in scaling their credential testing efforts.

As AI agents further enhance these attacks, adapting strategies based on platform responses, successful account takeovers become more frequent and damaging.

New Threats in Agentic Commerce

The trend of credential sharing with AI agents is expected to triple account takeover incidents by 2028, according to Gartner.

This scenario demands that retailers balance user convenience with stringent control measures, allowing for safe agent interactions without inviting credential abuse.

Mitigation Measures for Black Friday

Despite these challenges, retailers have opportunities to fortify their defenses before the holiday sales begin. Key recommendations include blocking disposable emails, normalizing email configurations, implementing account lockouts, and deploying advanced bot management solutions to handle malicious traffic from AI agents.

The assessment noted that while some retailers have robust security measures, the majority are still vulnerable to automated threats. Black Friday 2025 is predicted to experience widespread fraudulent activities, yet timely action can mitigate these risks. Retailers can resolve critical vulnerabilities swiftly to protect their revenues and maintain customer trust during this peak shopping period.

Full press release

As agentic commerce takes hold, retailers are entering a new phase of automation, where AI agents act on behalf of real users to browse, compare, and buy. But these same capabilities can be weaponized by fraudsters.

This Black Friday, the challenge isn’t stopping bots; it’s distinguishing between legitimate agent-driven interactions and malicious automation designed to mimic them.

Identity amid rising automation

That distinction matters most at the account layer, where retailers must verify identity amid rising automation. Legitimate agents assisting users and malicious bots probing for vulnerabilities follow similar account creation and login paths.

Against this backdrop, the 2025 assessment shows that 64% of retailers remain vulnerable to fake account creation, and more than half are exposed to account takeover attacks due to weak login protections. 

Stolen accounts, drained gift cards, and real shoppers

What’s more, many of the same vulnerabilities observed last year remain unaddressed.

The result? More stolen accounts, drained gift cards, and real shoppers forced to battle bots for this year’s hottest gifts — right in the middle of the holiday rush.

Key findings of DataDome Advanced Threat Research

Using open-source bot frameworks with minimal configuration, DataDome Advanced Threat Research conducted security tests across 11 major e-commerce sites to evaluate how well these platforms protect against automated account abuse. The results show widespread vulnerabilities that leave retailers exposed.

Fake account creation remains alarmingly easy

  • 64% of retailers are vulnerable to mass fake account creation
  • 73% accept disposable emails, allowing attackers to spin up unlimited accounts using temporary inboxes
  • Only 27% of assessed retailers implement effective bot detection that successfully blocks automated account creation
  • 36% of retailers have no MFA in place, leaving account creation flows dangerously open

Login protection remains weak

  • 82% allow automated login attempts without challenge
  • 64% have no account lockout controls, exposing them to credential stuffing attacks

These weak points provide ideal conditions for AI-driven attackers to scale their operations without being flagged: executing targeted login attempts, spinning up fake accounts, and interacting with security flows more like humans than bots.

Implications & risks

  • Mass fake account creation: Fake account creation remains the most widespread and damaging threat leading up to Black Friday. Attackers use disposable email domains and simple aliasing techniques (like Gmail’s “dot” and “plus” tricks) to generate hundreds of accounts from a single inbox. Combined with automation and now AI agents that simulate real user input, these fake accounts are created at scale and often pass verification unnoticed. Once created, these accounts are used to bypass purchase limits, hoard high-demand inventory, and repeatedly redeem promotions or referral codes. The financial damage can be substantial; retailers stand to lose $50,000 – $500,000 per campaign to fraudulent promotions and resale-driven inventory grabs.
  • Credential stuffing & account takeover: Credential stuffing remains a high-impact, low-visibility threat. With 55% of retailers failing to enforce account lockout or detect bot logins, attackers can quietly test stolen credentials at scale. AI agents heighten this risk, as they adapt login attempts based on platform responses, avoiding detection and increasing takeover success rates. Once inside, fraudsters exploit stored payment data, loyalty points, and user trust.
  • The new risk of credential sharing in agentic commerce: According to Gartner, 90% of organizations that allow users to share credentials with AI agents will experience three times more account takeover incidents by 2028. Yet 36% of U.S. adults already say they’re interested in letting an AI agent shop or transact on their behalf. That tension—between convenience and control—will define the next wave of fraud risk. Retailers need to decide not only how to detect stolen credentials, but how to safely enable trusted agent access without opening the door to large-scale credential abuse.
  • Disposable emails to bypass MFA: With 73% accepting disposable email domains, these platforms allow attackers to fully bypass MFA protections using throwaway addresses that are easy to automate and verify. The result is a false sense of security: accounts appear protected, but in practice, they’re wide open to mass fake account creation.

Recommendations: Fast fixes before Black Friday 

Retailers still have time to close the most critical gaps before traffic surges. To mitigate the above risks, retailers can take steps to enhance their security posture:

  • Block disposable email domains. This single change can reduce fake account creation by up to 80-90%.
  • Implement email normalization. Removing “dot” and “plus” variations from Gmail addresses can cut multi-account abuse by as much as 70%.
  • Implement account lockout. Locking an account after repeated failed login attempts is essential to stop credential stuffing attacks.
  • Implement the disallow directives in robots.txt and deploy a robust bot management solution to actively detect and block sophisticated, malicious traffic from AI agents.
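
The signup and login recommendations above, sketched in Python as an added example (not DataDome's code and not part of the original press release). The blocklist domains, the lockout thresholds and all function and class names are assumptions for illustration.

```python
# Added example: signup and login checks from the recommendations above.
import time

# Constructed placeholder blocklist; production systems load a maintained list.
DISPOSABLE_DOMAINS = {"throwaway.example", "tempbox.example"}
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

def normalize_email(address):
    """Collapse Gmail "dot" and "plus" aliases to one canonical address."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if domain in GMAIL_DOMAINS:
        # Gmail ignores dots in the local part and anything after "+".
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    if not sep or not local or not domain:
        raise ValueError("not an email address")
    return f"{local}@{domain}"

def is_disposable(canonical):
    domain = canonical.rpartition("@")[2]
    # Match the listed domain and any subdomain of it.
    return any(domain == d or domain.endswith("." + d) for d in DISPOSABLE_DOMAINS)

class SignupGate:
    """Allows one account per canonical inbox and rejects disposable domains."""
    def __init__(self):
        self.seen = set()

    def check(self, address):
        try:
            canonical = normalize_email(address)
        except ValueError:
            return "reject:invalid"
        if is_disposable(canonical):
            return "reject:disposable"
        if canonical in self.seen:
            return "reject:duplicate"
        self.seen.add(canonical)
        return "accept"

class LoginLockout:
    """Locks an account after max_failures failed logins inside window seconds."""
    def __init__(self, max_failures=5, window=900, lock_for=900):  # assumed values
        self.max_failures, self.window, self.lock_for = max_failures, window, lock_for
        self.failures, self.locked_until = {}, {}

    def is_locked(self, account, now=None):
        now = time.time() if now is None else now
        return self.locked_until.get(account, 0) > now

    def record_failure(self, account, now=None):
        now = time.time() if now is None else now
        recent = [t for t in self.failures.get(account, []) if now - t < self.window]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lock_for
            self.failures[account] = []
        return self.is_locked(account, now)

    def record_success(self, account):
        self.failures.pop(account, None)
```

Keying the lockout counter on the normalized address means failed logins against alias variants of one inbox count toward the same threshold.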

Vulnerable to automated account abuse

The e-commerce industry shows a concerning trend: while a handful of pioneering retailers have implemented sophisticated, multi-layer defenses, the majority remain vulnerable to automated account abuse, mass fake account creation, and credential stuffing attacks.

The assessment revealed that 64% of platforms fall short of baseline protections, and 18% are so exposed they lack even the most basic safeguards.

Conclusion

Black Friday 2025 carries a high risk of widespread fraud, ranging from hundreds of thousands of fake accounts to large-scale account takeovers.

The good news is that most critical vulnerabilities can be resolved within 24 to 48 hours; retailers who act now will be in a strong position to protect revenue, preserve trust, and stay one step ahead of AI-driven threats during the year’s most important sales window.
