Armed with millions of common usernames and passwords, the bad bots are being distributed across the internet with the goal of compromising email accounts -- particularly those accessible via vulnerable application programming interfaces (APIs) -- by repeatedly trying different combinations of usernames and passwords until they find one that works, the report said.