Dark Web Breach? 94 Billion Cookies Fuel Massive Cyber Threat

The420.in Staff

Nearly 93.7 billion stolen internet cookies were uncovered for sale on the dark web, many still active and posing global user risks. This major data exposure was revealed in a joint study by NordVPN and NordStellar, analyzing data from Telegram groups between April 23 and 30, 2025.

Cookies, small data files stored by websites to manage login sessions and remember user preferences, have become a prime target for cybercriminals due to the vast amount of sensitive information they often contain. Analysts warn that this breach may be a precursor to a new wave of account hijackings and identity theft.

Active Session Cookies Could Allow Password-Free Account Access

The investigation revealed that out of the 93.7 billion compromised cookies, nearly 15.6 billion remain active, meaning attackers could use them to log in to users’ accounts without needing passwords. These cookies include session tokens, IDs, and browser data that enable websites to recognize users.

Investigators found that keywords like ‘ID’ (linked to over 18 billion cookies) and ‘session’ (1.2 billion) were among the most commonly associated with the stolen data, indicating direct exploitation of login credentials. Experts say this type of access could allow attackers to bypass even two-factor authentication, making traditional security measures less effective.

These stolen cookies often contained additional personal details like names, email addresses, geographic locations, and, in some cases, plaintext passwords. The data opens the door for a range of cybercrimes, including phishing campaigns, financial fraud, and full-scale identity theft.

Big Tech Platforms Among Main Targets

A significant portion of the compromised cookies originated from major tech platforms. Google services alone accounted for over 4.5 billion cookies, with YouTube and Microsoft each contributing more than 1 billion. These services are high-value targets due to their integration across devices and services, making them ideal for harvesting large volumes of user data.

The main method of cookie theft involved a variety of malware strains, with Redline identified as the most prolific infostealer. It alone was responsible for compromising nearly 42 billion cookies, outpacing other malware families such as keyloggers and trojans that were also part of the attack landscape.

The report underscores that cybercriminals are increasingly relying on browser-based data to execute attacks, shifting the focus from just passwords to more silent and persistent methods of compromise.

Digital Hygiene Urged as Privacy Risks Escalate

In light of the breach, cybersecurity professionals are urging users to take better control of their digital footprint. Accepting only essential cookies, frequently clearing browser data, and using endpoint protection tools like antivirus software and VPNs are now considered vital steps in reducing exposure.

Adrianus Warmenhoven of NordVPN explained that while cookies are designed to enhance user convenience, they increasingly pose a threat when malicious actors exploit them. “These small files can serve as keys to unlock your most sensitive digital assets,” he warned.

Experts recommend that Indian users, especially those engaged in online banking, trading, or social media, review app permissions, enable biometric or device-based authentication, and report suspicious activity to local cybercrime units or CERT-In.

About the author – Ayush Chaurasia is a postgraduate student passionate about cybersecurity, threat hunting, and global affairs. He explores the intersection of technology, psychology, national security, and geopolitics through insightful writing.
