
Sticky fingers in the cookie jar: Research reveals the risks of web cookies

Most of us barely pause before clicking away the cookie consent banner. It’s a routine, a forgettable part of using the internet, meant to make our online lives easier. After all, the internet is built on convenience. But that convenience has a cost, and that cost is often paid in the form of your data. In our latest study, researchers from NordStellar, a threat exposure management platform, analyzed a set of 93.7 billion cookies circulating on the dark web to uncover how they were stolen and what risks they pose. Read on and learn what that means for your privacy and security and what you can do to protect yourself.

May 27, 2025

Research reveals cookies can expose your data

A bite into internet cookies

You’ve seen the pop-ups. They’re on nearly every site you visit. Web cookies, or simply cookies, have become such a fundamental part of our browsing routine that we barely think twice before clicking “Accept all.”

Cookies are small text files stored on your device by websites you visit. They contain information about your browsing activity and preferences and help websites remember details between sessions. Cookies make the browsing experience more convenient and personalized. For example, they can keep you logged in or remember what’s in your shopping cart even if you leave the site and come back later. However, cookies can also track your activity for advertising purposes, which is why some people worry about their privacy.

Like cookies in a bakery, internet cookies come in many flavors, too:

  • First-party cookies are created and stored by the website you're currently visiting. They are used to remember login credentials, user preferences, and settings on that specific site. For example, when you log in to a site, first-party cookies might store your username so you don't have to re-enter it on your next visit. First-party cookies are usually seen as less intrusive, but they can still pose serious risks, especially when they store sensitive data like session IDs or logins that, if stolen, could give attackers access to personal accounts or even corporate networks.
  • Third-party cookies are stored on your device by another website and not the one you are visiting. For example, advertisers or analytics providers might set these cookies for targeted advertising and behavioral tracking. Third-party cookies track your activity across different websites, such as which links you click on and what products you look at.
  • Super cookies are tracking mechanisms that are much harder to detect and remove. Unlike standard cookies, which are stored on your browser and can be easily cleared, these ones hide in sneakier spots, like Flash local storage or HTML5 local storage, or even use techniques like ETags or HSTS to stay around. Some super cookies are even added by internet providers, who place special identifiers into your internet traffic to track you across every site you visit. Because they’re stored in unusual places or added through network-layer manipulation, super cookies can reappear even after you clear cookies on a browser, which makes them a serious security risk.
  • Zombie cookies “come back from the dead” even after you delete them. They’re often recreated automatically using backup copies stored outside normal cookie storage, making zombie cookies nearly impossible to remove and a serious privacy threat.

The research reveals the not-so-sweet side of web cookies

Most cookies are harmless. But in the wrong hands, even the smallest crumb can reveal a whole digital trail, so accepting web cookies blindly can be a risky habit. And our newest research reveals just how risky. As a follow-up to last year’s research on web cookies, we again partnered with researchers from NordStellar, a threat exposure management platform, who analyzed another set of over 93.7 billion cookies offered for sale on dark web forums and Telegram marketplaces. The researchers looked at where they came from, what they contained, whether they were active, and how cybercriminals use them.

It’s important to note that neither NordVPN nor its research partners purchased the stolen cookies and/or accessed the content inside. Our partners only analyzed the data that was available in the cookie sale listings, ensuring we maintained the privacy and security of internet users while producing this research report.

How web cookies get snatched

Cybercriminals don’t need an oven to bake the cookies. They steal them using malware. In our study, researchers found that nearly all were harvested by infostealers, trojans, and keyloggers. These categories of malware are designed specifically to collect login data, cookies, saved browser passwords, and crypto wallets. Here are some of the most common tools behind the stolen web cookies in our research:

  • Redline is one of the most widely used keyloggers and infostealers, advertised as malware as a service. Redline Stealer is responsible for the biggest chunk of stolen cookies in our dataset — almost 42 billion cookies. However, only 6.2% were still active, meaning the lifespan of stolen data is relatively short.
  • Vidar is also a malware as a service with specific configurations designed to target specific types of data. It collected around 10.5 billion cookies, with 7.2% of them still valid.
  • LummaC2 is a stealer offered as a service to cybercriminals. It’s newer but growing fast in use. It was responsible for over 8.8 billion stolen cookies, with 6.5% still active.
  • CryptBot is an infostealer mainly targeting Windows operating systems. While it accounted for only 1.4 billion cookies, 83.4% of them were still active, making CryptBot the most effective malware on our list.

These malware tools are easy to use and widely available, making them accessible to almost anyone. They often hide in pirated software or seemingly harmless downloads. Once installed, they scan the browser’s cookie storage and send everything to a command-and-control server. From there, the data might be listed on the dark web, sometimes within minutes.

Malicious software created to steal your digital traces

So what do these cookies actually hold? Plenty. When cybercriminals sell stolen cookies, they often tag them with keywords to show what kind of data they’re getting. Some of the most common keywords were “ID” (18 billion), followed by “session” (1.2 billion). A significant number of stolen cookies were labelled with “auth” (272.9 million) and “login” (61.2 million) keywords. These tags suggest the cookies are linked to specific user accounts, meaning they could be reused to hijack live sessions without a password. It’s particularly worrying, considering that out of the 93.7 billion stolen cookies analyzed, 15.6 billion were still active.

But it’s not just account access that’s at stake. Some of these cookies also hold personal information, like a user’s name, e-mail address, country, and city, as well as gender, birthday, or even physical address. These details are just as dangerous because they could allow threat actors to build personalised social engineering attacks or, in the worst case, steal the users’ identities. And when details like your location or birthday are out there, it’s not just a privacy risk, but a personal safety threat, too.

What data do stolen cookies reveal?

Where did the cookies come from?

Researchers also looked more closely at where the stolen cookies came from by analyzing three main factors: the platform from which they were scraped, the country of origin, and the operating system.

Platforms

On the platform side, big names unsurprisingly dominate. Cookies associated with Google services made up the biggest part of the dataset — more than 4.5 billion cookies linked to Gmail, Google Drive, and other Google services. YouTube and Microsoft each accounted for over 1 billion cookies. 

Popular platforms make for tasty targets because you can scrape more information off of them. Plus, Google and Microsoft accounts are often used for multi-factor authentication. Stealing a Google or Microsoft session cookie could give cybercriminals access to email, files, calendars, and even linked accounts, with no need to guess passwords or trigger two-factor authentication.

Top 20 companies behind tracking cookies

Countries

Cookies can get stolen all over the world, and the numbers show it. While many of the stolen cookies didn’t include data about the user’s country, those that did were linked to at least 253 different countries and territories. Some cookie listings were marked “unknown,” so the true number may be even higher.

Brazil, India, Indonesia, and the United States were among the most impacted. In Europe, Spain topped the list with 1.75 billion stolen cookies, while the UK, despite only accounting for about 800 million cookies, had a high rate of active cookies, 8.3%.

Top 20 countries by cookie activity

Devices

Most of the cookies were scraped from Windows devices, which comes as no surprise, since most malware targets Windows. However, over 13.2 billion cookies were scraped from other operating systems, or their source is unknown. So while Windows users are still the biggest targets, users on other systems shouldn’t feel completely safe — attacks on other platforms do happen.

What can an attacker do with your web cookies?

Cookies may sound sweet, but sometimes they can leave a bad taste. The truth is, even the most seemingly unimportant cookies can do a lot of damage to you or your business. Once one door is open, it isn’t that difficult to open others. Session cookies, especially active ones, are a goldmine. They let attackers skip login pages altogether. But the risks don’t stop there. Stolen cookies can also be used to:

  • Take over your social media, email, or online shopping accounts.
  • Impersonate you online by using saved logins or autofill information.
  • Bypass two-factor authentication if the cookie marks a “trusted” device.
  • Launch targeted phishing attacks using your personal information.
  • Move laterally across the network, especially in companies using cookie-based SSO (single sign-on).
  • Access financial or customer data, and other sensitive information.
  • Help deploy ransomware attacks by stealing login credentials or accessing higher-level system permissions.

Protecting yourself from cookie theft doesn’t mean you have to give up the internet altogether, but it does require changing a few habits:

  • Think twice before accepting the cookies. The first step towards making yourself safer is understanding that not all cookies are necessary, and just because you can accept all cookies doesn’t mean you have to. Whenever possible, reject unnecessary cookies, especially third-party ones or those tracking your behaviour. Most websites still function fine without them.
  • Get additional security tools. Malware, including infostealers, often enters your computer through downloads or phishing links. Tools like Threat Protection Pro™ can block malicious websites and scan downloads for malware before they enter your computer.
  • Clear your cookies regularly. Not all cookies are worth keeping — toss the stale ones. Make it a habit, especially after logging in on public or shared computers. This step may seem minor, but it helps reduce the window of time during which your data can be hijacked.
  • Use a safer connection. Start by avoiding public Wi-Fi networks or unencrypted connections. Get a VPN that will encrypt your internet traffic, making it more secure from eavesdroppers.
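
A self-audit in the spirit of the advice above, as an added example that is not part of the original article: it reads a browser cookie export in Netscape cookies.txt format and lists the cookies whose names carry the keyword tags the research found on listings (“session”, “auth”, “login”, “ID”) and that have not yet expired, so you can see what is worth clearing. The sample jar, the helper names `tag_for` and `audit`, and the name-matching heuristic are assumptions made for illustration.

```python
# Keyword tags the article reports on stolen-cookie listings, most specific first.
KEYWORDS = ("session", "auth", "login", "id")

# Constructed sample in Netscape cookies.txt format (tab-separated fields):
# domain, subdomain flag, path, secure, expiry (epoch, 0 = session), name, value
SAMPLE = "\n".join([
    "# Netscape HTTP Cookie File",
    "#HttpOnly_.shop.example\tTRUE\t/\tTRUE\t1767225600\tJSESSIONID\tREDACTED",
    ".shop.example\tTRUE\t/\tFALSE\t1893456000\tauth_token\tREDACTED",
    "ads.tracker.example\tFALSE\t/\tFALSE\t1700000000\tuid\tREDACTED",
    ".shop.example\tTRUE\t/\tFALSE\t1893456000\ttheme\tdark",
    "sso.corp.example\tFALSE\t/\tTRUE\t0\tlogin_state\tREDACTED",
])

def tag_for(name):
    """Heuristic (assumption): substring match, but only a name suffix for 'id'."""
    low = name.lower()
    for kw in KEYWORDS[:3]:
        if kw in low:
            return kw
    return "id" if low.endswith("id") else None   # may over-match, e.g. 'valid'

def audit(text, now):
    """Return tagged cookies that are still usable at `now` (epoch seconds)."""
    findings = []
    for line in text.splitlines():
        http_only = line.startswith("#HttpOnly_")   # export marker for HttpOnly cookies
        if http_only:
            line = line[len("#HttpOnly_"):]
        elif line.startswith("#") or not line.strip():
            continue                                # comment or blank line
        fields = line.split("\t")
        if len(fields) != 7 or not fields[4].isdigit():
            continue                                # malformed line: skip, do not guess
        domain, _, _, secure, expiry, name, _value = fields
        tag = tag_for(name)
        expiry = int(expiry)
        if tag is None or (expiry != 0 and expiry <= now):
            continue                                # untagged, or already expired
        days = None if expiry == 0 else round((expiry - now) / 86400, 1)
        findings.append({"domain": domain, "name": name, "tag": tag,
                         "http_only": http_only, "secure": secure == "TRUE",
                         "days_left": days})
    # Longest-lived first; session cookies (days_left None) sort last.
    return sorted(findings, key=lambda f: -(f["days_left"] or 0))

if __name__ == "__main__":
    for f in audit(SAMPLE, now=1748304000):         # 2025-05-27 00:00:00 UTC
        print(f)
```

Cookies that come back with a long `days_left` and neither `http_only` nor `secure` set are the ones that stay useful longest if a device is infected, so they are the first candidates to clear or to log out of.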

Aurelija Skebaite

Aurelija is passionate about cybersecurity and wants to make the online world safer for everyone. She believes the best way to learn is by doing, so she approaches cybersecurity topics from a practical standpoint and aims to help people protect themselves online.