At least 1.5 billion American cookies leaked: Why are they interesting to hackers?

April 3, 2024

There are more than 54 billion cookies leaked on the dark web, according to the latest research conducted by independent researchers and released by NordVPN. At least 1.5 billion of them were from the United States. While cookies are mostly known as an essential tool for browsing, many are unaware that cookies have become one of the key tools for hackers to steal data and gain access to sensitive systems.

“Thanks to the cookie consent popups, we view cookies as a necessary, albeit annoying part of being online. However, many don’t realize that if a hacker gets hold of your active cookies, they might not need to know any logins, passwords, and even MFA to overtake your accounts,” says Adrianus Warmenhoven, a cybersecurity advisor at NordVPN.

How do cookies work and what risks do stolen cookies pose?

In order to explain the underlying threat, a NordVPN expert explains how cookies work:

“Firstly, it’s important to understand that the cookie setup is necessary. There is literally no other way for a device to know which user operates it. Without cookies, the server cannot verify the user. To put it simply, once the user logs in with a password and MFA, the server gives the user a cookie. And the next time the same user comes back with this cookie, the server recognizes the cookie and knows that this user has already logged in — so there’s no need to ask for the same information again,” says Adrianus Warmenhoven.

However, if this cookie is stolen and is still active, an attacker can potentially login into your account without having your password or needing MFA.

In addition to the already mentioned session data, cookies can also hold other sensitive information, such as people’s names, location, orientation, size and so on.

What kind of cookies were found?

Out of 54 billion analyzed cookies, 17% were active. Meanwhile, out of the 1.5 billion analyzed cookies from the United States, 24% were active.

“While it may seem that 24% is not that much, it’s important to understand that it’s a huge amount of personal data — over 348 million cookies. And although active cookies present a greater risk, inactive ones still present a threat to user privacy, as well as the potential for hackers to use stored information for further abuse or manipulation,” says Adrianus Warmenhoven, a cybersecurity advisor at NordVPN.

Over 2.5B of all the cookies in the dataset were from Google, with another 692M from Youtube. Over 500M were from Microsoft and Bing.*

“Cookies from such core accounts are particularly dangerous because they may be used to access further login details through, for example, password recovery, corporate systems, or SSO,” notes Adrianus Warmenhoven.

With regards to country data, the most cookies came from Brazil, India, Indonesia, and Vietnam. The United States ranked 4th in terms of number of leaked cookies. Overall, there were 244 countries and territories represented in the cookies data set, showing the breadth of coverage of these huge malware systems.

The largest keyword category (10.5 billion) was “assigned ID,” followed by “session ID” (739 million) — these cookies are assigned or connected to specific users in order to keep sessions active or identify them on the website to provide services. These were followed by 154M authentication and 37M login cookies.

Name, email, city, password, and address were most common in the personal information category.

“If you combine all of these details with age, size, gender, or orientation, you will get a very intimate picture of the user, which can allow for well-targeted scams or attacks,” notes Adrianus Warmenhoven.

Up to 12 different types of malware were used to steal these cookies. Nearly 56% were collected by Redline, a popular infostealer and keylogger.

How to protect yourself

While there’s no magic cookie jar to keep them locked up tight, there are some digital hygiene tips that Adrianus recommends.

Firstly, he emphasizes the importance of awareness and behavior online.

“It’s a good idea to regularly delete cookies to minimize available data that can be stolen. Also, be aware of files you download and websites you visit — being vigilant can minimize your risk,” says the expert.

Using such tools as NordVPN’s Threat Protection can also help because this feature helps to block malicious sites, checks downloads for malware, and blocks trackers, better protecting the user from data gathering and theft. Dark Web Monitoring can also help alert the user in the event the data does get stolen, allowing a person to take action before further harm can be caused.

Methodology

The data was compiled in partnership with independent researchers specializing in cybersecurity incident research. The researchers used data gathered from Telegram channels where hackers advertise what stolen information is available for sale. This led to a dataset of information about over 54 billion cookies. Researchers analyzed whether the cookies were active or inactive, which malware was used to steal the cookies, which country or territory they were from, as well as what data they contained concerning the company that made the cookie, the user’s OS, and keyword categories assigned to users. NordVPN did not buy stolen cookies, and did not access the contents of the cookies and only examined what types of data was contained within them.

ABOUT NORDVPN

NordVPN is the world’s most advanced VPN service provider, used by millions of internet users worldwide. NordVPN provides double VPN encryption and Onion Over VPN and guarantees privacy with zero tracking. One of the key features of the product is Threat Protection, which blocks malicious websites, malware during downloads, trackers, and ads. NordVPN is very user friendly, offers one of the best prices on the market, and has over 6,200 servers covering 111 countries worldwide. For more information: https://nordvpn.com.

*NordVPN is not endorsed by, maintained, sponsored by, affiliated, or in any way associated with the owners of the mentioned trademarks. Trademarks are indicated solely for the purpose of accurately reporting information related to cookies available on the dark web markets.