Misfortune cookie? Stolen internet cookies expose your data
"We use cookies to give you the best online experience. They may get stolen and used in a cyberattack. Do you agree?"
Researchers analyzed a dataset of 54 billion cookies and their listings that were available for sale on the dark web to find out how they were stolen, what security and privacy risks they pose, and what kinds of information they contain. This study is meant to shed light on how internet users endanger their accounts, money, and private information by simply accepting cookies without thinking.
The good, the bad, and the necessary: Exploring different types of internet cookies
Cookies are an integral part of how the internet works today. At their core, they are small text files that a website stores on your device. But once you start looking into it, there's much more to discover. Let's go over the most common types of cookies and their risks.
First-party cookies are created and stored by the website you're visiting. These cookies remember your login details, personalize the website’s content, and store your preferences, so they are considered essential for basic website functionality and user convenience.
While they're generally less intrusive than third-party cookies, first-party cookies may pose serious security risks. It is not just the personal data stored in them that's at stake. Cookies keep you logged in to sites, accounts, and services, so significant authentication data is also at stake. From session IDs to user identifiers, cookies can contain them all. If someone got their hands on these cookies, they could use them to reopen sessions and gain access to more sensitive information, from your other accounts to corporate systems.
The findings: An unappetizing truth
Researchers analyzed a collection of 54 billion (54,008,833,188) cookies available on the dark web markets. Seventeen percent were active, which comes to over 9 billion cookies. Active cookies present a greater risk because they’re actively updated in real time as the user browses the internet. However, inactive cookies, even if updated a long time ago, can also contain user-related information and even be used for further attacks and manipulation.
Over half of both active and inactive cookies were stolen using Redline. However, the rate of active cookies was higher among those stolen through Predator-the-thief, Cryptbot, MetaStealer, and Taurus (57%, 51%, 48%, and 44% respectively). The nature of the malware used shows that both experienced cybercriminals and beginners using malware as a service were stealing data to sell it online.
Whose cookies are these?
Platforms
Over 5% of all cookies in the dataset were from Google, 1.3% were from YouTube, over 1% were from Microsoft, and another 1% were from Bing.
These cookies being for sale is a huge risk to their owners: the cookies are for core email accounts that can be used to access other login details. Even though these percentages may seem minuscule, it's worth noting that 1% of the total dataset is still over 500 million cookies, which is an enormous amount of user data.
*NordVPN is not endorsed by, maintained, sponsored by, affiliated, or in any way associated with the owners of the mentioned platforms. Platforms are indicated solely for the purpose of accurately reporting information related to cookies available on the dark web markets.
Devices
Almost all of the 54 billion cookies were scraped from Windows devices (owing to the nature of the malware). However, there were over 31.5 million Apple cookies in the dataset. This shows the cracks in the system because users log in to their accounts on different devices and platforms.
The cookies in the dataset had labels for over 4,500 different operating systems. That's because of the specific nature of the OS running on different devices — many of the labels appeared to have a device- and model-specific name rather than a separate OS. This underlines the level of detail stored in cookies that could be used to re-identify individuals.
The most common OS was Windows 10 Enterprise (over 16 billion, and 30% of the total), showcasing the increased risks of businesses getting hacked.
*NordVPN is not endorsed by, maintained, sponsored by, affiliated, or in any way associated with the owners of the mentioned trademarks. Trademarks are indicated solely for the purpose of accurately reporting information related to cookies available on the dark web markets.
Countries
Half the cookies held no country data, though 95% of these were inactive. Of those that did have data about the user’s country, the most common were Brazil, India, Indonesia, the US, and Vietnam. If we look at Europe specifically, the most cookies came from Spain, at 554M. While the UK was ranked 120th in terms of number of cookies, over half of them were active. Overall, users from 244 countries and territories were represented in the dataset, underlining the wide reach of hackers and advanced malware capabilities.
Method
NordVPN partnered with independent researchers who compiled the dataset from Telegram channels where hackers advertise what stolen information is available for sale. The researchers analyzed whether the cookies were active or inactive, which malware was used to steal them, and which country they were from, as well as what data they contained: the company that generated the cookie, the user's OS, and keyword categories assigned to users.
Note: Neither NordVPN nor its research partners bought the stolen cookies or accessed the contents of the cookies. Our partners only analyzed the data that was available in the cookie sale listings. We were very careful not to breach any privacy or security of internet users while producing this research report.