
Misfortune cookie? Billions of stolen cookies expose your data

"We use cookies to give you the best online experience. They may get stolen and used in a cyberattack. Do you agree?"


Researchers analyzed a dataset of 54 billion cookies and their listings that were available for sale on the dark web to find out how they were stolen, what security and privacy risks they pose, and what kinds of information they contain. This study is meant to shed light on how internet users endanger their accounts, money, and private information by simply accepting cookies without thinking.

The good, the bad, and the necessary: Exploring different types of internet cookies

Cookies are an integral part of how the internet works today. At their core, they are small text files that a website stores on your device. But once you start looking into it, there's much more to discover. Let's go over the most common types of cookies and their risks.


First-party cookies are created and stored by the website you're visiting. These cookies remember your login details, personalize the website’s content, and store your preferences, so they are considered essential for basic website functionality and user convenience.

While they're generally less intrusive than third-party cookies, first-party cookies may pose serious security risks. It is not just the personal data stored in them that's at stake. Cookies keep you logged in to sites, accounts, and services, so significant authentication data is also at stake. Cookies can contain everything from session IDs to user identifiers. If someone got their hands on these cookies, they could use them to reopen sessions and gain access to more sensitive information, from your other accounts to corporate systems.

Click with caution: How are cookies stolen?

Many cybercriminals wish to steal, sell, or use cookies and the information they contain for other attacks. How do they manage to get their hands on millions of internet users' cookies? Mostly through malware — information stealers, trojans, and keyloggers. Here are the most prevalent malware types we encountered during our study:


An information stealer that shapeshifts, pretending to be a legitimate application padded with zeros to avoid antivirus detection.


An information stealer that can steal usernames and passwords, credit card details, and crypto wallets and also download other malware.


An infostealer targeting Windows operating systems, designed to steal account passwords saved in browsers, cookies, payment information, and cryptocurrency wallets.


A remote access trojan that allows cybercriminals to control the infected device remotely. It can be adapted for a number of different purposes.


Available as a $125/month subscription or $1,000 for lifetime access, this malware as a service targets crypto wallets and passwords.


Malware that targets a wide range of browsers and extensions to steal information, using system calls and other techniques to avoid detection.


An information stealer that uses YouTube to spread itself. Its efficient multi-threading helps it steal different kinds of data.


This malware, which was updated with extra anti-analysis features to help it avoid detection, is available for as little as $150. A crypto wallet module is available for $100 more.


Malware as a service with tech support. It's less stealthy because it sends data as it's collected, and it has no obfuscation techniques, but it is popular and quite effective.


A keylogger and information stealer advertised as malware as a service for $100/month. It includes modules for customization and extra features, like downloading other malware.


Malware that spreads via malvertising and spam to trick users into downloading it themselves. It uses obfuscation to avoid detection.


Malware as a service that harvests operating system and user data with specific configurations designed to target specific types of data.


The findings: An unappetizing truth

Researchers analyzed a collection of 54 billion (54,008,833,188) cookies available on the dark web markets. Seventeen percent were active, which comes to over 9 billion cookies. Active cookies present a greater risk because they’re actively updated in real time as the user browses the internet. However, inactive cookies, even if updated a long time ago, can also contain user-related information and even be used for further attacks and manipulation.

Over half of both active and inactive cookies were stolen using Redline. However, a higher rate of active cookies were stolen through Predator-the-thief, Cryptbot, MetaStealer, and Taurus (57%, 51%, 48%, and 44% respectively). The nature of the malware used showcases the fact that both experienced cybercriminals and beginners using malware as a service were stealing data to sell it online.

Whose cookies are these?

Over 5% of all cookies in the dataset were from Google, 1.3% were from YouTube, over 1% were from Microsoft, and another 1% were from Bing.

These cookies being for sale is a huge risk to their owners: the cookies are for core email accounts that can be used to access other login details. Even though these percentages may seem minuscule, it's worth noting that 1% of the total dataset is still over 500 million cookies, which is an enormous amount of user data.

*NordVPN is not endorsed by, maintained, sponsored by, affiliated, or in any way associated with the owners of the mentioned platforms. Platforms are indicated solely for the purpose of accurately reporting information related to cookies available on the dark web markets.

Almost all of the 54 billion cookies were scraped from Windows devices (owing to the nature of the malware). However, there were over 31.5 million Apple cookies in the dataset. This shows the cracks in the system because users log in to their accounts on different devices and platforms.

The cookies in the dataset had labels for over 4,500 different operating systems. That's because of the specific nature of the OS running on different devices — many of the labels appeared to have a device- and model-specific name rather than a separate OS. This underlines the level of detail stored in cookies that could be used to re-identify individuals.

The most common OS was Windows 10 Enterprise (over 16 billion, and 30% of the total), showcasing the increased risks of businesses getting hacked.

*NordVPN is not endorsed by, maintained, sponsored by, affiliated, or in any way associated with the owners of the mentioned trademarks. Trademarks are indicated solely for the purpose of accurately reporting information related to cookies available on the dark web markets.

Half the cookies held no country data, though 95% were inactive. Of those that did have data about the user’s country, the most common were Brazil, India, Indonesia, the US, and Vietnam. If we look at Europe specifically, the most cookies came from Spain — 554M. While the UK was ranked 120th in terms of number of cookies, over half of them were active. Overall, users from 244 countries and territories were represented in the data set, underlining the wide reach of hackers and advanced malware capabilities.


What's in the cookie jar?

Sellers assigned certain keywords to the cookies in their listings so that potential buyers could see what data they could expect to find in the cookies. The most common keywords attached to the cookies were "assigned ID" (10.5 billion), followed by "session ID" (739 million); both can be connected to specific users. These were followed by 154M instances of the keyword "authentication" (15% active) and 37M of "login" (18% active). The latter two are particularly dangerous: many are still active, which means someone could use those cookies to log in to people's accounts.

When it comes to personal information, the cookies mostly stored a user’s name, email address, city, password, and physical address. A particular city was included in 9 million cookies, while over 2 million contained even the user's specific address. Sexual orientation, although less frequent, still appeared 500,000 times in the dataset, with a higher rate of active cookies (26%). This creates an added risk for members of the LGBTQ+ community — in some countries, having your non-traditional sexual orientation exposed could lead to severe consequences.

A cybercriminal could use the active cookies to log into someone's personal account. Information found there, together with data from the cookie files themselves, would allow them to create detailed user portfolios and perform cyberattacks against people and their workplaces.
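
A defender-side illustration of the risk described above, added here and not part of the research or of any NordVPN product: a service can spot a stolen session cookie being reused by comparing each request with the context in which that session was first seen. The event fields, the /24 network grouping, and the sample log lines are assumptions constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample events: (timestamp, session_id, client_ip, user_agent).
# Not real traffic; the IPs come from reserved documentation ranges.
EVENTS = [
    ("2024-05-01T09:00:02Z", "sess-a1", "192.0.2.10",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"),
    ("2024-05-01T09:05:40Z", "sess-a1", "192.0.2.77",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"),
    ("2024-05-01T09:06:10Z", "sess-b2", "198.51.100.5",
     "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) Safari/605.1.15"),
    ("2024-05-01T09:07:55Z", "sess-a1", "203.0.113.200",
     "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"),
    ("2024-05-01T09:09:00Z", "sess-b2", "198.51.100.9",
     "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) Safari/605.1.15"),
]


@dataclass(frozen=True)
class Context:
    network: object      # network the session was first seen from
    user_agent: str      # browser string the session was first seen with


def network_of(ip, prefix=24):
    """Collapse an address to its surrounding network (assumed /24 granularity)."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def find_replayed_sessions(events):
    """Return alerts for sessions reused from a new network AND a new browser."""
    baseline = {}
    alerts = []
    for ts, sid, ip, ua in events:
        seen = Context(network_of(ip), ua)
        first = baseline.setdefault(sid, seen)  # first sighting becomes the baseline
        # An IP change alone is normal (mobile data, VPN); a browser-string change
        # alone can be an update. Both changing mid-session is the pattern of a
        # cookie that has been copied to another machine.
        if seen.network != first.network and seen.user_agent != first.user_agent:
            alerts.append({"time": ts, "session": sid, "ip": ip,
                           "action": "revoke session and require re-authentication"})
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(EVENTS):
        print(alert)
```

Revoking the session on the server side is what turns an "active" stolen cookie into an inactive one, regardless of where the copy ended up.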


The hidden risks: Beware the cookie monster

Even though internet cookies might seem like an innocuous technology to some, 54 billion of them for sale on the dark web is a huge risk to both individuals and businesses. The information they store could fuel massive attacks online and in real life.

What could happen if cookies are stolen from your device?

If a hacker gets their hands on a collection of cookies from various platforms and services, they can use them for numerous malicious activities:

What could happen to a business if cookies are stolen from their devices?

Stolen cookies generated by employee internet use could lead to a huge breach, affecting various aspects of operations, security, reputation, and legal compliance.

Attackers can use cookies to gain access to business accounts, internal systems, and databases. This access would allow them to steal sensitive corporate information, intellectual property, financial data, employee records, and customer information. If they take over a company system, hackers can lock corporate accounts until a ransom is paid. The attackers may also initiate transactions or use the business’ background to perform phishing attacks on vendors and clients.

Reputational and legal damage is another concern. If sensitive or regulated data (like medical records) is leaked, it can have severe consequences for a business, including financial loss from theft, the cost of remediation, fines for violating data protection laws (like the GDPR or CCPA), and the cost of notifying affected parties. Furthermore, businesses would likely have to deal with reputational damage; ruined trust with customers, partners, and stakeholders; and difficulty in attracting new customers or partners.

Fortify your defenses: How to protect your device’s cookies from hackers

A few new habits and general cybersecurity awareness will go a long way toward protecting cookies, whether for an individual or in a business setting:

1. Use a secure connection.

Get a premium VPN and encrypt your internet connection at all times. Doing so will not only prevent cookies from being intercepted during transmission but also help hide some identifying information like your IP address, which can make it harder to link data back to you.


2. Get additional security software.

Some VPN providers, like NordVPN, offer additional security features that will help you avoid cookie-stealing malware. NordVPN's Threat Protection will block your access to dangerous and phishing websites and scan the files you download for malware.

3. Refuse the cookies.

The best way to avoid theft is to have nothing to steal. Most websites will ask for your permission to use certain cookies during your session, and you can refuse many of the tracking cookies. NordVPN's Threat Protection will aid you further by blocking all third-party trackers from following you around the internet and gathering data about you. And finally, you can periodically clear your cookies to remove old or potentially compromised data. This step is particularly important after using public or shared computers.


My cookies? None of your business


When it comes to business users' security, it's more or less the same. Use NordLayer business VPN to help protect your connections, regularly train your employees on best cybersecurity practices, and implement internal security features to minimize the likelihood of a cyberattack.


NordVPN partnered with independent researchers who compiled the dataset from Telegram channels where hackers advertise what stolen information is available for sale. The researchers analyzed whether the cookies were active or inactive, which malware was used to steal them and which country they were from as well as what data they contained — the company that generated the cookie, the user's OS, and keyword categories assigned to users.

Note: Neither NordVPN nor its research partners bought the stolen cookies or accessed the contents of the cookies. Our partners only analyzed the data that was available in the cookie sale listings. We were very careful not to breach any privacy or security of internet users while producing this research report.
