Skip to main content

Hackers are using cookies to sidestep two-factor authentication

“Cookie stealing” is among the latest trends in cybercrimes that hackers are using to bypass credentials and access private databases, according to Sophos.

Typical security advice for organizations has been to move their most sensitive information to cloud services or to use multifactor authentication (MFA) as a safety means. However, bad actors have figured out how to swipe cookies connected to login details and replicate them to hack the active or recent web sessions of programs that are not commonly refreshed.

A large monitor displaying a security hacking breach warning.
Stock Depot / Getty Images

These hackers are able to exploit several different online tools and services, including browsers, web-based applications, web services, malware-infected emails, and ZIP files.

The most insidious aspect of this style of hacking is that cookies are so widely used that they can help nefarious users access systems even if safety protocols are in place. Sophos noted that the Emotet botnet is one such cookie-stealing malware that targets data in the Google Chrome browser, such as stored logins and payment card data, despite the browser’s affinity for encryption and multifactor authentication.

On a broader scale, cybercriminals can purchase stolen cookies data, such as credentials from underground marketplaces, the publication said. The login details for an Electronic Arts game developer ended up on a marketplace called Genesis, which was reportedly purchased by the extortion group Lapsus$. The group was able to replicate EA employee login credentials and ultimately gain access to the company’s networks, stealing 780 gigabytes of data. The group collected game and graphics engine source code details that they used to try to extort EA.

Similarly, Lapsus$ hacked the databases of Nvidia in March. Reports claimed the breach might have revealed the login information of more than 70,000 employees, in addition to 1TB of data from the company, including schematics, drivers, and firmware details. However, there is no word as to whether the hack was due to cookie stealing.

Other cookie-stealing opportunities might be easy to crack if they are software-as-a-service products, such as Amazon Web Services (AWS), Azure, or Slack. These can start with hackers having basic access but tricking users into downloading malware or sharing sensitive information. Such services tend to remain open and running persistently, meaning their cookies don’t expire often enough to have their protocols to be sound security-wise.

Sophos notes that users can regularly clear their cookies to maintain a better protocol; however, that means having to reauthenticate each time.

Editors' Recommendations

Fionna Agomuoh
Fionna Agomuoh is a technology journalist with over a decade of experience writing about various consumer electronics topics…
Hacker sent to jail for huge 2020 Twitter breach
A Twitter logo graphic.

A British man who took part in a high-profile Twitter hack in 2020 was handed a five-year jail term by a New York federal court on Friday.

Joseph O’Connor, 24, had pled guilty in May to four counts of computer hacking, wire fraud, and cyberstalking. He was also ordered to pay $794,000, the amount that he nabbed in the crypto crime.

Read more
DOJ’s new NatSec Cyber unit to boost fight against state-backed hackers
A hacker typing on an Apple MacBook laptop while holding a phone. Both devices show code on their screens.

Eyeing the increasing threat of damaging cyberattacks by hackers backed by hostile foreign states, the U.S. Justice Department (DOJ) on Tuesday announced the creation of the National Security Cyber Section -- aka NatSec Cyber -- within its National Security Division (NSD).

Hackers operating out of countries like China, Russia, and North Korea seek to cause disruption across a wide range of sectors, steal government and trade secrets, spy on targets, and raise revenue via extortion. Such nefarious activities have long been a concern for those overseeing U.S. national security, and the DOJ’s new unit aims to improve the efficiency of tackling the perpetrators’ operations.

Read more
Reddit hacker demands $4.5M and a change to new API rule
The Reddit app icon on an iOS Home screen.

Ransomware group BlackCat has claimed responsibility for the cyberattack on Reddit in February and is now demanding a $4.5 million payment to prevent it from publishing 80GB of data that it claims to have stolen from the site.

But that’s not all, as the group, which is also known as ALPHV, is insisting that Reddit also reverse the API price changes that have caused so much controversy just recently.

Read more