- Research from NordVPN reveals 94 billion stolen cookies on the dark web
- Only a small percentage of these are still active
- These cookies represent serious risk for customers
New research from NordVPN has revealed cookies, the small information files generated from web servers and sent to web browsers, are being leaked and exploited on the dark web in huge numbers.
The findings calculate there to be around 94 billion cookies circulating on the dark web, with almost 42 billion of these originating from Redline, a notorious infostealer malware – although only 6.2% of these were still active, meaning they have a relatively short lifespan.
In fact, most were inactive, with only 7.2% of the 10.5 billion cookies identified from Vidar showing as valid, alongside 6.5% of LummaC2 – a newer infostealer service – which has collected a total of 8.8 billion stolen cookies. There is one outlier though, with CryptBot proving by far the most effective malware given that 83.4% of the 1.4 billion cookies stolen are still active.
What’s inside?
This isn’t the first time NordVPN has warned that cookies are being abused, with millions of stolen UK consumers internet browser cookies leaked on the dark web in 2024, although globally the total for 2024 was 54 billion – outlining an increase year-on-year.
These cookies from the dataset contained a range of different information types, with the most common keywords being “ID” (18 billion), alongside “session” (1.2 billion), “Auth” (292 million), and “login” (61 million) – this is particularly worrying, as it suggests that they could be used “hijack live sessions without a password”. The researchers warn;
“Cookies may sound sweet, but sometimes they can leave a bad taste. The truth is, even the most seemingly unimportant cookies can do a lot of damage to you or your business. Once one door is open, it isn’t that difficult to open others. Session cookies, especially active ones, are a goldmine. They let attackers skip login pages altogether.”
That’s not all though. These cookies could allow attackers to take over social media accounts, bypass two-factor authentication, launch social engineering attacks, or even access sensitive financial information.
