Stolen web cookies – small data files used to store login credentials and user preferences – have become a growing threat vector, enabling unauthorized account access and facilitating large-scale digital fraud.
According to new data from NordVPN, threat actors have obtained approximately 94 billion browser cookies over the past year, representing a 74% increase from the prior reporting period.
These cookies are frequently used to bypass login credentials by exploiting stored session data, which can remain active even after users close their browsers.
Adrianus Warmenhoven, cybersecurity expert at NordVPN, said cookies may seem harmless, but they’re a growing threat.
“Hackers use them to gain direct access to people’s accounts and information,” he said.
The report found that more than 20% of the compromised cookies were still functional, enabling attackers to access personal and enterprise accounts without triggering authentication protocols.
The compromised data came from systems in over 250 countries, with Brazil, India, Indonesia, and the US seeing particularly high volumes. Within Europe, Spain and the UK reported the highest rates of active cookie theft.
In addition to browser cookies, significant amounts of other sensitive information were also exposed. These include 18 billion user-assigned IDs, 1.2 billion session tokens, and various personal identifiers such as emails, names, and geolocation data – valuable assets for threat actors engaged in identity fraud or social engineering schemes.
NordVPN attributed the breaches to 38 known malware strains, including Redline, Vidar, and LummaC2, which collectively accounted for over 60 billion of the stolen cookies.
Emerging strains like RisePro and Rhadamanthys have been specifically engineered to evade security defences and accelerate data exfiltration.
The findings were consistent with results from Rubrik Zero Labs, which reported that 90% of security and IT professionals surveyed experienced at least one successful cyberattack in 2024. Approximately one in five faced more than 24 such incidents during the year.
According to the report, 40% of respondents increased their cybersecurity spending, while 37% experienced reputational damage. Leadership turnover followed in about a third of the organisations affected by breaches.
Most frequently cited attack vectors included malware, phishing, and cloud-based vulnerabilities.
Insider threats – particularly those involving stolen credentials – remained a concern for 28% of respondents.
