**Billions of Stolen Cookies Flood Dark Web, Exposing User Accounts and Personal Data**
A recent investigation by NordVPN and threat exposure platform NordStellar has uncovered a massive trove of stolen internet cookies—approximately 93.7 billion—available for sale on dark web marketplaces. The analysis, conducted between April 23 and April 30, 2025, examined data from Telegram channels, revealing that 15.6 billion of these cookies were still active, posing an immediate security risk.
The stolen cookies contained sensitive data, including user IDs (18 billion), session tokens (1.2 billion), names, email addresses, locations, and even passwords. Session cookies, in particular, allow attackers to hijack active user sessions, granting unauthorized access to accounts without requiring passwords. The compromised data also enables targeted phishing attacks and identity theft.
The majority of stolen cookies originated from major platforms, with Google services accounting for over 4.5 billion, followed by YouTube and Microsoft (each over 1 billion). The primary theft method involved malware, particularly infostealers like Redline, which was responsible for stealing nearly 42 billion cookies.
The findings highlight the growing threat of cookie-based attacks, where seemingly harmless browser files become tools for cybercriminals to exploit personal and corporate security.
Source: https://hackread.com/nearly-94-billion-stolen-cookies-on-dark-web/
Google TPRM report: https://www.rankiteo.com/company/google
YouTube TPRM report: https://www.rankiteo.com/company/youtube
"id": "gooyou1766548552",
"linkid": "google, youtube",
"type": "Breach",
"date": "4/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Over 4.5 billion cookies',
'industry': 'Internet Services',
'name': 'Google',
'size': 'Large',
'type': 'Technology'},
{'customers_affected': 'Over 1 billion cookies',
'industry': 'Video Sharing',
'name': 'YouTube',
'size': 'Large',
'type': 'Technology'},
{'customers_affected': 'Over 1 billion cookies',
'industry': 'Software',
'name': 'Microsoft',
'size': 'Large',
'type': 'Technology'}],
'attack_vector': 'Malware (Infostealers, Trojans, Keyloggers)',
'customer_advisories': 'Guidance on rejecting unnecessary cookies and using '
'security tools',
'data_breach': {'data_exfiltration': 'Yes (sold on dark web)',
'number_of_records_exposed': '93.7 billion',
'personally_identifiable_information': 'Names, email '
'addresses, countries, '
'cities, passwords',
'sensitivity_of_data': 'High (personally identifiable '
'information, session tokens)',
'type_of_data_compromised': 'Web cookies (session IDs, '
'personal data, passwords)'},
'date_detected': '2025-04-23',
'date_publicly_disclosed': '2025-04-30',
'description': 'A recent investigation reveals approximately 93.7 billion '
'stolen cookies available for sale in underground online '
'marketplaces, posing severe privacy risks. The cookies '
'contain sensitive personal data, including session IDs, '
'names, email addresses, and passwords, which can be exploited '
'for phishing attacks or identity theft. The majority of these '
'cookies were stolen using malware such as infostealers, '
'trojans, and keyloggers, with Redline being the most '
'prolific.',
'impact': {'brand_reputation_impact': 'Significant (major platforms like '
'Google, YouTube, Microsoft affected)',
'data_compromised': '93.7 billion cookies (15.6 billion active)',
'identity_theft_risk': 'High'},
'initial_access_broker': {'data_sold_on_dark_web': 'Yes'},
'investigation_status': 'Completed (analysis of stolen cookies)',
'lessons_learned': 'Web cookies, designed for convenience, can be exploited '
'as digital keys to private information. Users must adopt '
'proactive security measures to mitigate risks.',
'motivation': 'Financial gain, identity theft, phishing attacks',
'post_incident_analysis': {'corrective_actions': 'Enhanced user education on '
'cookie security, adoption '
'of anti-malware tools, and '
'VPNs',
'root_causes': 'Malware (Redline, other '
'infostealers) used to steal '
'cookies containing sensitive data'},
'recommendations': ['Reject unnecessary cookies, especially third-party '
'trackers',
'Regularly clear cookies from browsers',
'Use anti-malware software and VPNs to block malicious '
'websites and encrypt traffic'],
'references': [{'date_accessed': '2025-04-30', 'source': 'NordVPN'}],
'response': {'communication_strategy': 'Public advisory on protective '
'measures',
'third_party_assistance': 'NordVPN, NordStellar'},
'stakeholder_advisories': 'Public advisory on protective measures against '
'cookie theft',
'title': 'Widespread Data Exposure via Stolen Internet Cookies on Dark Web',
'type': 'Data Exposure',
'vulnerability_exploited': 'Stolen web cookies (session IDs, personal data)'}