Session Hijacking: How Stolen Cookies Beat Your 2FA

Infostealers don't crack your password and they don't need your second factor. They copy the session cookie your browser already holds and log straight in. Here's how it works and how to stop it.

BROWSER.LOL
05.02.2026
20 min read

In January 2024, Linus Tech Tips lost a large portion of its video library and three of its YouTube channels to an attacker. The password manager was untouched. Two-factor authentication was enabled. Nobody on the team got a login alert. The attacker didn't log in; they didn't have to. They had a session cookie the victim's browser had already accepted as proof of login.

This is the reality of modern account takeover. Passwords are rarely cracked. Two-factor codes are rarely intercepted. What gets stolen is the session token, the cookie your browser holds that says "this user is already authenticated". Extract it, replay it on another browser, and you get direct access with no further checks.

What a session actually is

When you sign in to a service, the server checks your password and second factor exactly once. After that, it issues your browser a cookie, usually a long random token. On every subsequent request, your browser sends that cookie along, and the server accepts it as proof you're already logged in. This is why you don't have to re-authenticate on every page.

These tokens typically last days to weeks. Gmail accepts sessions for up to two weeks. Slack and Discord, up to a year. Some SaaS tools never expire at all. Whoever holds the token is, from the server's point of view, the legitimate user, no matter what device presents it.

The cookie lives in a database inside your browser profile, files like Cookies or Network State inside the Chrome user data folder. Any program running with your user privileges can read it. Windows encrypts some values, but it does so with the same account's DPAPI key, and the program has that.

How cookies get stolen today

[Illustration: a stylized browser passing a cookie to a second browser]

The attack family is called infostealers. Programs like RedLine, Raccoon, Lumma, and Stealc are sold as a service for a few hundred dollars a month. They run for seconds on the victim's computer, vacuum up every cookie, password, autofill entry, and crypto wallet, and then exit.

The most common entry is cracked software and game cheats. Behind those are malvertising campaigns, fake installers for popular tools, and supposedly pirated programs. After infection it takes less than a minute for every scrap of browser data to be in the attacker's hands.

The stolen bundles go up for sale on marketplaces like Russian Market, Genesis, and 2easy. Buyers don't just purchase a password; they purchase a "bot": a package of cookies, browser fingerprint, user agent, and IP history. With it, a buyer recreates your browser environment closely enough to slip past a service's risk engine.

Why your second factor doesn't help here

Two-factor authentication protects the login. Once the login succeeds, the session gets issued. The cookie tells the server "you already checked me, three days ago". The server believes it. An attacker replaying the cookie bypasses the whole authentication path, including 2FA and any biometric step.

Some providers anchor sessions to IP address or device fingerprint. That helps against obviously different devices, but not against an attacker who configures a matching fingerprint and IP. That's exactly what the marketplaces sell alongside the cookie. Your security team sees, at most, a login from your city during your working hours.

Hardware keys with FIDO2 help at login. They don't help against a cookie that has already been issued. Some high-value services are starting to adopt token-binding approaches such as Device-Bound Session Credentials (DBSC), but in 2026 these are only partially rolled out. Until then, a stolen cookie is a valid cookie.
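The three sections above describe one mechanism from three angles: credentials are checked once, a bearer cookie stands in for them afterwards, and anyone presenting that cookie is the user unless the server binds it to something or voids it. The toy session store below is an added example written for this article, not browser.lol code or any real service's implementation. Everything in it is constructed: the `toy_totp` stand-in is not real TOTP, the `fingerprint` hash is a hypothetical device-binding value, and the password hashing is a placeholder for a real KDF. It shows the unbound cookie being accepted from a second device, a bound cookie being refused from that device, and a password change voiding every outstanding cookie at once.

```python
"""Toy session model: one login mints a bearer cookie, later requests present
only that cookie, and a replayed cookie is accepted without password or 2FA.
Constructed example for this article, not browser.lol code or any real service."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

SESSION_TTL = 14 * 24 * 3600  # two weeks, the Gmail lifetime quoted in the text


def toy_totp(secret: str) -> str:
    """Stand-in for a TOTP code; not RFC 6238, just a deterministic 6-char value."""
    return hashlib.sha256(secret.encode()).hexdigest()[:6]


def fingerprint(user_agent: str, ip: str) -> str:
    """Hypothetical device-binding value: a hash of what the server can observe."""
    return hashlib.sha256(f"{user_agent}|{ip}".encode()).hexdigest()


@dataclass
class User:
    password_hash: str
    totp_secret: str
    session_generation: int = 0  # bumped on password change to void every cookie


@dataclass
class Session:
    user: str
    issued_at: float
    generation: int
    client_hash: Optional[str]  # None for an unbound (classic) session


class SessionStore:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    @staticmethod
    def _hash(password: str) -> str:
        return hashlib.sha256(password.encode()).hexdigest()  # toy; use a real KDF

    def register(self, name: str, password: str, totp_secret: str) -> None:
        self.users[name] = User(self._hash(password), totp_secret)

    def login(self, name, password, totp_code, client_hash=None):
        """Password and second factor are verified exactly once, here."""
        user = self.users.get(name)
        if user is None or not hmac.compare_digest(user.password_hash, self._hash(password)):
            return None
        if not hmac.compare_digest(totp_code, toy_totp(user.totp_secret)):
            return None
        token = secrets.token_urlsafe(32)  # this is the cookie value
        self.sessions[token] = Session(name, time.time(), user.session_generation, client_hash)
        return token

    def request(self, token, client_hash=None):
        """Every later request shows only the cookie: no password, no 2FA."""
        s = self.sessions.get(token)
        if s is None or time.time() - s.issued_at > SESSION_TTL:
            return None
        if s.generation != self.users[s.user].session_generation:
            return None  # voided by a password change
        if s.client_hash is not None and s.client_hash != client_hash:
            return None  # bound session presented from a different device profile
        return s.user

    def change_password(self, name, new_password):
        user = self.users[name]
        user.password_hash = self._hash(new_password)
        user.session_generation += 1  # invalidates all outstanding cookies at once


def demo():
    store = SessionStore()
    store.register("alice", "correct horse battery", "JBSWY3DPEHPK3PXP")
    code = toy_totp("JBSWY3DPEHPK3PXP")
    victim = fingerprint("Chrome/132 Windows", "203.0.113.7")    # constructed values
    attacker = fingerprint("Firefox/135 Linux", "198.51.100.9")  # constructed values

    # Classic unbound session: the copied cookie works from any device.
    cookie = store.login("alice", "correct horse battery", code)
    replay_accepted = store.request(cookie, attacker) == "alice"

    # Device-bound session: same cookie, different device profile, rejected.
    bound = store.login("alice", "correct horse battery", code, client_hash=victim)
    bound_replay_accepted = store.request(bound, attacker) == "alice"
    bound_owner_accepted = store.request(bound, victim) == "alice"

    # Rotating the password from a clean machine voids the stolen cookie too.
    store.change_password("alice", "new long passphrase")
    stolen_after_rotation = store.request(cookie, attacker)
    return replay_accepted, bound_replay_accepted, bound_owner_accepted, stolen_after_rotation


if __name__ == "__main__":
    print(demo())  # (True, False, True, None)
```

The binding check is only as strong as the values it hashes: an attacker who reproduces the victim's user agent and IP, as the marketplaces described above make possible, produces the same `fingerprint` and passes it. The `session_generation` counter is the part that does not depend on guessing the attacker's setup, which is why the password change is the step that actually ends a hijacked session.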

How to spot a theft

[Illustration: a browser window with a warning triangle and three highlighted rows marking suspicious events]

The classic login alerts miss it when an attacker reuses your session instead of logging in fresh. The signals are subtler. Sent mail you didn't write is a strong indicator. New filters or forwarding rules you didn't create are almost always attacker artifacts. Friends receiving messages you don't remember writing is an obvious red flag.

In services that expose session management (Google, GitHub, Discord), check the active devices list. Sessions from unexpected cities, browsers, or operating systems should be revoked immediately. Then change the password: a password change forces a fresh login, while the logout button alone doesn't always invalidate every stolen session.

If you suspect an infostealer, rotating passwords isn't enough. The right order is: wipe or forensically isolate the device, change passwords from a clean machine, invalidate all sessions, rotate 2FA secrets.
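The detection signals in this section share one property: they appear without any new login, so they only surface in session activity and audit trails. The script below is an added example, not browser.lol tooling or any vendor's detector, and the JSON log format and the sample lines are constructed for it. It groups events by session identifier, flags a session whose cookie has been presented from more than one IP/user-agent combination (reuse rather than re-login), and lists the mailbox persistence actions the text singles out (new filters, forwarding rules) that occurred from the foreign origin.

```python
"""Session-reuse and mailbox-persistence detection over constructed audit log lines.
Added example for this article; log format, field names and sample values are invented."""
import json
from collections import defaultdict

# Constructed sample log: one JSON object per line. "sid" stands for a hash of the
# session cookie, not the cookie itself, so the log is safe to retain.
SAMPLE_LOG = """\
{"ts":"2026-02-05T08:02:11Z","sid":"s1f3","user":"alice","ip":"203.0.113.7","ua":"Chrome/132 Windows","action":"mail.read"}
{"ts":"2026-02-05T08:40:52Z","sid":"s1f3","user":"alice","ip":"203.0.113.7","ua":"Chrome/132 Windows","action":"mail.read"}
{"ts":"2026-02-05T09:15:03Z","sid":"s1f3","user":"alice","ip":"198.51.100.9","ua":"Chrome/132 Windows","action":"mail.read"}
{"ts":"2026-02-05T09:15:40Z","sid":"s1f3","user":"alice","ip":"198.51.100.9","ua":"Chrome/132 Windows","action":"filter.create"}
{"ts":"2026-02-05T09:16:02Z","sid":"s1f3","user":"alice","ip":"198.51.100.9","ua":"Chrome/132 Windows","action":"forwarding.enable"}
{"ts":"2026-02-05T09:30:00Z","sid":"77ab","user":"bob","ip":"192.0.2.44","ua":"Firefox/135 macOS","action":"mail.read"}
{"ts":"2026-02-05T10:00:00Z","sid":"77ab","user":"bob","ip":"192.0.2.44","ua":"Firefox/135 macOS","action":"mail.send"}
"""

# Actions the article calls near-certain attacker artifacts when the user didn't do them.
PERSISTENCE_ACTIONS = {"filter.create", "forwarding.enable"}


def analyze(log_text):
    """Return a list of findings, one per suspicious session."""
    by_sid = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = json.loads(line)
            by_sid[event["sid"]].append(event)

    findings = []
    for sid, events in by_sid.items():
        events.sort(key=lambda e: e["ts"])  # ISO-8601 UTC strings sort chronologically
        first_origin = (events[0]["ip"], events[0]["ua"])
        origins = {(e["ip"], e["ua"]) for e in events}
        if len(origins) > 1:
            # The same cookie was presented from a second network/browser combination
            # with no new login in between, so a classic login alert never fires.
            foreign = [e for e in events if (e["ip"], e["ua"]) != first_origin]
            findings.append({
                "sid": sid,
                "user": events[0]["user"],
                "type": "session_reuse",
                "first_seen_from": first_origin[0],
                "also_seen_from": sorted({e["ip"] for e in foreign}),
                "persistence_actions": [e["action"] for e in foreign
                                        if e["action"] in PERSISTENCE_ACTIONS],
            })
        elif any(e["action"] in PERSISTENCE_ACTIONS for e in events):
            # Forwarding or filter changes from the usual origin still deserve a look.
            findings.append({
                "sid": sid,
                "user": events[0]["user"],
                "type": "persistence_only",
                "persistence_actions": [e["action"] for e in events
                                        if e["action"] in PERSISTENCE_ACTIONS],
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(json.dumps(finding))
```

Run on the sample, only alice's session is reported: the cookie moved from 203.0.113.7 to 198.51.100.9 and the foreign origin created a filter and enabled forwarding. Two caveats follow from the text above. A user switching between Wi-Fi, mobile data and a VPN also changes IP within one session, so the reuse signal alone is noisy and the persistence actions are what make the finding worth acting on. And an attacker who replays the cookie behind a matching user agent and a residential IP in the victim's city, which is exactly what the marketplaces sell, produces a single origin and is invisible to this check; the mailbox artifacts and the active-devices review are then the remaining signals.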

Protecting sessions without becoming a hermit

[Illustration: two sealed bubbles, each holding a browser with its own cookie, with no connection between them]

The most effective step is to never let sensitive cookies exist on your main device in the first place. If you sign in through an isolated browser that's wiped at the end of the session, there's no cookie left behind on any running machine. An infostealer on your laptop finds nothing to steal.

In practice, a tiered model works well. Day-to-day logins on low-stakes sites stay in your normal browser. High-value accounts (anything that moves money, deploys code, runs ad budgets, or exposes customer data) open only in an isolated session. Changing this habit is the only thing that reliably defeats this class of attack. For the bigger picture, see How Hackers Use Your Browser History.
