94 Billion Stolen Browser Tracking Cookies Published To Dark Web

Forbes

27-05-2025

Billions of leaked browser tracking cookies are available on the dark web.
Although you would be right to be concerned about the number of compromised credentials that have been published to the dark web, some 19 billion passwords alone, there's more to worry about than just the stolen password problem. Even as the FBI is recognized for having success as part of Operation RapTor, disrupting dark web marketplaces, and Microsoft's Digital Crimes Unit likewise for disrupting the Lumma Stealer password-compromising malware infrastructure, so the true scope of shadowy criminal hacker resource forums emerges. The latest research has confirmed the truly staggering number of stolen browser tracking cookies that have been published on the dark web, all 94 billion, along with the hacking threats that accompany them. Here's what you need to know.
Nord Security's Aurelija Skebaite has revealed in a May 27 report how threat exposure researchers at NordStellar analyzed 93.7 stolen browser cookies found on the dark web. While most cookies can be thought of as harmless enough, in the overall scheme of life on the internet, once they get into the wrong hands, all bets are off. 'Even the smallest crumb can reveal a whole digital trail,' Skebaite warned, 'so accepting web cookies blindly can be a risky habit.' The newly published research reveals just how risky.
The research revealed what NordVPN has called a massive malware operation. The total of 94 billion cookies stolen is bad enough, a 74% increase from the 2024 report totals from the same researchers, but more than 20% of them are currently active and pose a threat to user privacy and security, which is even worse. There are some 18 billion assigned IDs and 1.2 billion session IDs exposed, critical data types when it comes to identifying users and securing their online accounts.
'The stolen information often included full names, email addresses, cities, passwords, and physical addresses,' Skebaite said, 'key personal data that can be used for identity theft, fraud, and unauthorized account access.' Digging into the data, the researchers found that there were more than 4.5 billion cookies associated with Gmail, Google Drive and assorted Google services, with YouTube and Microsoft also accounting for more than a billion cookies each. 'Popular platforms make for tasty targets because you can scrape more information off of them,' Skebaite explained. Here's the kicker, though, using stolen session cookies could give hackers access to email, files, calendars, and accounts, 'with no need to guess passwords or trigger two-factor authentication.'
Several mitigations can be considered, including blocking cookies and not accepting them initially. Rejecting unnecessary cookies is always a good move, and third-party ones that track you, especially so. You can always reject them, and if it impacts your use of a website, then you have the option to go back and accept. Whatever, I would recommend clearing your browser cookie cache, along with your browsing history, on a regular basis. If nothing else, as Skebaite said, 'it helps reduce the window of time during which your data can be hijacked.'