Hackers steal 17 billion cookies to bypass 2FA

forbes.com

Hackers are finding ways to bypass two-factor authentication (2FA), a tool that many use to secure their online accounts. They have stolen about 17 billion session cookies that allow them to skip the 2FA verification process entirely.

Two-factor authentication is designed to provide extra security for online accounts. Typically, even if a hacker knows your password, they cannot access your account without the 2FA code. However, a session cookie tells the site that the user has already completed the 2FA process. By capturing these cookies, hackers can enter the account without needing the 2FA code.

A recent report from SpyCloud revealed that 17.3 billion session cookies were stolen in 2024 from devices infected with malware. These cookies include the URL of the targeted account, making it easier for hackers to hijack accounts. SpyCloud stated that stolen session cookies have become a significant tool for cybercriminals.

To reduce the risk of 2FA bypass attacks, experts recommend using passkeys. Research from Google shows that passkeys can help protect against phishing and social engineering attacks. It's also important to stay alert for phishing attempts, as these tactics are often used to install malware that steals session cookies.

