2FA Code Warning As Hackers Steal 17 Billion Cookies To Use In Attacks

Forbes - Mar 19th, 2025

Hackers have found a way to bypass two-factor authentication (2FA) by exploiting stolen session cookies, as highlighted in SpyCloud's newly published 2025 identity exposure report. The report reveals that 17.3 billion session cookies were stolen in 2024 from malware-infected devices. Because a session cookie marks a session in which 2FA verification has already been completed, an attacker who holds it can hijack the account without needing the actual 2FA code. By using attacker-in-the-middle techniques, cybercriminals can capture these cookies and replay the authenticated sessions at their leisure, posing a significant threat to account security.

The implications of this development are significant, as it underscores the vulnerability of current authentication measures and the growing sophistication of cyber threats. Despite the widespread recommendation to use 2FA for enhanced security, the ability to bypass it using session cookies highlights the need for additional protective measures. Experts suggest using passkeys and being vigilant against phishing attacks, which often serve as a gateway for installing infostealer malware. This evolving threat landscape demands continuous attention to cybersecurity practices to mitigate the risks posed by these advanced hacking techniques.

Story submitted by Fairstory

RATING

6.0 - Moderately Fair - Read with skepticism

The article provides a timely and relevant discussion on cybersecurity threats, specifically focusing on the vulnerabilities of two-factor authentication (2FA) and the risks associated with session cookie theft. It effectively raises awareness about these issues and offers practical advice for mitigation, making it a valuable resource for readers concerned about online security.

While the article is mostly accurate and clear in its presentation, it would benefit from more explicit sourcing and verification of the statistical claims made. The balance could be improved by including more perspectives on the advancements in cybersecurity measures and the broader implications of these threats.

Overall, the article succeeds in engaging readers and providing useful information on a pressing issue, but it could enhance its impact and credibility by incorporating a wider range of sources and expert opinions.

RATING DETAILS

Accuracy: 7

The story presents a number of factual claims regarding cybersecurity threats, particularly focusing on the vulnerability of two-factor authentication (2FA) to session cookie theft. The claim that hackers can bypass 2FA using stolen session cookies aligns with current cybersecurity knowledge, where session hijacking through man-in-the-middle attacks is a recognized threat. However, the story's assertion that 17.3 billion session cookies were stolen in 2024 according to SpyCloud's report requires verification, as such specific figures demand corroboration from reliable sources.

The article suggests that 50% of users reuse passwords across multiple sites, a statistic that, while plausible, should be backed by recent studies or surveys to ensure its accuracy. The piece also discusses the effectiveness of passkeys in reducing phishing attacks, attributing this to Google's internal research. While this claim is credible given Google's expertise in cybersecurity, specific data or a direct reference to the research would strengthen the story's accuracy.

Overall, the article is mostly accurate in its depiction of cybersecurity threats and mitigation strategies, but it would benefit from more explicit sourcing and verification of the statistical claims made.

Balance: 6

The article primarily focuses on the threats posed by hackers and the vulnerabilities of current authentication systems, particularly 2FA. While it effectively highlights the risks and the innovative methods hackers use, it could offer a more balanced perspective by discussing the advancements and successes in cybersecurity measures that counteract such threats.

The narrative strongly leans towards emphasizing the dangers and potential failures of security systems without equally highlighting the efforts and innovations in cybersecurity that have been effective. Including viewpoints from cybersecurity experts or industry leaders on how these threats are being mitigated could provide a more rounded view.

Additionally, the article could explore different perspectives on the implications of session cookie theft, such as the legal and ethical considerations or the role of user education in preventing such attacks.

Clarity: 8

The article is written in a clear and engaging manner, effectively explaining complex cybersecurity concepts such as 2FA, session cookies, and man-in-the-middle attacks. The use of analogies, such as comparing 2FA to a nightclub doorman, helps to simplify and convey technical information to a general audience.

The structure of the article is logical, with a clear progression from identifying the threat to explaining how it works and then discussing potential mitigation strategies. This logical flow aids in reader comprehension and keeps the narrative engaging.

However, the article could benefit from clearer delineation between verified facts and speculative or opinion-based statements. While the tone is generally neutral, some phrases, such as "you’re screwed," may detract from the professional tone expected in a news article.

Source quality: 5

The article cites SpyCloud's 2025 identity exposure report as a primary source for the claim about stolen session cookies, which suggests reliance on a credible cybersecurity firm. However, the lack of direct links or access to the report limits the ability to verify the information independently.

The mention of Google's internal research on passkeys adds some credibility, but without specific references or quotes from Google's findings, the claim remains somewhat unsubstantiated. The article would benefit from a broader range of sources, including cybersecurity experts, academic research, or government reports, to enhance its reliability.

Overall, while the sources mentioned are potentially credible, the article does not provide enough direct evidence or variety in sourcing to fully substantiate its claims.

Transparency: 4

The article lacks transparency in its sourcing and methodology. It makes several claims about cybersecurity threats and statistics without providing direct access to the sources or detailed explanations of how these conclusions were reached.

For instance, the claim about the number of stolen session cookies would benefit from a clear reference to the specific section of the SpyCloud report where this data is presented. Similarly, the mention of Google's internal research on passkeys lacks transparency, as it does not specify the nature of the research or its findings in detail.

In terms of conflict of interest, the article does not disclose any potential biases or affiliations that might influence its content. Providing more context about the sources and the basis for the claims would improve the article's transparency.
