Start with Identity
Subscribe
Breach teardown · Cross-industry

Infostealers and session hijacking: stealing the session, skipping the login

Affected: Cross-industryDisclosed: 2024-01Root cause: Stolen session cookies and tokens that bypass MFA

What happened

Across 2024 and 2025, infostealer malware (RedLine, Lumma, and successors) became one of the largest sources of identity compromise. Beyond passwords, these tools grab browser session cookies and tokens. With a stolen session cookie, an attacker imports it into their own browser and is logged in as the victim, with no password prompt and no MFA challenge, because the session is already authenticated.

Root cause

Sessions are long-lived bearer tokens. Most apps issue a cookie that stays valid for days or weeks and is not bound to the device that obtained it, so anyone who copies it inherits the session. MFA protects the login event, not the session that follows it.

The identity lesson

Stopping credential theft is not enough when the session itself is the prize. Defenders have to protect the post-authentication session, which is where ITDR and modern session controls come in. This is also why "we have MFA" is an incomplete answer to account takeover.

How to defend

  • Shorten session lifetimes and re-evaluate risk continuously rather than trusting a long-lived cookie.
  • Bind tokens to a device or client (DPoP, mutual TLS) so a copied cookie fails elsewhere.
  • Enforce device posture and managed-device checks at sensitive actions.
  • Deploy endpoint protection to stop infostealers, and use ITDR plus exposure intelligence to detect stolen-session use and credential leaks.

Related

Standards: FAPI and sender-constrained tokens. Glossary: token theft, session hijacking, infostealer. Vendors: ITDR.

Compiled from public disclosures and incident reporting; see the linked sources. Independent, community-driven analysis, not a statement of fact about any party. See the disclaimer.