Cookies offer quick access to your favourite sites, but they can also leave your online presence vulnerable. This opens a window for hackers to hijack your web sessions and steal vital data. These small data files, essential for online experiences, can become targets for cyberattacks, such as session ID hijacking. 

Cookie files can store a variety of data, including browsing preferences, personal details such as phone numbers or payment information and even login credentials. 

“Web session hijacking is one of the most dangerous cyber threats, often more severe than password theft, as it can bypass strong safeguards like multi-factor authentication,” Neehar Pathare, Managing Director and Chief Executive Officer of 63SATS Cybertech, told businessline.

A notable case was the CircleCI breach in  2023, where attackers stole a two-factor authentication-protected single-sign-on session cookie from an engineer’s machine. (Single sign-on is an authentication method that lets a user log in with a single set of credentials (like a username and password) to multiple, independent software systems.) “This foothold allowed them to obtain GitHub OAuth tokens (digital keys) and escalate access, ultimately exfiltrating encryption keys, environment variables and other confidential information,” Pathare said.

A new Kaspersky report shows that 87 per cent% of randomly surveyed websites display cookie notifications, yet most users remain unaware of the serious threats posed by these small data files.

“Attackers can steal these cookies to hijack a user’s session on a website. For instance, with a session sniffing technique, attackers might intercept a user’s session ID on public Wi-Fi, or if the site uses the HTTP protocol instead of HTTPS,” the report said.

In a real-life scenario, if an attacker intercepts a user’s session ID while the user is logged into an online store, the attacker can, for instance, get the shipping address or access the user’s payment credentials if the session grants access to the account’s payment settings.

“Session ID hijacking can lead to privacy breaches, financial loss, as well as account compromise or even identity theft. The user may also face reputational damage if the attacker misuses their account to send fraudulent messages or make unauthorised posts,” Natalya Zakuskina, Senior Web Content Analyst at Kaspersky, said.

How to stay safe

Cybersecurity experts ask people to avoid browsing HTTP-based websites and never input any sensitive information on these websites, as it is easily intercepted. 

“Users should also avoid sharing sensitive or confidential information when using public Wi-Fi networks. They should opt for minimal cookie acceptance whenever possible,” Zakuskina said.

It is also advised to activate two-factor authentication, avoid clicking on suspicious links and regularly clear browser data.

Published on September 13, 2025