Session Hijacking Is Maturing. What Proactive Measures Can Secure Active Sessions? | HackerNoon

Attackers aren’t just phishing for credentials; they’re automating session hijacking in ways that trusted security practices such as multi-factor authentication (MFA) cannot always protect us from.

In the same way that our advanced cybersecurity teams are creatively applying automation and AI to secure business environments, hackers look for methods to exploit data using these tools.

For example, they repurpose everyday tools, like Axios and Node-Fetch, to automate account session takeovers (ATOs). These tools are used to send and receive HTTP requests, and attackers can modify requests in real time, enabling rapid validation of stolen credentials or session cookies. Moreover, Node-Fetch allows attackers to bypass rate-limiting by distributing requests across proxies, which hackers exploit for high-volume password spraying. They also use anti-detect browsers to recreate a device’s footprint when taking over a session, to avoid more advanced forms of heuristics-based session takeover detection.

By replaying stolen session cookies or tokens, attackers bypass MFA, effectively impersonating a logged-in user without needing their credentials or MFA code. Since session tokens and cookies tell sites, “This person is already logged in,” hackers can skip the login process entirely.

Flare is seeing a 28% annual increase in exposed accounts from stolen session cookies and live session manipulation. Security teams must be aware of these rising threats and how to prevent them.

How Session Theft Is Exploding

Every month on average, over 1 million end-user accounts on social media, streaming, and e-commerce platforms are exposed, triggering millions of dollars in damages down the line.

Infostealer malware silently infects computers and systematically exfiltrates massive amounts of sensitive information such as browser-saved credentials, session cookies, browser auto-fills, browser history, files stored on the device, a screenshot of the device, and/or browser fingerprints. Threat actors then distribute these stolen data points as “stealer logs” via platforms like Telegram and the dark web, providing a constant flow of compromised data that can be leveraged in attacks.

While infostealer malware requires the victim to execute a malicious file or visit a compromised site, man-in-the-middle (MitM) attacks often exploit insecure networks or routers to intercept communication between two parties. These attacks proxy traffic to capture sensitive data, such as login credentials and MFA tokens in transit.

Hackers will also employ residential proxies and VPNs to mask their true location and IP address, making their activity appear as if it is coming from the same region or country as the legitimate user. This helps bypass geographic or IP-based security controls.

Meanwhile, anti-detect browsers help attackers mimic the legitimate user’s device profile, including user-agent strings, screen resolution, installed plugins, and other browser characteristics. With these customized browsers, their session replay appears authentic to anti-fraud systems. Hackers simply load stolen cookies into the anti-detect browser and assume many of the victim’s active sessions, accessing accounts without needing to re-authenticate and bypassing any enforced two-factor. By recreating the device fingerprint and resuming the session from a residential proxy IP located in a similar geography, many will simply assume the user has done something innocuous, like move from home to a local coffee shop—not an event that would require re-authentication in many platforms.

This Isn’t Just a Security Risk—It’s an Economic One

In 2023, Amazon disclosed that it invested over $1.2 billion and dedicated over 15,000 employees to fraud and abuse, implying over 25 million working hours per year. However, while many companies are not as big as the e-commerce giant, the costs still add up considerably.

On a per-investigation basis, assuming a $130,000–$150,000 cybersecurity professional’s salary and a 30-minute to 1-hour investigation on a single account takeover, $70 is a good baseline average labor cost. However, this figure must be multiplied by the number of annual ATOs.

Alongside labor costs, companies also risk losing customers due to negative brand reputation. Flare calculated that a streaming platform with 150 million global users, charging $20 per month ($240 per year) for its service, loses roughly $34.8 million annually based on a 1.4% median ATO exposure rate and 0.5% incident rate.

In this scenario, the implied number of customers impacted by ATO per year is 750,000. Of this, we can assume 145,000 churned users based on the likelihood of not being notified by the company (57%) and customer sentiment to blame the brand (73%). One hundred forty-five thousand churned users multiplied by an annual $240 subscription cost leads to a revenue impact of $34.8 million annually.

Add to that labor costs and fraud losses, and the streaming platform is looking at a loss of $68 million.

How Do We Stop This?

According to the 2025 Verizon DBIR, more than half (54%) of companies hit by ransom attacks had their websites listed in stealer logs on the black market. Of those, 40% had work email addresses included in the data. This means that the stolen usernames and passwords were likely used to break into these companies.

Stealer logs are highly sought after and accessible on the dark web and illicit Telegram channels. For organizations to minimize the threat of leaked details being used in ransom attacks, they must be where hackers are. They must track and monitor these sites throughout the day.

Threat exposure management tools help companies scan the clear and dark web and prominent threat actor communities 24/7 to discover unknown events. Flare, for example, tracks over 100 million stealer logs with over 1.3 million new stealer logs per week. By identifying accounts at risk of being compromised, organizations can take preventive measures against account misuse.

Other tools that help to prevent leaked credentials include:

• Password managers: Policies that encourage employees not to save their passwords in the browser eliminate a significant amount of risk.
• MFA: While certain tools can bypass MFA, it is still an added layer of security we cannot afford to skip. Stealer logs can contain session cookies, but it’s possible they would not be fresh enough to use.
• Employee training: Damaged software downloads, malicious ads, and phishing attacks are common methods for distributing infostealer malware. Employees are the first layer of defense against external risks, and providing training, especially additional training for users who fail the training, will holistically improve the organization’s defenses.
• BYOD policies: Employees saving corporate credentials in the browser of their personal computers are a major risk factor. Strict policies on employees accessing corporate resources from their personal devices would greatly help avoid infostealer malware.
• Stealer log monitoring: Make sure your continuous threat exposure management plan includes monitoring for stealer logs across the clear, deep, and dark web.

As the financial damage from cybersecurity threats continues to advance, more business leaders are asking how they can move beyond just defending themselves and start actively disrupting the attackers. By being proactive, monitoring where hackers are, and building a security-first culture among employees, companies dramatically limit the opportunity for leaked credentials to turn into malicious ATOs.