Is MFA Unhackable? Infostealers Say Otherwise!

Posted on February 12, 2025

Spanish telecommunications giant Telefonica recently fell victim to a significant cybersecurity breach, showing that even large organizations can be vulnerable. The event highlights how important it is to maintain strong defenses, especially against infostealers, which are designed specifically to steal information.

The Breach: What Happened?

This month (January 2025), Telefonica confirmed unauthorized access to its internal Jira ticketing system. The breach, orchestrated by a group of attackers allegedly linked to the Hellcat ransomware group, resulted in the theft of approximately 2.3 GB of sensitive data. The stolen information included:

  • 24,000 employee emails and names
  • 500,000 Jira issues and summaries
  • 5,000 internal documents
  • 236,493 lines of customer data

The Attack Vector: Infostealer Malware

The breach was facilitated by infostealer malware, a type of malicious software designed to harvest sensitive information such as login credentials from infected devices. Numerous employees were reported to be compromised, providing attackers with the credentials they used for initial access:

  • 469 employee credentials on Telefonica’s domain were compromised.

Multi-factor authentication (MFA) has long been a cornerstone of strong account security – and it remains crucial. However, emerging attack techniques are enabling cybercriminals to bypass this once-reliable safeguard.

Infostealers, a type of malware that harvests authentication data and session cookies from infected devices, are a major driver of this growing threat.
Let’s examine how infostealers affect the effectiveness of MFA, and how organizations can use Twilight’s account takeover (ATO) prevention solution to mitigate this risk.

How MFA works and its limitations

MFA is a security mechanism that requires users to verify their identity using two or more independent authentication factors before granting access to an account.

[Image: The main types of authentication factors]

The most popular and secure way to implement MFA is a password combined with an authenticator app, such as Google Authenticator or Microsoft Authenticator, which generates a time-limited one-time password (OTP).
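As an added example (not code from the original post), here is what the authenticator-app factor does under the hood, in Python: the RFC 4226 HOTP and RFC 6238 TOTP algorithms, plus the server-side check that tolerates one step of clock drift and refuses to accept the same code twice. The base32 secret used at the bottom is the RFC 6238 reference test key, not a production value; the `TotpVerifier` class and its `drift_steps` parameter are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the Unix epoch."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check (assumed design): tolerates clock drift, never accepts a code twice."""

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, drift_steps: int = 1):
        # Authenticator apps exchange the shared secret as unpadded base32 (the QR-code payload);
        # restore the padding before decoding.
        padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
        self.secret = base64.b32decode(padded)
        self.step = step
        self.digits = digits
        self.drift_steps = drift_steps
        self.last_accepted_counter = -1  # highest counter already consumed by a successful login

    def verify(self, submitted: str, at_time: Optional[float] = None) -> bool:
        if at_time is None:
            at_time = time.time()
        now_counter = int(at_time) // self.step
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            counter = now_counter + delta
            if counter <= self.last_accepted_counter:
                continue  # this window's code was already used once: a replay, not a login
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 reference key "12345678901234567890" (base32 below); at t=59 the code is 287082.
    verifier = TotpVerifier("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(totp(b"12345678901234567890", at_time=59))
    print(verifier.verify("287082", at_time=59), verifier.verify("287082", at_time=60))
```

Two details matter for defenders. The comparison uses `hmac.compare_digest` so the check does not leak how many digits matched through timing, and `last_accepted_counter` means a code captured by phishing or malware is useless once the legitimate user has already logged in with it. Neither protects the session cookie that is issued after this check succeeds, which is exactly the gap the rest of this article is about.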

While MFA is still a very effective way of minimizing the risk of credential-based attacks, it is not infallible.

The main problem is that MFA only protects the login process: when someone tries to log in with a password, MFA acts as an additional verification step to confirm their identity.

But what if the attacker doesn’t need to go through the login process at all? Once MFA is successfully completed, the system generates a session token or authentication cookie to keep the user logged in. If cybercriminals can get their hands on these tokens, they won’t even need to enter a password or go through the MFA challenge.
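The session-token problem just described is usually mitigated on the server side by limiting how long, and from where, a token is honoured. The following Python sketch is an added example, not code from the original post or from Twilight Cyber; the `SessionStore` class, its lifetimes and the user-agent-plus-network fingerprint are assumptions chosen for illustration. A cookie presented from a client other than the one that completed MFA is revoked and raises an alert, and every session has both an idle and an absolute lifetime.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

ABSOLUTE_LIFETIME = 8 * 3600  # force a fresh login (password + MFA) at least every 8 hours
IDLE_TIMEOUT = 15 * 60        # drop sessions that have been idle for 15 minutes


@dataclass
class Session:
    user: str
    fingerprint: str   # derived from the client that completed MFA
    issued_at: float
    last_seen: float


class SessionStore:
    """In-memory session store (assumed; a real deployment would use a database or cache)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self.alerts: List[str] = []

    @staticmethod
    def fingerprint(user_agent: str, ip: str) -> str:
        # Bind to the user agent and the /24 of the source address, so ordinary address churn
        # inside one network does not log users out but a cookie replayed from elsewhere fails.
        network = ".".join(ip.split(".")[:3])
        return hashlib.sha256(f"{user_agent}|{network}".encode()).hexdigest()

    @staticmethod
    def _key(token: str) -> str:
        # Only a hash of the token is stored, so a leaked session table is not a set of usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, user_agent: str, ip: str, now: Optional[float] = None) -> str:
        """Called once password and MFA have both succeeded; returns the cookie value."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unguessable
        self._sessions[self._key(token)] = Session(user, self.fingerprint(user_agent, ip), now, now)
        return token

    def validate(self, token: str, user_agent: str, ip: str, now: Optional[float] = None) -> Optional[str]:
        """Returns the user for a live, correctly bound session, or None (and revokes on misuse)."""
        now = time.time() if now is None else now
        session = self._sessions.get(self._key(token))
        if session is None:
            return None
        if now - session.issued_at > ABSOLUTE_LIFETIME or now - session.last_seen > IDLE_TIMEOUT:
            self.revoke(token)
            return None
        if not hmac.compare_digest(session.fingerprint, self.fingerprint(user_agent, ip)):
            # The cookie is being presented from a client other than the one that passed MFA.
            # That is what a stolen cookie looks like: revoke it and raise an alert for the SOC.
            self.alerts.append(f"session for {session.user} presented from an unexpected client; revoked")
            self.revoke(token)
            return None
        session.last_seen = now
        return session.user

    def revoke(self, token: str) -> None:
        self._sessions.pop(self._key(token), None)

    def revoke_all_for_user(self, user: str) -> int:
        """Used when a credential or machine compromise is reported: drop every session for the user."""
        doomed = [k for k, s in self._sessions.items() if s.user == user]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)
```

Fingerprinting by user agent and network is a heuristic: browser updates and NAT changes will produce false positives, so treat a mismatch as a reason to revoke and re-authenticate rather than as proof of compromise. The lifetimes and `revoke_all_for_user` matter independently of the fingerprint, because they cap how long a stolen cookie is worth anything and give the response team a single switch to pull when a user's machine turns up in an infostealer log.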

The rise of infostealers: How they bypass MFA

One of the most common ways cybercriminals obtain session tokens and authentication cookies is through infostealers.

Infostealers are a type of malware designed to extract sensitive information (including authentication data) from infected devices. They are a very popular tool in the cybercriminal ecosystem.

Infostealer logs containing credentials, session tokens, and browser-stored authentication cookies are sold in bulk, often with automated search features that allow buyers to filter for high-value targets, such as corporate accounts and privileged access credentials.

The accessibility and affordability of these logs make infostealers a preferred choice for attackers looking to bypass MFA and carry out account takeover (ATO) attacks at scale.

Popular infostealers

There are numerous infostealer variants actively used by cybercriminals to harvest authentication data. They are usually distributed via phishing emails, malicious websites, cracked software, and underground forums.

Below are some of the most notorious infostealers operating today:

Lumma Stealer (aka LummaC2)

Lumma Stealer is a newer but rapidly growing infostealer, offering cybercriminals enhanced features for bypassing security measures. It primarily targets web browsers, extracting login data, session tokens, and cryptocurrency wallets while operating with high evasion capabilities.

Raccoon Stealer

Raccoon Stealer is a malware-as-a-service (MaaS) tool, meaning it is rented out to cybercriminals for a subscription fee. It collects stored passwords, cookies, and financial data from victims’ browsers. Despite law enforcement crackdowns, updated versions of Raccoon Stealer continue to emerge.

RedLine Stealer

One of the most widely used infostealers until recent crackdowns, RedLine targets browsers to extract login credentials, session cookies, autofill data, and even cryptocurrency wallet information. It is often distributed via malicious email attachments, fake software downloads, and compromised websites.

[Image: Capabilities of the RedLine infostealer]

Twilight Cyber maintains an up-to-the-minute infostealer database generated through advanced dark-web surveillance technology, allowing us to notify you immediately if your organization’s credentials, session tokens, or authentication data have been compromised by known infostealer malware.

Try it out with a free live demo.

Other ways attackers can bypass MFA

Infostealers are not the only threat to MFA-protected accounts. Here are some other popular ways attackers are bypassing MFA:

  • MFA fatigue attacks

For organizations that use push notifications, MFA fatigue is a serious risk. In this attack, the user gets overwhelmed with an endless stream of authentication requests. The goal is to wear down the target until they approve a request by mistake or out of frustration, granting the attacker full access to their account.

The infamous Uber breach from 2022 started with an MFA fatigue attack on a contractor (Source)

  • Adversary in the middle attacks (AiTM)

Attackers set up phishing sites that act as a proxy between the user and the legitimate service, capturing login credentials and MFA codes in real time. Once authentication is completed, they steal the session token and use it to bypass MFA entirely.

  • Social engineering

Many companies have internal processes to reset MFA for users who lose access to their authentication devices. Attackers can exploit these processes by impersonating employees or customers, convincing support teams to disable MFA or reset login credentials.
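Of the three techniques above, MFA fatigue leaves the clearest trail in authentication logs: one user receives a burst of push challenges, most of them denied or timed out, sometimes ending in an approval. The detector below is an added example (not from the original post); the log line format, the 10-minute window, the five-push threshold and the sample log lines are all constructed assumptions, and the approach generalizes to any identity provider that records one event per push.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, List, Tuple

WINDOW_SECONDS = 600   # sliding window in which pushes are counted per user
PUSH_THRESHOLD = 5     # this many pushes inside the window is abnormal for one person

# Assumed log format: one line per push challenge, key=value fields.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) result=(?P<result>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample log: alice is bombarded and finally approves; bob's two pushes are normal.
SAMPLE_LOG = """\
2025-02-12T09:58:01Z user=alice event=mfa_push result=denied ip=198.51.100.7
2025-02-12T09:58:25Z user=alice event=mfa_push result=timeout ip=198.51.100.7
2025-02-12T09:59:02Z user=alice event=mfa_push result=denied ip=198.51.100.7
2025-02-12T09:59:40Z user=alice event=mfa_push result=timeout ip=198.51.100.7
2025-02-12T10:00:15Z user=alice event=mfa_push result=denied ip=198.51.100.7
2025-02-12T10:01:40Z user=alice event=mfa_push result=approved ip=198.51.100.7
2025-02-12T10:02:00Z user=bob event=mfa_push result=approved ip=203.0.113.5
2025-02-12T13:30:00Z user=bob event=mfa_push result=approved ip=203.0.113.5
"""

Event = Tuple[float, str, str, str, str]  # (timestamp, user, event, result, ip)


def parse(log_text: str) -> List[Event]:
    """Turn log lines into sorted events; lines that do not match the format are skipped."""
    events: List[Event] = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
        events.append((ts, m["user"], m["event"], m["result"], m["ip"]))
    events.sort()
    return events


def detect_mfa_fatigue(log_text: str) -> Dict[str, dict]:
    """Flag users who received PUSH_THRESHOLD or more pushes within WINDOW_SECONDS.

    An approval inside such a burst is the high-severity case: the push was probably
    accepted out of frustration, so the resulting session should be revoked and the user called.
    """
    recent: Dict[str, Deque[float]] = defaultdict(deque)
    findings: Dict[str, dict] = {}
    for ts, user, event, result, ip in parse(log_text):
        if event != "mfa_push":
            continue
        window = recent[user]
        window.append(ts)
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()  # drop pushes older than the window
        if len(window) < PUSH_THRESHOLD:
            continue
        f = findings.setdefault(user, {"pushes": 0, "approved_during_burst": False,
                                       "source_ips": set(), "severity": "medium"})
        f["pushes"] = max(f["pushes"], len(window))
        f["source_ips"].add(ip)
        if result == "approved":
            f["approved_during_burst"] = True
            f["severity"] = "high"
    return findings


if __name__ == "__main__":
    for user, finding in detect_mfa_fatigue(SAMPLE_LOG).items():
        print(user, finding)
```

The same counter is the basis of the preventive control: an identity provider that caps pushes per user per window, or that requires number matching so a push cannot be approved without seeing the login screen, removes the attack rather than just detecting it.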

The value of real-time credential and session monitoring

Abandoning MFA because of these risks is not a viable solution, as MFA is still a crucial layer of security. However, organizations must continuously monitor their authentication data to ensure it’s not being actively sold or misused on dark web marketplaces and hacker forums.

Twilight Cyber is proud to offer a best-in-class dark web monitoring service, giving our customers full visibility into compromised credentials, session tokens, and authentication data.

Our solution continuously scans dark web marketplaces, infostealer logs, and underground forums to detect leaked credentials and compromised machines before they can be exploited by attackers.

Prevent account takeovers with Twilight Cyber

Through Account Takeover (ATO) Prevention, we go beyond detection by providing real-time protection against ATO threats.

  • Instant Credential Security Checks: Every login attempt undergoes real-time verification to detect compromised credentials. If a security risk is found, the system automatically triggers a password reset, preventing unauthorized access.
  • Real-Time Credential Updates: Unlike traditional threat intelligence platforms that update weekly or monthly, Twilight Cyber updates compromised credential data hourly.
  • Seamless Integration: Our ATO protection integrates directly into your authentication system, automatically blocking illegitimate login attempts using stolen credentials before an attacker can take over an account.
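As a generic illustration of the "instant credential security check" pattern described above, the following Python code is an added example; it is not Twilight Cyber's implementation, and the user directory, the feed format, the sample passwords and the hashed infostealer-log pairs are all constructed assumptions. It verifies the password first, then checks it against a compromised-password corpus through a k-anonymity range lookup (the first five hex characters of the SHA-1, as Have I Been Pwned's range API does) and against hashed username/password pairs taken from infostealer logs, and decides whether to allow the login or force a reset.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Set, Tuple

PBKDF2_ROUNDS = 100_000


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest().upper()


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# --- Constructed data standing in for the real systems -------------------------------
# The user directory: salted PBKDF2 hashes, as an ordinary login service keeps them.
_SALTS = {name: os.urandom(16) for name in ("alice@example.com", "bob@example.com", "carol@example.com")}
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice@example.com": (_SALTS["alice@example.com"], _pbkdf2("Winter2024!", _SALTS["alice@example.com"])),
    "bob@example.com": (_SALTS["bob@example.com"], _pbkdf2("correct-horse-battery-staple", _SALTS["bob@example.com"])),
    "carol@example.com": (_SALTS["carol@example.com"], _pbkdf2("password123", _SALTS["carol@example.com"])),
}

# A breach/infostealer password corpus indexed by the first 5 hex characters of SHA-1, so the
# login server can query it with a range lookup without ever sending the full hash of the
# password it just received.
PASSWORD_FEED: Dict[str, Set[str]] = {}
for _pw in ("Winter2024!", "password123", "Summer2023"):
    _h = _sha1_hex(_pw)
    PASSWORD_FEED.setdefault(_h[:5], set()).add(_h[5:])

# Credential pairs harvested from infostealer logs for this domain, stored hashed (constructed).
LEAKED_PAIRS: Set[Tuple[str, str]] = {("alice@example.com", _sha1_hex("Winter2024!"))}


def range_query(prefix: str) -> Set[str]:
    """Stand-in for the remote k-anonymity API: every suffix in the feed sharing the 5-char prefix."""
    return PASSWORD_FEED.get(prefix, set())


def evaluate_login(username: str, password: str) -> Dict[str, object]:
    """Decide what the login flow should do: deny, allow, or allow only after a password reset."""
    record = USERS.get(username)
    if record is None:
        return {"action": "deny", "reasons": ["unknown user"]}
    salt, stored = record
    if not hmac.compare_digest(_pbkdf2(password, salt), stored):
        # Wrong password: stop here. Running the breach check only after a successful password
        # check keeps the login endpoint from acting as an oracle for the corpus.
        return {"action": "deny", "reasons": ["bad password"]}

    reasons: List[str] = []
    digest = _sha1_hex(password)
    if (username, digest) in LEAKED_PAIRS:
        reasons.append("this exact username/password pair appears in an infostealer log")
    elif digest[5:] in range_query(digest[:5]):
        reasons.append("password appears in a breach corpus")
    if reasons:
        # The password is valid but known to attackers: let the user in only through a reset,
        # and invalidate existing sessions, since an infostealer victim's cookies are suspect too.
        return {"action": "force_password_reset", "revoke_sessions": True, "reasons": reasons}
    return {"action": "allow", "reasons": []}


if __name__ == "__main__":
    print(evaluate_login("alice@example.com", "Winter2024!"))
    print(evaluate_login("bob@example.com", "correct-horse-battery-staple"))
```

The distinction between the two reasons is deliberate: a password that merely appears in a breach corpus calls for a reset, whereas an exact username/password pair from an infostealer log means a specific machine is infected, so the response should also cover that machine's other saved credentials and its live browser sessions.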