94 Billion Stolen Cookies: Is Your Business Prepared for the Next Silent Breach?

Posted on June 18, 2025

Spanish telecommunications giant Telefonica recently fell victim to a significant cybersecurity breach, showing that even large organizations can be vulnerable. The event highlights how important it is to maintain strong defenses, especially against infostealers, which are designed specifically to steal information.

The Breach: What Happened?

This month (January 2025), Telefonica confirmed unauthorized access to its internal Jira ticketing system. The breach, orchestrated by a group of attackers allegedly linked to the Hellcat ransomware group, resulted in the theft of approximately 2.3 GB of sensitive data. The stolen information included:

  • 24,000 employee emails and names
  • 500,000 Jira issues and summaries
  • 5,000 internal documents
  • 236,493 lines of customer data

The Attack Vector: Infostealer Malware

The breach was facilitated by infostealer malware, a type of malicious software designed to harvest sensitive information such as login credentials from infected devices. Numerous employees were reported to be compromised, providing attackers with critical credentials for initial access:

  • 469 employee credentials on Telefonica’s domain were compromised.


Cybercriminals have amassed a trove of 94 billion stolen browser cookies, turning these tiny files into keys for unauthorized access. Over 20% of the stolen cookies are still active, leaving millions of accounts vulnerable to hijacking.

A Record-Breaking Leak of Browser Cookies

In May 2025, researchers uncovered an unprecedented leak of nearly 94 billion web browser cookies circulating on the dark web. The discovery highlights a massive malware-driven operation fueling a bustling underground market for stolen session data. 

The dataset of cookies was harvested by at least 38 different infostealing malware strains and peddled across hacker forums and Telegram channels. To put the scale in perspective, this represents a 74% surge in cookie theft from the prior year, signalling an alarming growth in this criminal economy.

[Figure: the cookie supply chain]

What exactly leaked? 

These stolen cookies include the session tokens, login credentials, and tracking IDs that websites use to remember users. According to the analysis, session ID cookies and assigned user IDs (core data that websites rely on to keep you logged in) were among the most commonly stolen.

In many cases, personal details were exposed alongside (names, emails, even passwords), compounding the risk. The sheer volume and variety of stolen cookies make it clear this wasn’t a single breach, but rather the aggregate output of widespread malware infections siphoning data from millions of devices.

Who uncovered it and how? 

The investigation was led by researchers, who monitor dark web marketplaces and Telegram leak channels for infostealer data dumps. 

They traced the trove back to well-known malware families: the infamously prolific RedLine Stealer alone accounted for ~41.6 billion cookies stolen, with others like Vidar (10B) and LummaC2 (9B) following suit. 

Dozens of newer stealer strains (e.g. RisePro, Stealc, Nexus, Rhadamanthys) also contributed to the haul. 

These malware strains infect victim machines (often via phishing or cracked software), then extract browser data, such as passwords, cookies, and autofill information, and funnel it to cybercriminals. The result is a thriving market for stolen session cookies, available to hackers for a price.

Scale and significance

Having 94 billion pieces of session data floating around the dark web is a security nightmare. 

A significant percentage of the stolen cookies are still “active,” tied to ongoing browser sessions, which means hundreds of millions of potential account hijacks waiting to happen.

The leak spans 253 countries, with the highest concentrations of stolen cookies from users in Brazil, India, Indonesia, Vietnam, and the United States (3.6 billion belonging to US accounts). 

[Figure: stolen cookies heatmap]

Top Platforms Affected              Estimated Stolen Cookies
Google Services (incl. Gmail)       ~4.5 billion
YouTube                             ~1.3 billion
Microsoft (Outlook, Teams, etc.)    ~1.1 billion

How Stolen Cookies Enable Session Hijacking & Account Takeovers

Stolen browser cookies may sound benign; after all, they’re just small text files that help websites remember you. But in the wrong hands, a session cookie can be even more dangerous than a stolen password. 

These cookies often contain authentication tokens or session IDs that tell a website you’ve already logged in. If a hacker obtains that token, they can masquerade as you, accessing your accounts without ever needing your username, password or 2FA. This is the essence of session hijacking: the attacker rides on your existing login session.

One particularly concerning aspect is the ability to bypass multi-factor authentication (MFA). Many services skip MFA checks for returning users with a valid session cookie (especially those “Remember Me” tokens that keep you logged in). 

The FBI warned in late 2024 that cybercriminals were actively stealing these “Remember Me” cookies to sidestep MFA and take over email accounts. Once in possession of a valid session cookie, an attacker can often log in as you with no MFA challenge or credentials needed. 

The endgame of cookie theft is usually account takeover, whether that’s your email, bank account, cloud admin console, or social media. Stolen cookies have been used in some high-profile breaches. 

For example, in the 2023 Okta support breach, hackers leveraged stolen browser session cookies to access internal customer support systems. Armed with valid sessions, they could roam freely inside Okta’s support tools, impersonating staff. 

Why Businesses Should Be Concerned

It’s easy to view cookie theft as an “individual user” problem until you realize how often it directly leads to enterprise breaches. 

Modern businesses heavily rely on web apps and cloud services, which means employees carry around browser cookies granting access to corporate data. If an employee’s device gets hit with an infostealer, those seemingly innocuous cookies can become backdoors for hackers into company systems.

Many cloud admin portals, SaaS dashboards, and enterprise apps use long-lived sessions for user convenience. An active AWS console session cookie or Azure AD token on an engineer’s laptop, if stolen, is basically an all-access pass for an intruder. 

Actionable Steps for Security Teams

For CISOs and security teams, the explosion in stolen cookies and credentials calls for a proactive strategy. Here are some steps to consider:

Implement continuous dark web monitoring for your organization’s emails, domains, and critical user accounts. Early exposure alerts are crucial: if you know an employee’s credentials or session token are compromised, you can respond before attackers leverage them. Services like Twilight Cyber’s Identity Guardian or similar credential exposure tools can provide this visibility.

Invalidate suspect sessions immediately. Develop the capability (via IAM solutions or CASBs) to centrally revoke web session tokens. If an employee reports a lost device or you receive an infostealer alert, kill all active sessions for their accounts. This forces fresh authentication and can thwart silent cookie-based hijacks.

Integrate a compromised credential check at login for both customer-facing and internal logins. If you know a password is exposed in a breach, don’t allow it to be used; prompt a reset instead. Similarly, treat logins from a new device that present an existing session cookie as suspicious; require re-authentication if possible, especially for privileged accounts.

Twilight Cyber makes this easy with real-time account takeover prevention (ATOP).

Reduce cookie persistence and “remember me” usage on sensitive apps. While user convenience is important, balancing session lifetime is key. For admin portals or financial systems, consider shorter session durations and avoid long-lived cookies. Educate users about the risks of the “Remember Me” checkbox, especially for corporate accounts on shared or high-risk devices.
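As an added illustration of the session controls in the steps above (it is not code from the original post or from Twilight Cyber’s product), the following Python sketch of a server-side session store assumes the application supplies a device fingerprint string and a constructed set of breached password hashes: it refuses exposed passwords at login, binds each cookie to the device it was issued to so a replayed cookie forces re-authentication, enforces idle and absolute lifetimes in place of a long-lived “Remember Me” cookie, and revokes every session for an account when an infostealer alert arrives.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60       # assumed policy: 15-minute idle limit for sensitive apps
ABSOLUTE_TIMEOUT = 8 * 3600  # assumed policy: 8-hour hard cap, no "Remember Me" cookie

@dataclass
class Session:
    user: str
    device_hash: str   # hash of the device fingerprint the cookie was issued to
    issued: float
    last_seen: float
    mfa_verified: bool

class SessionStore:
    # Server-side session table: the cookie is an opaque random ID, all state lives here.
    def __init__(self, breached_hashes):
        self.sessions = {}
        self.breached = breached_hashes  # SHA-256 hashes from a compromised-credential feed
    @staticmethod
    def _h(value):
        return hashlib.sha256(value.encode()).hexdigest()
    def password_allowed(self, password):
        # Refuse a password known to be exposed; the caller prompts a reset instead.
        return self._h(password) not in self.breached
    def issue(self, user, device, mfa_verified, now):
        # Create a session after a full login and return the cookie value.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, self._h(device), now, now, mfa_verified)
        return sid
    def validate(self, sid, device, now):
        # 'ok', 'expired', 'reauth' (other device or no MFA) or 'invalid'; only 'ok' keeps it alive.
        s = self.sessions.get(sid)
        if s is None:
            return "invalid"
        if now - s.issued > ABSOLUTE_TIMEOUT or now - s.last_seen > IDLE_TIMEOUT:
            del self.sessions[sid]
            return "expired"
        if not hmac.compare_digest(s.device_hash, self._h(device)) or not s.mfa_verified:
            del self.sessions[sid]  # a replayed cookie buys at most one rejected request
            return "reauth"
        s.last_seen = now
        return "ok"
    def revoke_user(self, user):
        # On an infostealer alert or lost-device report, kill every session for the account.
        doomed = [sid for sid, s in self.sessions.items() if s.user == user]
        for sid in doomed:
            del self.sessions[sid]
        return len(doomed)
```

Device fingerprints can be imitated, so the binding raises the cost of replaying a dumped cookie rather than eliminating it; the short lifetimes and central revocation are what bound the exposure window.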

Fighting Back with Real-Time Detection, Powered by Twilight Cyber

Twilight Cyber has deployed thousands of sensors across deep and dark web sources to detect any stolen data circulating across TOR marketplaces, private Telegram channels, and credential dump sites.

Our technology allows us to remain present in closed criminal communities “where others cannot,” gathering critical information in near real-time.

How the platform works

The moment Twilight’s system detects a credential or cookie tied to your organization, it automatically generates an alert within hours, long before that data is public on forums or markets.

This speed is key. Compare that to traditional breach notifications, which might come months after an incident; the average is ~194 days.

Each alert includes actionable context: the compromised account, device fingerprint, malware name, and file path. That means your team can quickly isolate the infected machine, revoke active sessions, and block further access.


Twilight also integrates into your authentication flows and SIEM/EDR tools. If someone tries to log in using stolen credentials, the system flags the attempt instantly and can force a password reset or re-authentication, neutralizing the threat on the spot.

Traditional Threat Detection vs. Twilight’s Real-Time Monitoring

Feature                          Traditional Threat Intel    Twilight Cyber
Detection Speed                  Days to months              Minutes–hours
Dark Web Coverage                Limited / passive           50K+ sources
Session Cookie Detection         Rare                        Yes
Alert Context (device, malware)  Minimal                     Detailed
Integrated Response              Manual                      Automated

Want to see Twilight in action? Use your FREE demo now. 


