Skip to main content

Warning: Hackers could take over your email account by stealing cookies, even if you have multi-factor authentication (MFA)

 



Posted: November 5, 2024 by Pieter Arntz

The Federal Bureau of Investigation (FBI) has issued a warning that cybercriminals are taking over email accounts via stolen session cookies, allowing them to bypass the multi-factor authentication (MFA) a user has set up.

Here’s how it works.

Most of us don’t think twice about checking the “Remember me” box when we log in. When you log in and the server has verified your authentication—straight away or after using MFA–the server creates a session and generates a unique session ID. This session ID is stored in a session cookie (or a “Remember-Me cookie” as the FBI calls it) on your browser, which is typically valid for 30 days.

Every time you return to that website within the time frame, you don’t need to log in. That’s really convenient… unless someone manages to steal that cookie from your system.

If someone steals the session cookie, they can log in as you—even if you have MFA enabled.

This is particularly relevant for email handlers that have an online—webmail—component. This includes major players like Gmail, Outlook, Yahoo, and AOL.

With access to your email account, a cybercriminal can find a lot of useful information about you, such as where you bank, your account numbers, your favorite shops, and more. This information could then be used for targeted cyberattacks that only mention information relevant to you, leaving you more likely to fall for them.

Cybercriminals could use your account to spread spam and phishing emails to your contacts. And perhaps most worrying of all, once an attacker is in your email account they can reset your passwords to your other accounts and login as you there too.

How do these criminals get their hands on your session cookies? There are several ways.

On very rare occasions, session cookies can be stolen by you visiting a malicious website, or via a Machine-in-the-Middle (MitM) attack where a cybercriminal can intercept traffic and steal cookies if they’re not protected by HTTPS on an unsecured network.

However, session cookies are usually stolen by malware on the your device. Modern information-stealing malware is capable of, and even focuses on, stealing session cookies as part of its activity.  

How to keep your email account safe

There are a few things you can do to stay safe from the cookie thieves:

  • Use security software on every device you use.
  • Keep your devices and the software on them up to date, so there aren’t any known vulnerabilities on them.
  • Decide whether you think it’s worth using the Remember me option. Is convenience worth the risk in this situation?
  • Delete cookies, or—even better—log out when you are done. That should also remove or invalidate the session ID from the server, so nobody can use it to log in, even if they have the session cookie.
  • Only visit sites with a secure connection (HTTPS) to protect your data from being intercepted during transmission.
  • For important accounts regularly check the log in history where you can see which devices logged in when and from where. You should be able to find this option in your account settings.

Comments

Post a Comment

Please no profanity or political comments.

Popular posts from this blog

Birth of the Weekend

  Birth of the Weekend   Today marks 100 years since Ford Motor Company became one of the first American companies to officially adopt the five-day, 40-hour workweek for factory workers, a decision that reshaped work-life balance. Henry Ford’s idea to eliminate Saturday from the workweek initially met hesitation from some hourly workers worried about reduced pay. However, his daily wages of $5 to $6—roughly double the industry average—helped to ease concerns ( read 1920s reactions ). Ford reportedly redirected Saturday wages to hire thousands more people for Monday through Friday shifts, reducing unemployment. The move also boosted productivity, reduced turnover, strengthened morale, and gave workers more leisure time, some of which they spent buying and traveling in Ford cars.  The US formally codified the 40-hour workweek in 1940, mandating overtime pay for hourly employees. More recently, momentum has grown aro...
Post a Comment
Read Complete Article HERE>»

How did the Supreme Court become so powerful?

  A court designed to be the least powerful branch became one of the most influential institutions in history. 1440 Explores host Sony Kassam dives inside the Supreme Court of the United States, with help from Yale Law professor Akhil Reed Amar, to uncover how it gained extraordinary authority, what really happens behind closed doors, and why its power has become one of the most fiercely contested questions in modern democracy. ================================================= Remember, you're not alone with  NCOFCU.org Join/Upgrade Check out some of NCOFCU's additional features: Annual Conference First Responder Credit Union Academy Financial Literacy Podcasts YouTube Mini's Advocacy  
Post a Comment
Read Complete Article HERE>»

Fed Keeps Interest Rates on Hold in Split Decision at Final Meeting of Powell Era

  By  Keith Griffith April 29, 2026 In an unexpectedly close split decision,  Federal Reserve policymakers  have decided to keep interest rates on pause in what is likely to be the final meeting under the supervision of Fed Chair  Jerome Powell . Powell joined the 8-4 majority on the  Federal Open Market Committee  to vote in favor of leaving the  federal funds rate unchanged  at Wednesday's meeting in Washington, DC, judging inflation as running too hot to justify a rate cut. At a press conference after the vote, Powell revealed that he will remain on the board of governors as a regular member after his term as chairman ends, saying: "After my term as chair ends on May 15, I will continue to serve as a governor for a period of time to be determined. I plan to keep a low profile as a governor. There is only ever one chair of the Federal Reserve Board." Read the complete story here.
Post a Comment
Read Complete Article HERE>»

Syracuse Fire Department Credit Union.

  ================================================= Remember, you're not alone with  NCOFCU.org Join/Upgrade Check out some of NCOFCU's additional features: Annual Conference First Responder Credit Union Academy Financial Literacy Podcasts YouTube Mini's Advocacy  
Post a Comment
Read Complete Article HERE>»

How's Your Posture?

      April Blog   How's Your Posture?   Scenario Planning Is Dead! Long Live Strategic Posture. by That One Consultant You Hired and Then Ignored   Somewhere in your credi...
Post a Comment
Read Complete Article HERE>»

Boston Firefighters Credit Union Taps Tech Leader Elizabeth Adcock to Drive Digital Future

  Boston Firefighters Credit Union is bringing in some serious digital firepower. The organization just named Elizabeth Adcock as its new Chief Digital & Information Officer—a role that’s all about steering the credit union into a more tech-savvy, member-focused future. If you’re wondering why this matters, consider the timing. BFCU is in the middle of a major digital evolution, expanding its reach across Massachusetts while staying true to its core mission: serving first responders and their families. Enter Adcock, a technology executive with a track record of turning complex tech challenges into real-world wins. “I’m thrilled to welcome Elizabeth as our Chief Digital & Information Officer,” said Danielle Milner, President & CEO of Boston Firefighters Credit Union. “She is the rare combination of strategic vision, digital expertise, and human-centered leadership. Paired with her deep commitment to bring greater innovation to first responders and their families, her ser...
Post a Comment
Read Complete Article HERE>»

Fed still holds off on rate increase | 2015-07-30 | CUNA News

  WASHINGTON (7/30/15)--Citing “moderate” economic expansion, the Federal Open Market Committee continues to do “a balancing act,” said CUNA Senior Economist Perc Pineda. The Federal Reserve’s monetary policy-making body completed its meeting Wednesday without edging up the federal funds interest rate. Fed Chair Janet Yellen has said the committee will opt for an interest-rate increase sometime this fall. The July meeting, however, was not the time. “The Federal Reserve continues to do a balancing act: the U.S. economy is not in a recession and definitely not overheating,” Pineda told News Now . “Changes in monetary policy after all are meant to influence an underperforming or an overheating economy.” Household spending growth has been moderate, and housing has shown additional improvement, the committee said. Labor conditions continue to improve with declining unemployment and solid job gains. Inflation is anticipated to remain near its recent low level in the near term,...
Post a Comment
Read Complete Article HERE>»

IRS Reporting Proposal Scaled Back, but Still 'Flawed'

On Tuesday, Senate Democrats distributed an update to the controversial IRS reporting requirements that the credit union industry has been very vocally opposed to since it was unveiled in late June. According to the updated proposal rolled out Tuesday, it would require financial institutions to report inflows and outflows of personal and business accounts, as well as transfers between accounts of the same owner, if it is more than $10,000 per year. The proposal floating around for the past four months had the threshold at $600 per year. The requirements do not apply to payroll deposits for wages or to those receiving Social Security benefits. In response to the updated IRS reporting proposal, NAFCU President/CEO Dan Berger said, “It has become abundantly clear that Americans oppose the IRS obtaining additional information on their financial accounts. The updated plan is nothing more than window dressing in an attempt to shore up support for a flawed proposal. Instead of creating financ...
Post a Comment
Read Complete Article HERE>»

What Trump’s ‘one big beautiful’ tax-and-spending package means for your money!

  Trump’s megabill will bring sweeping changes for household finances. President  Donald Trump  signed his “one big beautiful” tax-and-spending package on July 4 — legislation that will bring sweeping changes to Americans’ finances.  After the  Senate passed its version  on July 1, the House Republicans on July 3  voted to approve  the multi-trillion-dollar domestic policy legislation and send it to Trump’s desk for signature. The final bill makes permanent Trump’s  2017 tax cuts  while adding new relief, including a senior “bonus” to  offset Social Security taxes  and a  bigger state and local tax deduction . The plan also has tax breaks for  tip income , overtime pay and  auto loans , among other provisions.  The GOP’s marquee legislation will also enact deep spending cuts to social safety net programs such as  Medicaid  and food stamp benefits,  end tax credits tied to clean energy  an...
Post a Comment
Read Complete Article HERE>»

2 Historical Moments: CUNA Mutual Officially Changes Name Today, As Union Also Calls Strike

MADISON, Wis.–One of the most iconic names in credit unions and credit union history in the U.S. will officially change today when CUNA Mutual Group begins operating under the TruStage brand across the enterprise. All enterprise, business-to-business and consumer brands are now unified under the single brand name of TruStage, which the company has been using for some of its products for a number of years. The new brand is being introduced at the same time approximately 450 employees represented by Office & Professional Employees Local 39 have gone on strike. It is the first strike in the company and the union's history. As CUToday.info has been reporting, the company and the union have been at an impasse since February of 2022, when t...
Post a Comment
Read Complete Article HERE>»