
Warning: Hackers could take over your email account by stealing cookies, even if you have multi-factor authentication (MFA)

The Federal Bureau of Investigation (FBI) has issued a warning that cybercriminals are taking over email accounts via stolen session cookies, allowing them to bypass the multi-factor authentication (MFA) a user has set up.

Here’s how it works.

Most of us don’t think twice about checking the “Remember me” box when we log in. Once the server has verified your authentication (straight away, or after an MFA step), it creates a session and generates a unique session ID. This session ID is stored in a session cookie (or a “Remember-Me cookie,” as the FBI calls it) in your browser, which is typically valid for 30 days.

Every time you return to that website within the time frame, you don’t need to log in. That’s really convenient… unless someone manages to steal that cookie from your system.

If someone steals the session cookie, they can log in as you—even if you have MFA enabled.

This is particularly relevant for email providers with an online (webmail) component. That includes major players like Gmail, Outlook, Yahoo, and AOL.

With access to your email account, a cybercriminal can find a lot of useful information about you, such as where you bank, your account numbers, your favorite shops, and more. This information could then be used for targeted cyberattacks that only mention information relevant to you, leaving you more likely to fall for them.

Cybercriminals could use your account to spread spam and phishing emails to your contacts. And perhaps most worrying of all, once an attacker is in your email account they can reset the passwords of your other accounts and log in as you there too.

How do these criminals get their hands on your session cookies? There are several ways.

On very rare occasions, session cookies are stolen when you visit a malicious website, or via a Machine-in-the-Middle (MitM) attack, where a cybercriminal on an unsecured network intercepts your traffic and reads any cookies that are not protected by HTTPS.

However, session cookies are usually stolen by malware on your device. Modern information-stealing malware is capable of, and even focuses on, stealing session cookies as part of its activity.

How to keep your email account safe

There are a few things you can do to stay safe from the cookie thieves:

  • Use security software on every device you use.
  • Keep your devices and the software on them up to date, so there aren’t any known vulnerabilities on them.
  • Decide whether you think it’s worth using the Remember me option. Is convenience worth the risk in this situation?
  • Delete cookies, or—even better—log out when you are done. That should also remove or invalidate the session ID from the server, so nobody can use it to log in, even if they have the session cookie.
  • Only visit sites with a secure connection (HTTPS) to protect your data from being intercepted during transmission.
  • For important accounts, regularly check the login history, where you can see which devices logged in, when, and from where. You should be able to find this option in your account settings.
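To make the mechanism concrete, here is a small server-side session store, added as an illustration and not code from the FBI or from this blog. It issues a random session ID, accepts it from a cookie, and shows the two things the advice above relies on: a copied cookie value is accepted as the user without any MFA step, and logging out (or the 30-day expiry) makes the server reject that same value afterwards. It also builds the Set-Cookie header with the Secure and HttpOnly attributes, which is how the HTTPS-only point translates into server configuration. The SessionStore class, the user names, and the cookie name "session" are constructed for this example.

```python
import secrets
import time

# 30 days, the typical "Remember me" lifetime mentioned in the article (constructed constant).
REMEMBER_ME_LIFETIME = 30 * 24 * 60 * 60


class SessionStore:
    """Minimal server-side session store (hypothetical, for illustration).

    The session ID is a bearer credential: whoever presents it is treated as
    the user who logged in, so it must be unguessable and revocable.
    """

    def __init__(self, lifetime=REMEMBER_ME_LIFETIME, now=time.time):
        self._sessions = {}      # session_id -> {"user": ..., "expires": ...}
        self._lifetime = lifetime
        self._now = now          # injectable clock so expiry can be demonstrated

    def create(self, user):
        # 256 bits of CSPRNG output; guessing an ID is not a realistic path in.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {"user": user, "expires": self._now() + self._lifetime}
        return session_id

    def user_for(self, session_id):
        """Return the user for a valid session ID, or None if unknown, expired or revoked."""
        record = self._sessions.get(session_id)
        if record is None:
            return None
        if self._now() >= record["expires"]:
            del self._sessions[session_id]   # lazy cleanup of an expired session
            return None
        return record["user"]

    def logout(self, session_id):
        """Server-side revocation: afterwards the same cookie value is rejected."""
        return self._sessions.pop(session_id, None) is not None


def set_cookie_header(session_id):
    """Set-Cookie value for the session cookie.

    Secure keeps it off plain HTTP, HttpOnly keeps page scripts from reading it,
    SameSite=Lax limits cross-site sending. Note that none of these stop malware
    that reads the browser's cookie store on the device itself.
    """
    return (f"session={session_id}; Max-Age={REMEMBER_ME_LIFETIME}; "
            "Path=/; Secure; HttpOnly; SameSite=Lax")


def cookie_value(cookie_header):
    """Extract the session value from a Cookie request header (simplified parser)."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value
    return None


def demo():
    """Walk through theft, logout and expiry; returns the outcomes for checking."""
    clock = [1_000_000.0]                      # constructed fake clock, in seconds
    store = SessionStore(now=lambda: clock[0])

    sid = store.create("alice")                # alice logs in (password + MFA already verified)
    header = set_cookie_header(sid)

    # A copy of the cookie value is accepted as alice: no password, no MFA prompt.
    copied = cookie_value(f"session={sid}")
    results = {"copied_before_logout": store.user_for(copied)}

    # alice logs out; the server drops the session, so the copied value is now useless.
    store.logout(sid)
    results["copied_after_logout"] = store.user_for(copied)

    # A session left alone past the 30-day lifetime is rejected as well.
    sid2 = store.create("bob")
    clock[0] += REMEMBER_ME_LIFETIME + 1
    results["expired"] = store.user_for(sid2)

    results["cookie_header"] = header
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The "delete cookies, or better, log out" advice maps directly onto `logout()`: merely deleting the cookie on your own machine leaves the record in `_sessions`, so a copy taken earlier still validates until it expires; only the server-side removal makes the stolen copy worthless.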
