More than 54-billion cookies have been leaked on the dark web, according to the latest research conducted by independent researchers and released by NordVPN.

While cookies are mostly known as an essential tool for browsing, many are unaware that cookies have become one of the key tools for hackers to steal data and gain access to sensitive systems.

“Thanks to the cookie consent popups, we view cookies as a necessary, albeit annoying part of being online. However, many don’t realize that if a hacker gets hold of your active cookies, they might not need to know any logins, passwords, and even MFA to overtake your accounts,” says Adrianus Warmenhoven, a cybersecurity advisor at NordVPN.

He explains how cookies work: “Firstly, it’s important to understand that the cookie setup is necessary. There is literally no other way for a device to know which user operates it. Without cookies, the server cannot verify the user. To put it simply, once the user logs in with a password and MFA, the server gives the user a cookie.

“And the next time the same user comes back with this cookie, the server recognizes the cookie and knows that this user has already logged in — so there’s no need to ask for the same information again.”

However, if this cookie is stolen and is still active, an attacker can potentially log in to your account without having your password or needing MFA.
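A minimal sketch of the server side of the flow described above, added here as an illustration and not taken from the NordVPN research; `SessionStore`, its method names and the 30-minute lifetime are assumptions. It shows why a still-valid ("active") cookie is accepted without a password or MFA, and how expiry or revocation on the server turns a leaked cookie inactive.

```python
import hashlib
import secrets
import time

SESSION_TTL = 30 * 60  # assumed session lifetime in seconds


class SessionStore:
    """Toy server-side session table (hypothetical, for illustration only)."""

    def __init__(self, users):
        # username -> (password, mfa_code); constructed plaintext data to keep the toy short
        self._users = users
        self._sessions = {}  # sha256(cookie) -> (username, expires_at)

    @staticmethod
    def _key(cookie):
        # Store only a hash so a leaked session table does not leak usable cookies.
        return hashlib.sha256(cookie.encode()).hexdigest()

    def login(self, username, password, mfa_code, now=None):
        """Password and MFA are checked here, and only here."""
        now = time.time() if now is None else now
        if self._users.get(username) != (password, mfa_code):
            return None
        cookie = secrets.token_urlsafe(32)  # unguessable random session value
        self._sessions[self._key(cookie)] = (username, now + SESSION_TTL)
        return cookie

    def authenticate(self, cookie, now=None):
        """Later requests present only the cookie; whoever holds it is the user."""
        now = time.time() if now is None else now
        entry = self._sessions.get(self._key(cookie))
        if entry is None:
            return None  # unknown or revoked cookie
        username, expires_at = entry
        if now >= expires_at:
            del self._sessions[self._key(cookie)]  # expired: the cookie is now inactive
            return None
        return username

    def logout_everywhere(self, username):
        """Revoke all of a user's sessions, e.g. after a suspected infostealer infection."""
        stale = [k for k, (u, _) in self._sessions.items() if u == username]
        for k in stale:
            del self._sessions[k]
        return len(stale)
```
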

In addition to the session data, cookies can also hold other sensitive information, such as people’s names, location, orientation, size and so on.

Out of 54-billion cookies that were analysed, 17% were active.

“It may seem that 17% is not that much, but it’s important to understand that it’s a huge amount of personal data — over 9-billion cookies,” says Warmenhoven. “And although active cookies present a greater risk, inactive ones still present a threat to user privacy, as well as the potential for hackers to use stored information for further abuse or manipulation.”

More than 2,5-billion of all the cookies in the dataset were from Google, with another 692-million from YouTube. More than 500-million were from Microsoft and Bing.

“Cookies from such core accounts are particularly dangerous because they may be used to access further login details through, for example, password recovery, corporate systems, or SSO,” notes Warmenhoven.

South Africa places at the 32nd spot globally in terms of cookie count, with 176-million cookies in the dataset – and 30% of them still active.

The most cookies came from Brazil, India, Indonesia, the US, and Vietnam. Spain emerged as the most common European country with 554-million cookies. The UK, despite ranking 121st in terms of the number of cookies, demonstrated a high activity rate with over half of its cookies still active.

Overall, there were 244 countries and territories represented in the cookie dataset, showing the breadth of coverage of these huge malware systems.

The largest keyword category (10,5-billion) was “assigned ID,” followed by “session ID” (739-million). These are the cookies assigned or connected to specific users in order to keep sessions active or to identify them on the website to provide services. They were followed by 154-million authentication and 37-million login cookies.

Name, email, city, password, and address were most common in the personal information category.

“If you combine all of these details with age, size, gender, or orientation, you will get a very intimate picture of the user, which can allow for well-targeted scams or attacks,” notes Warmenhoven.

Up to 12 different types of malware were used to steal these cookies. Nearly 56% were collected by Redline, a popular infostealer and keylogger.