South Africa has landed a troubling spot on the global leaderboard for leaked cookies, ranking 35th out of 253 countries.
According to NordVPN, 546-million cookies linked to South African users have been found on the dark web.
Although cookies are commonly seen as helpful for improving online experiences, many people don’t realize that hackers can exploit them to steal personal data and access secure systems.
“Cookies may seem harmless, but in the wrong hands, they’re digital keys to our most private information,” says Adrianus Warmenhoven, cybersecurity expert at NordVPN. “What was designed to enhance convenience is now a growing vulnerability exploited by cybercriminals worldwide.”
Cookies are small text files that websites store on a user’s browser to remember preferences, login details, and browsing behavior. They play a vital role in making online experiences smoother, helping websites load faster, keeping shopping carts full, and allowing users to stay logged in across sessions. Without cookies, the convenience and personalisation of the modern web would be severely limited.
However, as the digital landscape evolves, so does the misuse of these tools. Cybercriminals have learned to harvest cookies to hijack sessions, steal identities, and bypass security measures.
“Most people don’t realize that a stolen cookie can be just as dangerous as a password,” says Warmenhoven. “Once intercepted, a cookie can give hackers direct access to accounts and sensitive data, no login required.”
NordVPN’s research reveals a massive malware operation that stole almost 94-billion cookies — a dramatic jump from 54-billion just a year ago, marking a 74% increase.
Even more concerning, 20,55% of these cookies are still active, posing an ongoing risk to users’ online privacy. Most stolen cookies came from major platforms, including Google (4,5-billion), YouTube (1,33-billion), and over 1-billion each from Microsoft and Bing.
The growth is just as alarming when personal data exposure is compared over the past few years. In 2024, NordVPN identified 10,5-billion assigned IDs, 739-million session IDs, 154-million authentication tokens, and 37-million login credentials.
In 2025, those numbers rose sharply, with 18-billion assigned IDs and 1,2-billion session IDs now exposed.
These data types are critical for identifying users and securing their online accounts, making them highly valuable to cybercriminals.
The stolen information often included full names, email addresses, cities, passwords, and physical addresses – key personal data that can be used for identity theft, fraud and unauthorised account access.
The data was harvested using 38 different types of malware, more than triple the 12 types identified last year. The most active strains were Redline (41,6-billion cookies), Vidar (10-billion), and LummaC2 (9-billion). These malware families are known for stealing login details, passwords, and other sensitive data.
Redline is a powerful infostealer that extracts saved passwords, cookies, and autofill data from browsers, giving hackers direct access to personal accounts.
Vidar works similarly but also downloads additional malware, making it a gateway to more complex attacks.
LummaC2 is particularly evasive, frequently updating its tactics to slip past antivirus tools and spread across systems undetected.
In addition to these known threats, researchers discovered 26 new types of malware not seen in 2024 – a sign of how quickly the cybercrime landscape is evolving. New entries like RisePro, Stealc, Nexus, and Rhadamanthys are especially dangerous. RisePro and Stealc are built to rapidly steal browser credentials and session data, while Nexus targets banking information using mobile emulation techniques. Rhadamanthys stands out with its stealthy design and ability to deploy follow-up malware, making it a multipurpose threat capable of causing extensive damage.
The stolen cookies came from users in 253 countries. South Africa ranked 35th in total volume, with 9,35% of the cookies still active. Even so, that represents over 51-million cookies tied to real user activity – a massive potential exposure.
“Even a small percentage of a huge dataset is massive,” says Warmenhoven. “That’s millions of people potentially exposed to cybercrime.”
NordVPN recommends that users stay vigilant online to protect themselves from the risks posed by data breaches and malware. They should start by using strong, unique passwords for every account and enabling multifactor authentication (MFA) whenever possible. Additionally, users are urged to be cautious about sharing personal information and avoid clicking on suspicious links or downloading unknown files.
Another crucial step is keeping devices up to date, which can help block harmful malware before it can compromise a system. Regularly clearing site data is also essential. Many users don’t realize that active sessions may persist even after they close their browser. Clearing this data helps reduce the window of opportunity for unauthorized access.
Lastly, users should always check the privacy settings on their online accounts to ensure they only share information with trusted services.
“Usually, people close the browser, but the session is still valid, and the cookie is still there. If you never clean that site data, that session will be valid for as long as the site owner deems it secure,” says Warmenhoven. “Taking basic precautions like using strong passwords, enabling MFA, and staying alert online can significantly reduce the risk of falling victim to cyberattacks. It’s a small investment of time that can protect you from big threats.”