NordVPN adds hijacked session alerts to warn users of stolen cookies on dark web

NordVPN has introduced a hijacked session alert, a new feature designed to protect users from stolen authentication cookies being sold on the dark web.

The new feature forms part of the company’s Threat Protection Pro service and sends immediate notifications when active session data is compromised, giving users the chance to act before criminals are able to exploit their accounts.

SEE ALSO: Organizations face growing email security crisis

The tool monitors data breach repositories and detects when authentication cookies from browsing sessions appear online. Stolen session cookies let cybercriminals bypass two-factor authentication, making them especially dangerous. By using info stealers or SQL injection attacks, criminals extract cookies and trade them on darknet markets.

NordVPN vs. hackers

"Session hijacking is one of the most dangerous threats that internet users face today because it bypasses two-factor authentication protection," says Domininkas Virbickas, NordVPN product director. "For example, users can log into a well-secured website like a social media platform, pass 2FA verification, but have their session cookie stolen. These cookies often remain valid for 30 days, giving hackers more than enough time to use accounts and cause significant damage.”

The feature works by scanning authentication cookies from popular sites without exposing sensitive details. Instead of transmitting the cookie itself, NordVPN hashes it and checks part of the hash against known threats stored in its database. If a possible leak is detected, the system verifies it on the user’s device. Alerts appear directly in the affected browser tab, alongside advice to log out of all platforms and change passwords.

NordStellar, the company’s cyber threat intelligence platform, supports the alert with continuous dark web monitoring. The system tracks a database of around 130 billion cookies for cross-referencing, allowing it to identify leaks without using personal identifiers such as emails or passwords.

Stolen sessions pose serious risks because criminals can make purchases, transfer money, or steal personal data undetected.

For businesses, breaches can also mean regulatory fines and reputational damage.

Virbickas stresses that swift response is crucial: "Threat Protection Pro helps users identify when their session is compromised, but users need to act fast and immediately change passwords on the affected website and log out from all devices when they receive an alert. Speed remains essential because malicious actors work quickly to exploit stolen credentials before victims can respond.”

What do you think about NordVPN’s hijacked session alert? Let us know in the comments.

Image Credit: NordVPN