What Is Session Token Theft

Short answer

Session token theft, also called session hijacking or a pass-the-cookie attack, is the extraction of a user's active authentication cookies from their browser, in the scenario this page covers by infostealer malware running on the user's machine. These cookies represent authenticated sessions: whoever holds the cookie can access the account without entering credentials or completing MFA. Stolen session tokens are sold on criminal marketplaces and Discord servers, often within hours of the infection.

What is a session token

A session token is a piece of data (typically a cookie) that a server issues after successful authentication. It tells the server: this user has already proven their identity. The token is a bearer credential: the server checks that the token is valid, not who is presenting it. As long as the token is valid, anyone holding it, legitimate user or attacker, can access the account without re-authenticating. In a pass-the-cookie attack, the attacker simply imports the stolen cookie into their own browser and the server treats them as the authenticated user.

Why session tokens are more valuable than passwords

Stolen passwords can be mitigated: MFA stops a login attempt that has only the password, and a password reset invalidates the stolen credential. Session tokens are different. They represent already-authenticated sessions. An attacker with a valid token skips the entire authentication flow, including MFA. The server sees a valid session and grants access.

This is why infostealers are considered more dangerous than a traditional credential breach: the stolen password is almost beside the point, because the session token already carries the result of authentication, MFA included, and session hijacking therefore bypasses most authentication controls.

How long are stolen tokens valid

It depends on the application. Some services maintain sessions for days or weeks, longer still with a "remember me" option. Others expire after hours. Until the token expires or is explicitly revoked on the server side, it remains usable. Note that changing the password does not by itself end existing sessions: unless the application revokes them on password change, a "sign out everywhere" action or an administrator-side revocation is needed. This is why speed of detection matters: the faster you know a token has been stolen, the faster you can revoke it.
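The mechanics described in the last three sections (the server issuing a bearer cookie after login, the attacker replaying a copied cookie with no password or MFA, and only expiry or server-side revocation ending that access) can be shown end to end with a small in-memory session store. The following is an added example written for this page, not Passguard code or any real service's implementation; the user table, cookie name, week-long lifetime and fixed clock are constructed for the demonstration.

```python
import hmac
import secrets
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "session"  # assumed cookie name for this example


class SessionStore:
    """Server-side session table: opaque token -> (username, expiry time)."""

    def __init__(self, users, lifetime_seconds):
        self.users = users  # constructed username -> password table (demo only)
        self.lifetime = lifetime_seconds
        self._sessions = {}

    def login(self, username, password, now=None):
        """Check credentials and issue a fresh session token (the cookie value).

        This is the only place the password is ever examined; every later
        request relies solely on possession of the token.
        """
        expected = self.users.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable; meaning lives only in this table
        self._sessions[token] = (username, now + self.lifetime)
        return token

    def user_for(self, token, now=None):
        """Resolve a token to a user, or None if unknown, expired or revoked."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        now = time.time() if now is None else now
        if now >= expires_at:
            del self._sessions[token]  # lazy expiry
            return None
        return username

    def revoke(self, token):
        """Invalidate one session, e.g. after a theft alert. True if it existed."""
        return self._sessions.pop(token, None) is not None

    def revoke_all_for(self, username):
        """Sign the user out everywhere. Returns the number of sessions dropped."""
        doomed = [t for t, (u, _) in self._sessions.items() if u == username]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


def set_cookie_header(token):
    """The Set-Cookie header the server sends once, right after login."""
    # HttpOnly keeps page scripts away from the cookie; it does nothing against
    # malware that reads the browser's cookie store from disk.
    return f"{COOKIE_NAME}={token}; HttpOnly; Secure; SameSite=Lax"


def handle_request(store, cookie_header, now=None):
    """What the server does on every later request: no password, only the cookie."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(COOKIE_NAME)
    return None if morsel is None else store.user_for(morsel.value, now=now)


def demo():
    """Issue, pass-the-cookie, password change, revocation, expiry; return outcomes."""
    store = SessionStore({"alice": "correct horse battery staple"}, 7 * 24 * 3600)
    t0 = 1_700_000_000  # fixed clock so the walk-through is deterministic

    # 1. The victim logs in normally (password, and in reality MFA) in their browser.
    token = store.login("alice", "correct horse battery staple", now=t0)
    victim_cookie = set_cookie_header(token).split(";")[0]  # "session=<token>"

    # 2. An infostealer copies that value off the victim's disk; the attacker pastes
    #    it into their own browser. Same header, different machine, no MFA prompt.
    attacker_cookie = f"{COOKIE_NAME}={token}"
    attacker_accepted = handle_request(store, attacker_cookie, now=t0 + 3600)

    # 3. A password reset alone does not touch the session table.
    store.users["alice"] = "a brand new password"
    after_password_change = handle_request(store, attacker_cookie, now=t0 + 7200)

    # 4. Explicit server-side revocation is what ends the attacker's access.
    store.revoke_all_for("alice")
    after_revoke = handle_request(store, attacker_cookie, now=t0 + 7300)

    # 5. Expiry closes the window too, but only after the configured lifetime.
    token2 = store.login("alice", "a brand new password", now=t0)
    before_expiry = handle_request(store, f"{COOKIE_NAME}={token2}", now=t0 + 6 * 24 * 3600)
    after_expiry = handle_request(store, f"{COOKIE_NAME}={token2}", now=t0 + 8 * 24 * 3600)

    return {
        "cookie_copied_verbatim": victim_cookie == attacker_cookie,
        "attacker_accepted": attacker_accepted,
        "after_password_change": after_password_change,
        "after_revoke": after_revoke,
        "before_expiry": before_expiry,
        "after_expiry": after_expiry,
    }


if __name__ == "__main__":
    for outcome, value in demo().items():
        print(f"{outcome}: {value}")
```

Step 3 is the one worth dwelling on: well-built applications do revoke sessions when the password changes, but nothing in the cookie mechanism forces them to, so a password reset on its own is not a safe response to a token-theft alert. The response that always works is the one in step 4, dropping the session on the server so the copied cookie stops resolving to a user.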

How Passguard helps

Passguard monitors the criminal marketplaces (dark web forums, Telegram, and Discord) where stolen session tokens are traded. When tokens linked to your organization's systems are detected, Passguard alerts your security team with the details needed to revoke the affected sessions before attackers can exploit them. Early detection is the key: the faster you revoke a stolen session, the smaller the window for exploitation. Want to see if your organization already has active sessions in circulation? Run a free scan at passguard.com.

Detect infostealers before they strike

Trusted by security experts • See results in 1 minute
