Experts at cybersecurity company NordVPN explain how hackers can break into your accounts without stealing your passwords
Hackers can indeed unlock Internet users’ accounts without stealing their passwords, according to NordPass, the password manager created by the team behind NordVPN. Active cookie sessions, sophisticated phishing, or multi-factor authentication (MFA) prompt bombing attacks are extremely common to gain an illegitimate access to others’ digital privacy online.
“We might have a steel door with three locks, and yet someone can break into our home through the window, especially if we leave it open ourselves,” said Gerald Kasulis, VP of Business Operations at NordPass. “The same rationale is applied by hackers in the digital world, making use of human mistakes, and the lack of our cyber awareness.”
Hackers want your cookies
With ever-increasing malware attacks worldwide, threat actors have learned to steal cookies from our browsers, and use them to access various accounts. In fact, according to the latest research by NordVPN, there are more than 54 billion cookies leaked on the dark web, and 17% of them are active.
Kasulis explains that once an Internet user logs in to their account with a password and MFA, the server gives the user a cookie. When the user comes back to the same website, the server recognises a cookie, and does not ask to type in the login credentials again. However, if this cookie is stolen and is still active, a hacker can break into your account without the password or MFA confirmation.
MFA bombing plays on human inattentiveness
Another prevalent way hackers access online accounts without actually stealing passwords is MFA prompt bombing, also known as MFA fatigue. Hackers barrage their targets with hundreds of authentication requests until they approve one either out of annoyance to stop push notifications, or simply due to habit.
“Imagine a hacker is aiming to get access to your bank account,” said Kasulis. “In many cases they only need your username or email address to initiate an MFA approval. Since you probably use an authentication app to verify your identity each time you login, you will get a notification to accept, sometimes with a request for a pin, fingerprint, or a face scan. Many of these things we do automatically, so falling for this scam is easy.”
Phishing attacks are only getting more advanced
“Attackers sometimes do not even need to steal our passwords because we kindly give it out ourselves,” said Kasulis. This comes down to phishing attacks - the most prevalent cyber threat, responsible for 16% of data breaches in 2023, as revealed by IBM. Usually presented with a link to a falsified website via email or text, people are being tricked into sharing their sensitive details, including login credentials, with a hacker.
“This is a massive issue, given how sophisticated phishing attacks have become in the past years. The emergence of AI has also sped up this process because it allows crafting more personalised and convincing content. Phishing attacks have a proven record of misleading even the most advanced Internet users - we all sometimes get tired, lose focus, and hackers know they can make use of that.”
How can you secure yourself from such threats?
To access Internet users’ accounts without having a password, hackers often exploit human factors, such as confusion, tiredness, and inattentiveness. NordPass advises limiting distractions online, enabling only the most important notifications, and reducing the number of online accounts and apps on the phone.
According to Kasulis, people should create a habit of deleting their browser information, including cookies, regularly. It is also important to critically evaluate the information you present online publicly - even your email address and phone number can help hackers initiate certain attacks.
Various online cybersecurity platforms are also handy in response to hackers’ attacks. This includes threat protection tools, which block malicious sites and check downloads for malware. Platform managers, including NordPass, also have data breach monitoring features, which scan the Internet for data leaks, and allow for timely response in case of a breach.