UK consumers leaked 14 million internet cookies onto dark web, survey reveals


14 million internet browser cookies linked to UK consumers have been leaked on the dark web, a new study conducted from cybersecurity company NordVPN reveals.

More than 54 billion cookies worldwide were found to have been leaked on the dark web according to the latest research which found cookies belonging to people in 244 countries.

While cookies are mostly known as an essential tool for browsing, many consumers are unaware that they have become one of the key tools for hackers to steal data and gain access to sensitive systems.

How do cookies work and what risks do stolen cookies pose?

Internet cookies are tiny pieces of data that your computer or web browser stores when you visit a website. They track your engagement and behaviour within a website and help web pages remember your preferences.

Once the user logs in with a password and multi-factor authentication (MFA), the server gives the user a cookie. When the same user comes back with this cookie, the server recognises the cookie and knows that this user has already logged in — so there’s no need to ask for the same information again.

Even when you’re not logging in, once you click ‘accept all’ to cookies you are giving the site permission to store cookies and allow third-party cookies. Third parties can then track you across all of the sites they partner with, allowing them to see you moving from site to site.

If this information lands in the hands of a cybercriminal, they could know what your favourite websites are and what time you typically visit, allowing them to create sophisticated scams tailored to your own tastes.

What kind of cookies were found and where do they come from?

Out of the 54 billion cookies taken from people around the world, 17% – or nine billion – were found to be active. In the UK, that percentage was much higher – with 56% of all cookies leaked being considered active – the second highest in the world after North Korea. Active cookies are persistent and can track user behaviour long after someone has left a website.

While active cookies pose a greater danger, inactive ones still present a threat to user privacy, as well as the potential for hackers to use stored information for further abuse or manipulation.

More than 2.5 billion of the cookies in the dataset were from Google, with another 692 million from YouTube and over 500 million from Microsoft and Bing.

The most cookies came from Brazil, India, Indonesia, the US, and Vietnam. The most common country in Europe was Spain, with 554 million cookies in the dataset. Overall, there were 244 countries and territories represented in NordVPN’s dark web analysis, showing the breadth of coverage of these huge malware systems.

The largest keyword category (10.5 billion) was “assigned ID”, followed by “session ID” (739 million). These cookies are assigned or connected to specific users to keep sessions active or identify them on the website to provide services. These were followed by 154 million authentication and 37 million login cookies.

Name, email, city, password, and address were the most common details in the personal information category.

Up to 12 different types of malware were used to steal these cookies. Nearly 57% were collected by Redline, a popular infostealer and keylogger.

Says Adrianus Warmenhoven, a cybersecurity advisor at NordVPN:

“Millions of websites can convince browsers that accepting all cookies is essential to getting the most out of your experience and that it’s much less hassle to simply click ‘accept’. However, you might not know what you’re agreeing to.

“There is a real danger that many don’t realise that if a hacker gets hold of your active cookies, they might not need to know any logins, passwords, and even MFA to overtake your accounts.

“It’s important to understand that the cookie setup is necessary. There is no other way for a device to know which user operates it. Without cookies, the server cannot verify the user.

“However, if this cookie is stolen and is still active, an attacker can potentially login into your account without having your password or needing MFA. In addition, cookies can also hold other sensitive information, such as people’s names, location, sexual orientation and even your appearance.

“Cookies can gather all manner of details to give a very intimate picture of the user, which ultimately leads to scammers being able to create well-targeted attacks.

Chris Price
For latest tech stories go to