Token Theft
The theft of authentication or session tokens to gain unauthorised access to accounts without needing the victim's password or MFA code.
Also known as: session token theft, cookie theft, access token hijacking
Last reviewed: 1 June 2026
Authentication tokens — including session cookies, OAuth access tokens, and JSON Web Tokens (JWTs) — are issued by services after a successful login to maintain an authenticated session. Token theft occurs when an attacker obtains one of these tokens and replays it to impersonate the victim, bypassing the need for credentials or multi-factor authentication entirely.
Tokens can be stolen through a variety of means: infostealer malware that reads browser cookie stores, adversary-in-the-middle (AiTM) proxies that relay the login and capture the token as it is issued, cross-site scripting (XSS) vulnerabilities that let injected script read or exfiltrate tokens, or malicious browser extensions. The stolen token carries the same access rights as the legitimate session until it expires or is revoked. Stateless bearer tokens such as JWTs are usually validated by signature alone, so unless the issuer keeps a revocation list they remain usable for their full lifetime.
Token theft is increasingly attractive to attackers because it sidesteps MFA: once a token is issued post-authentication, re-authentication is not triggered for normal use, so the replayed token is accepted as an already-verified session. Defences include sender-constrained tokens (DPoP or mTLS-bound tokens that require proof of possession of a client-held key, so a copied token is useless on its own), HttpOnly and Secure cookie flags that keep session cookies out of reach of page script (these do not help against AiTM proxies or endpoint malware, which see the cookie outside the browser sandbox), short token lifetimes with refresh-token rotation, re-evaluation of session risk after issuance (continuous access evaluation), and monitoring for impossible-travel, concurrent-session or client-fingerprint anomalies. Tying a token to a client IP address is a weaker heuristic, since mobile and corporate NAT addresses change legitimately.
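A worked detection example, added here and not part of the original entry, showing the last of those defences: it replays constructed sign-in events (not real logs) through a check that groups events by session-token identifier and flags a token that appears to move faster than an airliner or changes client fingerprint mid-session. The log format, the 900 km/h threshold, the `token_id` field (assumed to be a hash of the cookie rather than the raw value) and all function names are assumptions for the illustration.

```python
"""Flag likely session-token replay from sign-in / activity events.

Two signals: impossible travel (same token used from two places faster than a
plane could fly) and a client-fingerprint change (same token, new User-Agent).
Log format and thresholds are assumptions for this example, not a real product's.
"""
import json
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner speed; tune per environment
MIN_DISTANCE_KM = 50.0      # ignore geo-IP jitter inside one metro area


@dataclass
class Event:
    ts: datetime
    token_id: str       # hash of the session cookie; never log the raw token
    ip: str
    country: str
    lat: float
    lon: float
    user_agent: str


def parse_events(lines):
    """Parse JSON-lines sign-in events into Event objects."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        d = json.loads(line)
        # fromisoformat does not accept a trailing 'Z' on older Pythons
        ts = datetime.fromisoformat(d["ts"].replace("Z", "+00:00"))
        events.append(Event(ts, d["token_id"], d["ip"], d["country"],
                            float(d["lat"]), float(d["lon"]), d["user_agent"]))
    return events


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_replay(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return a list of findings, one per suspicious consecutive event pair."""
    findings = []
    by_token = {}
    for e in events:
        by_token.setdefault(e.token_id, []).append(e)
    for token_id, evs in by_token.items():
        evs.sort(key=lambda e: e.ts)
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = max((cur.ts - prev.ts).total_seconds() / 3600.0, 1 / 3600.0)
            if km >= MIN_DISTANCE_KM and km / hours > max_kmh:
                findings.append({"token_id": token_id, "kind": "impossible_travel",
                                 "from": f"{prev.country}/{prev.ip}",
                                 "to": f"{cur.country}/{cur.ip}",
                                 "required_kmh": round(km / hours)})
            if prev.user_agent != cur.user_agent:
                findings.append({"token_id": token_id, "kind": "client_fingerprint_change",
                                 "from": prev.user_agent, "to": cur.user_agent})
    return findings


# Constructed sample events (not real logs). sess_a1 models the AiTM scenario:
# the cookie is issued to the victim in London, then replayed 20 minutes later
# from a different country by a scripted client. sess_c3 is a legitimate
# London-to-Manchester commute on the same device.
SAMPLE_LOG = """
{"ts":"2026-05-12T09:00:00Z","token_id":"sess_a1","ip":"203.0.113.10","country":"GB","lat":51.5074,"lon":-0.1278,"user_agent":"Mozilla/5.0 (Windows NT 10.0) Chrome/124"}
{"ts":"2026-05-12T09:20:00Z","token_id":"sess_a1","ip":"198.51.100.7","country":"US","lat":40.7128,"lon":-74.0060,"user_agent":"python-requests/2.31"}
{"ts":"2026-05-12T09:00:00Z","token_id":"sess_c3","ip":"203.0.113.22","country":"GB","lat":51.5074,"lon":-0.1278,"user_agent":"Mozilla/5.0 (iPhone) Safari/605"}
{"ts":"2026-05-12T12:00:00Z","token_id":"sess_c3","ip":"192.0.2.45","country":"GB","lat":53.4808,"lon":-2.2426,"user_agent":"Mozilla/5.0 (iPhone) Safari/605"}
"""


def sample_findings():
    return detect_replay(parse_events(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for f in sample_findings():
        print(f)
```

The check keys on the token identifier rather than the user, because the page's point is that the same issued token is being replayed; a user legitimately holding two sessions on two devices produces two token identifiers and is not flagged. Pairing a confirmed finding with an automatic revoke of that token (where the issuer supports it) turns the signal into a response.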
Examples
- An attacker uses an AiTM phishing proxy to capture the session cookie issued after the victim completes MFA, then replays that cookie to access the victim's cloud email account from a different country.