New Google Account Takeover via Session Cookie Theft
Scammers use malware or malicious browser extensions to steal Google session cookies, bypassing two-factor authentication entirely and giving attackers persistent access to Gmail, Drive, and YouTube accounts.
Part of: New Account Takeover
Last reviewed: 8 June 2026
Google's two-factor authentication has significantly raised the difficulty of password-only account attacks. Criminals have responded by targeting the session cookies that keep you logged in to your Google account after a successful authentication, rather than the credentials themselves.
A session cookie is a token that tells Google 'this browser has already authenticated'. It is a bearer token: whoever presents it is treated as the user. When an attacker imports a stolen copy into their own browser, Google sees a session that has already passed the password and two-factor checks and grants the same access, with no password or second factor requested.
Session cookies are stolen through infostealers distributed via fake software downloads, malicious browser extensions, or compromised websites. The attack is particularly dangerous for Google accounts because they often provide single sign-on access to a vast range of other services.
How this scam works on the Google brand
Google account sessions are the target, not the password. Infostealer malware installed on a victim's device reads the browser's cookie database directly from disk. Browsers encrypt cookie values at rest, but with a key the operating system releases to any process running as the logged-in user, so malware running under the victim's account can decrypt them. Because Google's cookies sit in the browser profile alongside everything else, any malware with access to the user's files can harvest them.
The victim might have encountered the infostealer as a fake software crack, a pirated game, a fake browser extension promoted via an ad, or a malicious macro in a document. The infostealer harvests not just Google cookies but all browser-stored credentials and sends the entire package to the attacker's command-and-control server.
Attackers then import the Google cookie into their own browser using a cookie-editor tool. Google treats it as the victim's existing authenticated session until that session is revoked, for example by a sign-out from all devices or a password change. Attackers prioritise Gmail for intercepting password resets for other services, Google Drive for sensitive documents, and YouTube channels for their commercial value.
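The mechanics above, as an added Python model that is not Google's code: a bearer session cookie replayed from a second browser is accepted with no password or second factor, signing out everywhere invalidates the stolen copy, and, as a contrast, a generic device-bound session design in which the cookie file alone is useless. The `BoundSessionStore` binding scheme, the account name and the HMAC proof are assumptions for illustration, not a description of how Google's sessions work.

```python
"""Toy model of a stolen Google-style session cookie (added example, not Google's code).

Shows why a bearer cookie replayed from the attacker's browser is accepted,
why signing out everywhere (or changing the password) invalidates it, and a
generic device-bound design where the cookie alone is not enough.  The
binding scheme is an assumption for illustration only.
"""
import hashlib
import hmac
import secrets


class BearerSessionStore:
    """Sessions are bearer tokens: whoever presents the cookie is the user."""

    def __init__(self):
        self.sessions = {}  # cookie value -> account

    def login(self, account, password_ok, otp_ok):
        # Password and 2FA are verified here, and only here.
        if not (password_ok and otp_ok):
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = account
        return cookie

    def access(self, cookie):
        # Nothing ties the cookie to the browser that completed 2FA,
        # so a copy lifted from disk works from any machine.
        return self.sessions.get(cookie)

    def sign_out_everywhere(self, account):
        # Equivalent of "sign out of all devices" or a password change:
        # every session for the account is dropped, stolen copies included.
        for cookie in [c for c, a in self.sessions.items() if a == account]:
            del self.sessions[cookie]


class BoundSessionStore(BearerSessionStore):
    """Cookie bound to a secret that never leaves the legitimate device
    (in practice a key held in a TPM or OS keychain).  Illustrative only."""

    def __init__(self):
        super().__init__()
        self.device_keys = {}  # cookie value -> device secret

    def login(self, account, password_ok, otp_ok, device_secret):
        cookie = super().login(account, password_ok, otp_ok)
        if cookie is not None:
            self.device_keys[cookie] = device_secret
        return cookie

    def access(self, cookie, nonce, proof):
        # Each request must prove possession of the device secret over a
        # server-chosen nonce; the cookie database alone cannot produce it.
        account = self.sessions.get(cookie)
        if account is None:
            return None
        expected = hmac.new(self.device_keys[cookie], nonce, hashlib.sha256).digest()
        return account if hmac.compare_digest(expected, proof) else None


def run_scenario(account="victim@example.com"):
    """Replay a stolen cookie against both designs; returns the outcomes."""
    results = {}

    store = BearerSessionStore()
    cookie = store.login(account, password_ok=True, otp_ok=True)
    # Infostealer copies the cookie database; attacker imports the value.
    results["bearer_replay_accepted"] = store.access(cookie) == account
    store.sign_out_everywhere(account)
    results["bearer_rejected_after_revocation"] = store.access(cookie) is None

    bound = BoundSessionStore()
    device_secret = secrets.token_bytes(32)  # stays on the victim's device
    cookie = bound.login(account, True, True, device_secret)
    nonce = secrets.token_bytes(16)
    legit_proof = hmac.new(device_secret, nonce, hashlib.sha256).digest()
    results["bound_legit_accepted"] = bound.access(cookie, nonce, legit_proof) == account
    # Attacker holds the cookie but not the device secret, so any proof fails.
    forged_proof = hmac.new(b"attacker-guess", nonce, hashlib.sha256).digest()
    results["bound_replay_accepted"] = bound.access(cookie, nonce, forged_proof) == account
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The bearer store is the situation the page describes: the 2FA check is a one-time gate, and the cookie that results is all an attacker needs. Revocation is the only lever the victim has against a cookie that is already stolen, which is why the session-review and password-change advice below matters more than the strength of the login step itself.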
Common red flags
- You find yourself unexpectedly signed out of Google across all devices simultaneously.
- Google's security alert emails notify you of new devices or unusual activity you did not initiate.
- Your Gmail shows password reset emails for other services that you did not request.
- YouTube channels or Google Drive files show activity you did not perform.
- A recently installed browser extension or software is flagged by your antivirus.
- Your Google account's recent security activity at myaccount.google.com shows unfamiliar device sign-ins.
How to protect yourself
- Regularly review active Google sessions at myaccount.google.com/device-activity and sign out of any you do not recognise.
- Enrol a hardware security key or passkey on your Google account. It makes the login itself phishing-resistant, but it does not protect a cookie stolen after the login completed, so pair it with the session review and malware precautions in this list.
- Be highly selective about browser extensions — install only from reputable developers and review permissions carefully.
- Avoid downloading software from unofficial sources; use official websites or verified software repositories.
- Run a reputable antivirus with real-time protection enabled. Infostealers typically exfiltrate within seconds of execution, so a periodic scan usually arrives after the cookies are already gone; blocking the download or the first execution is what counts.
- Enable Google's Enhanced Safe Browsing at myaccount.google.com/security to get stronger protection against malicious downloads.
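Reviewing extension permissions by hand is tedious, so here is an added Python audit script (not a Google tool, and not part of the original page) that walks Chrome's per-profile extension directory and flags manifests whose permissions or host patterns would let an extension read Google session cookies or tamper with signed-in Google pages. The risky-permission list, the profile paths and the two sample manifests are the editor's assumptions and constructed data; run it against a real profile by pointing it at the `Extensions` directory.

```python
"""Audit Chrome extension manifests for cookie-stealing-grade permissions.

Added example, not a Google tool.  The risk list and profile paths are
assumptions for illustration; the sample manifests below are constructed.
"""
import json
import os
import sys

# Chrome permission names that deserve a second look on any extension.
RISKY_PERMISSIONS = {
    "cookies": "can read cookies, including Google session cookies",
    "webRequest": "can observe every request the browser makes",
    "webRequestBlocking": "can modify or block requests, including logins",
    "debugger": "can attach to tabs and read anything the page can",
    "nativeMessaging": "can talk to a program outside the browser sandbox",
    "management": "can disable other extensions, such as security tools",
    "tabs": "can see the URL of every open tab",
    "scripting": "can inject code into pages it has host access to",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _host_patterns(manifest):
    """Hosts from MV3 host_permissions, MV2 permissions and content_scripts."""
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    return hosts


def audit_manifest(manifest):
    """Return human-readable findings for one parsed manifest.json."""
    findings = []
    perms = set(manifest.get("permissions", []))
    for p in sorted(perms & set(RISKY_PERMISSIONS)):
        findings.append(f"permission '{p}': {RISKY_PERMISSIONS[p]}")
    for h in sorted(_host_patterns(manifest)):
        if h in BROAD_HOSTS:
            findings.append(f"host '{h}': runs on every site")
        elif "google.com" in h or "youtube.com" in h:
            findings.append(f"host '{h}': targets Google or YouTube pages")
    return findings


def default_extension_dirs():
    """Chrome's Default-profile extension directory per platform (assumed paths)."""
    home = os.path.expanduser("~")
    if sys.platform.startswith("win"):
        base = os.path.join(os.environ.get("LOCALAPPDATA", ""), "Google", "Chrome", "User Data")
    elif sys.platform == "darwin":
        base = os.path.join(home, "Library", "Application Support", "Google", "Chrome")
    else:
        base = os.path.join(home, ".config", "google-chrome")
    return [os.path.join(base, "Default", "Extensions")]


def audit_extension_tree(root):
    """Walk <root>/<extension id>/<version>/manifest.json and audit each one."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if "manifest.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip rather than crash the audit
        findings = audit_manifest(manifest)
        if findings:
            report[f"{manifest.get('name', '?')} ({dirpath})"] = findings
    return report


# Constructed manifests so the script runs stand-alone (not real extensions).
SUSPICIOUS_MANIFEST = {
    "manifest_version": 3,
    "name": "Free Video Downloader",
    "permissions": ["cookies", "storage", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://mail.google.com/*"], "js": ["inject.js"]}],
}
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Dark Mode Toggle",
    "permissions": ["storage"],
    "host_permissions": [],
}

if __name__ == "__main__":
    for root in sys.argv[1:] or default_extension_dirs():
        for name, findings in audit_extension_tree(root).items():
            print(name)
            for finding in findings:
                print("  -", finding)
```

A hit is not proof of malice: a legitimate ad blocker needs `webRequest` and broad hosts. The point is that an extension named for a narrow task (a video downloader, a theme) has no business holding `cookies` plus `<all_urls>`, and that combination is exactly what a session-stealing extension needs.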
How to report it
- Secure a compromised account through Google's 'Review your devices' and 'Review recent security activity' tools at myaccount.google.com/security; if you are locked out, start with account recovery at accounts.google.com.
- Report malicious browser extensions to the Chrome Web Store at chrome.google.com/webstore by clicking 'Flag as inappropriate'.
- Submit the malware sample to VirusTotal at virustotal.com.
- Report to the FTC at ReportFraud.ftc.gov (US) or Action Fraud at actionfraud.police.uk (UK).
Frequently asked questions
Does enabling two-factor authentication on Google protect against session cookie theft?
No. Standard 2FA is checked only at login, and a stolen cookie represents a session that has already passed that check. Hardware security keys using FIDO2 bind the login to the genuine domain, which defeats phishing of the password and code, but they do not stop replay of a cookie taken after the login completed. Against a cookie that is already stolen, the effective responses are signing out of all sessions or changing the password, then removing the malware so the next session is not stolen too.
How do I revoke all active Google sessions at once?
Go to myaccount.google.com/security and scroll to 'Your devices'. Click on each device and select 'Sign out'. Alternatively, change your Google account password, which automatically signs out all devices except the one you are currently using.
My YouTube channel was hijacked via cookie theft. Can I recover it?
Yes. Regain access to your Google account first at accounts.google.com. Then go to support.google.com/youtube and report the channel compromise. YouTube has a dedicated process for channel recovery after account takeover.