Your Employees Logged In Without Issue; Attackers Logged In Too.

Five Chrome extensions targeting Workday, NetSuite, and SAP SuccessFactors were caught stealing session cookies every 60 seconds and shipping them to attacker servers. No passwords needed. No MFA challenged. This is what credential monitoring misses, and what cookie monitoring catches.

In January 2026, cybersecurity firm Socket disclosed the discovery of five malicious Chrome extensions on the Chrome Web Store, each masquerading as productivity or security tools for enterprise HR and ERP platforms. The targets were specific: Workday, NetSuite, and SAP SuccessFactors, three of the most widely deployed enterprise platforms in the world.

The technique was precise. The extensions extracted authentication session cookies named ‘__session’ for each targeted domain on a 60-second loop, exfiltrating them continuously to command-and-control servers. Two of the extensions went further, blocking access to the security administration pages inside Workday that administrators would use to detect and respond to exactly this kind of incident, targeting session controls, authentication policies, and security proxy configuration pages specifically.

The result: attackers with a valid session cookie can import it into any browser and inherit a fully authenticated session. No login event fires. No MFA prompt appears. The application sees a legitimate user on a recognized session. The attacker has access to every system that session covers, immediately, silently, and without leaving the trace that a credential-based attack would.

This is not an edge case. It is the direction the entire threat landscape has been moving for two years.

Why Session Cookies Are the New Master Key

When a user authenticates to any web application, the application issues a session token, typically stored as a cookie, that represents the completed login. On every subsequent request, the application validates that token, not the credentials. This is how persistent login works over stateless HTTP: the token is the key card, not the password.

The attack implication is precise: if an attacker obtains the session token, they do not need the password or the MFA code. Authentication has already occurred. The session is valid. The attacker replays the token from their own browser and the application cannot distinguish them from the legitimate user.

This is why 90 billion browser cookies are currently circulating in cybercriminal marketplaces according to Constella’s data. Passwords have always been the primary target of the underground credential economy. Session cookies have now joined them, and in many ways they are more operationally dangerous. A stolen password requires the attacker to log in, triggering an MFA challenge, creating an authentication event, potentially triggering anomaly detection. A stolen session cookie requires none of that. The attacker is already past the gate.

Verizon’s 2025 DBIR found that credential abuse remains the most common initial access vector, involved in more than 20% of all breaches analyzed. What that figure does not fully capture is how frequently the credential in question was not a password, but a session token.

The Infostealer Pipeline Is How Most Cookies Get Stolen

The Chrome extension campaign represents one delivery mechanism. The more common one is infostealer malware.

Infostealers execute on a compromised device, silently harvest the entire browser cookie store alongside saved passwords, browser history, and system information, and exfiltrate the package to a threat actor’s collection infrastructure within minutes. The package is compressed, uploaded to a Telegram channel or dark web marketplace, and listed for sale. Constella processed 51.7 million such packages in 2025, a 72% year-over-year increase.

The key operational fact for security teams is this: an infostealer infection does not have to happen on a corporate device to expose corporate systems. Employees who use personal laptops to access Salesforce, Microsoft 365, Google Workspace, or any other corporate SaaS platform have browser cookies for those services sitting in their browser profile. An infostealer infection on that personal device harvests those cookies alongside everything else. The corporate IT team has no visibility into the infection, no EDR alert, no endpoint log. The first indication that anything is wrong may be an attacker using the harvested cookie to access the corporate CRM days or weeks later.

This is why traditional credential monitoring is insufficient. Credential monitoring scans for exposed passwords and email-password combinations. It cannot detect a session cookie that was stolen and is currently valid, because the cookie is not a credential in the traditional sense. It does not appear in breach dumps or password lists. It appears in infostealer packages, and it has a shelf life measured in hours or days before it expires or the user logs out.

The Four Controls That Were Supposed to Stop This

  1. MFA. Multi-factor authentication protects the login event. It validates the identity of the person attempting to authenticate before issuing a session. It has no effect on what happens after the session is issued. An attacker who replays a stolen session cookie never triggers a login event and is therefore never challenged for a second factor. MFA does exactly what it was designed to do. It simply does not cover this attack vector.
  2. Credential monitoring. Credential monitoring detects when employee passwords appear in breach dumps or infostealer packages. Session cookies are not passwords. They do not appear in the same locations, are not flagged by the same detection logic, and expire before credential monitoring tools would surface them in many cases. A program that monitors for exposed credentials without monitoring for exposed session tokens is not covering the attack surface.
  3. Access controls and zero trust. Zero trust architectures verify identity before granting access. A valid session cookie passes that verification because it represents an already-verified identity: the session was issued after a successful authentication event. Unless the session is bound to the device or client that completed that authentication, every access control system between the attacker and the corporate resource sees a legitimate request.
  4. Endpoint detection and response. EDR protects managed corporate endpoints. Infostealer infections that harvest session cookies from personal devices, contractor laptops, and non-managed endpoints occur entirely outside EDR coverage. The stolen cookie is used to access corporate systems from a device that has no corporate agent installed. No alert fires.

The structural problem is that every one of these controls is designed to protect the authentication event. Session cookie theft occurs after that event and exploits the trust that authentication established.

What Cookie Monitoring Actually Does

Cookie monitoring is the continuous detection of active, authenticated session tokens belonging to an organization’s domains that have appeared in infostealer packages and underground channels.

The operational value is the detection window. Between when a session cookie is harvested and when it is used by an attacker, there is a period, measured in hours in most cases, where the session is still valid and the organization has the opportunity to invalidate it before it is abused. Cookie monitoring closes that window by surfacing the exposure while the session is still active and the attacker has not yet acted on it.

Constella’s cookie monitoring works in three stages:

  1. Monitor. Constella continuously ingests infostealer packages from Telegram channels, dark web marketplaces, and underground forums across its data lake of more than 54.6 billion curated records. As packages are processed, session cookies associated with customer-provided domains are identified and flagged. New domains are enrolled via API, enabling rapid onboarding of the monitored domain surface.
  2. Detect. When an active session cookie matching a monitored domain is identified, a daily notification surfaces the exposure with full context: which domain is affected, the specific cookie artifact, the source of the exposure, and the timeline. The detection is targeted to active cookies, not expired sessions, prioritizing the exposures that represent an immediate risk.
  3. Respond. Security teams use the detection to trigger immediate session invalidation, force re-authentication for the affected accounts, and investigate the infostealer infection that produced the package. The pivot capability enables teams to retrieve the full infostealer package associated with a cookie exposure, surfacing the complete context of the compromise: which other accounts and credentials were harvested alongside the session token.
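The Monitor and Detect stages above, and the infostealer pipeline section before them, come down to two mechanical checks: does a cookie in a harvested package belong to a monitored domain, and is it still live. The following is an added example of that triage logic, not Constella's code or pipeline. It assumes the dump is in the Netscape cookies.txt layout that infostealer logs and browser exporters commonly use (domain, include-subdomains flag, path, secure flag, expiry epoch, name, value, with an optional "#HttpOnly_" prefix on the domain), and every domain, cookie name and value in it is a constructed placeholder. The "now" timestamp is fixed so the run is reproducible.

```python
# Triage a cookies.txt-style dump against monitored corporate domains and
# report which session cookies are still live. Added example; constructed data.
from __future__ import annotations

from dataclasses import dataclass

# Fixed "now" (2026-01-01T00:00:00Z) so the example is deterministic.
NOW_EPOCH = 1_767_225_600
DAY = 86_400

# Constructed sample dump. The second line carries the "#HttpOnly_" prefix some
# exporters add; the last two lines are a lookalike domain and a malformed row.
SAMPLE_DUMP = "\n".join([
    "# Netscape HTTP Cookie File",
    f"#HttpOnly_.example-corp.workday.com\tTRUE\t/\tTRUE\t{NOW_EPOCH + 3 * DAY}\t__session\tREDACTED1",
    f"app.example-corp.com\tFALSE\t/\tTRUE\t{NOW_EPOCH - DAY}\tsid\tREDACTED2",
    f"www.unrelated-site.net\tFALSE\t/\tFALSE\t{NOW_EPOCH + DAY}\tauth\tREDACTED3",
    "login.example-corp.com\tFALSE\t/\tTRUE\t0\tJSESSIONID\tREDACTED4",
    "example-corp.com.evil.net\tFALSE\t/\tTRUE\t0\t__session\tREDACTED5",
    "malformed line without tabs",
])

# Domains the organisation has enrolled for monitoring (assumed names).
MONITORED_DOMAINS = {"example-corp.com", "example-corp.workday.com"}
# Cookie names that usually carry the authenticated session; extend per platform.
SESSION_COOKIE_NAMES = {"__session", "sid", "jsessionid", "sessionid", "session", "auth"}


@dataclass(frozen=True)
class Cookie:
    domain: str            # normalised: lower-case, leading dot removed
    include_subdomains: bool
    path: str
    secure: bool
    expiry: int            # unix epoch; 0 = browser-session cookie, no client-side expiry
    name: str
    http_only: bool


def parse_netscape_cookies(text: str) -> list[Cookie]:
    """Parse a cookies.txt dump. The cookie value is deliberately dropped so the
    triage step never logs or stores a replayable secret."""
    cookies: list[Cookie] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        http_only = line.startswith("#HttpOnly_")
        if http_only:
            line = line[len("#HttpOnly_"):]
        elif line.startswith("#"):
            continue                      # comment line
        parts = line.split("\t")
        if len(parts) != 7:
            continue                      # malformed row
        domain, flag, path, secure, expiry, name, _value = parts
        try:
            expiry_epoch = int(expiry)
        except ValueError:
            continue
        cookies.append(Cookie(domain.lstrip(".").lower(), flag.upper() == "TRUE",
                              path, secure.upper() == "TRUE", expiry_epoch, name, http_only))
    return cookies


def matched_domain(cookie_domain: str, monitored: set[str]) -> str | None:
    """Return the monitored domain this cookie belongs to. Matches the exact host
    or a proper subdomain, so lookalikes such as example-corp.com.evil.net do not match."""
    for m in sorted(monitored, key=len, reverse=True):   # most specific first
        if cookie_domain == m or cookie_domain.endswith("." + m):
            return m
    return None


@dataclass(frozen=True)
class Finding:
    monitored_domain: str
    cookie_domain: str
    name: str
    status: str          # "active", "session-scoped" or "expired"
    likely_session: bool


def triage(dump: str, monitored: set[str], now: int = NOW_EPOCH) -> list[Finding]:
    findings = []
    for c in parse_netscape_cookies(dump):
        m = matched_domain(c.domain, monitored)
        if m is None:
            continue
        if c.expiry == 0:
            status = "session-scoped"   # may still be valid server-side; treat as live
        elif c.expiry > now:
            status = "active"
        else:
            status = "expired"
        findings.append(Finding(m, c.domain, c.name, status, c.name.lower() in SESSION_COOKIE_NAMES))
    return findings


def actionable(findings: list[Finding]) -> list[Finding]:
    """Exposures that warrant immediate session invalidation: a likely session
    cookie that has not expired client-side."""
    return [f for f in findings if f.likely_session and f.status != "expired"]


if __name__ == "__main__":
    for f in actionable(triage(SAMPLE_DUMP, MONITORED_DOMAINS)):
        print(f"revoke sessions: {f.monitored_domain} cookie={f.name} host={f.cookie_domain} ({f.status})")
```

Two design points matter in practice. Client-side expiry is only a lower bound on risk: a cookie with expiry 0 (a browser-session cookie) is routinely still valid server-side, so it is treated as live rather than ignored. And the domain match must be a suffix match on a dot boundary, not a substring match, or a lookalike registered by the attacker will pollute the findings.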

The Ticketmaster, Santander, and AT&T Pattern

The 2024 Snowflake campaign remains the most documented large-scale example of what session-based compromise looks like at enterprise scale. Infostealer-harvested credentials gave attackers access to Snowflake cloud environments across more than 160 organizations, including Ticketmaster, Santander, and AT&T. The attackers did not exploit a vulnerability in Snowflake’s infrastructure. They logged in using valid credentials and session tokens harvested from infostealer infections on employee devices.

The pattern is consistent: the initial exposure is not the breach. The initial exposure is the infostealer infection that produces the package, the package that contains the session token, and the session token that produces authenticated access. The breach is the consequence. The session token was the mechanism.

Organizations that had cookie monitoring in place could have detected the exposed session tokens before they were used. Most did not have it.

What Security Teams Should Do Now

  • Add session cookie exposure to your credential monitoring scope. The two are not the same problem and cannot be solved by the same tool. A credential monitoring program that does not include session token monitoring is covering half the attack surface.
  • Account for personal and contractor devices. Infostealer infections predominantly occur on devices outside corporate management, where no agent can be deployed. The monitoring program therefore needs to reach the adversary ecosystem where the harvested cookies surface, not just corporate endpoints.
  • Establish session invalidation as a response protocol. When a cookie exposure is detected, the response is not a password reset. It is immediate invalidation of every active session for the affected account, followed by forced re-authentication. A password reset does not revoke a session that is already authenticated; in most identity providers and SaaS platforms, changing the password and revoking sessions (along with any refresh or OAuth tokens issued alongside them) are separate operations, and the response runbook should name both.
  • Prioritize SaaS platforms with long session lifetimes. Not all sessions carry equal risk. Platforms that issue long-lived session tokens, particularly those with access to sensitive data or administrative functions, should be prioritized in both monitoring scope and response SLA. Corporate email, CRM, cloud infrastructure, and HR platforms are the highest-value targets.
  • Audit browser extensions across your managed fleet. The Socket disclosure is a reminder that browser extensions are a persistent, under-monitored attack surface. Extensions that combine the cookies permission with broad host permissions, or with host permissions covering enterprise HR and ERP platforms, should be reviewed and validated regularly, and browser policy should restrict installation to an allowlist where the organization can support one.
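The extension audit in the last bullet can be done from the manifests alone, because the capabilities the disclosed extensions needed (reading cookies for HR/ERP hosts on a timer, blocking requests to specific pages) all have to be declared there. The following added example is not Socket's or Constella's code; it flags manifests that declare the cookies API together with broad host access or host access to the platforms the page names. The host-name hints, the sample manifests, and the on-disk layout used by scan_profile (Extensions/<id>/<version dir>/manifest.json under a Chrome or Chromium profile) are assumptions stated in the comments, and the sample manifests are constructed.

```python
# Flag browser extensions whose declared permissions would let them read
# cookies for HR/ERP hosts and block requests. Added example; constructed data.
from __future__ import annotations

import json
from pathlib import Path

# Match patterns that grant access to every site.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# APIs that read cookies, rewrite or block traffic, and run work on a timer (MV3 alarms).
COOKIE_APIS = {"cookies"}
TRAFFIC_APIS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                "declarativeNetRequestWithHostAccess"}
SCHEDULER_APIS = {"alarms"}
# Substrings for the platforms the page discusses (assumed host names).
HR_ERP_HOST_HINTS = ("workday.com", "netsuite.com", "successfactors.")


def _is_host_pattern(p: str) -> bool:
    return p == "<all_urls>" or "://" in p


def host_patterns(manifest: dict) -> set[str]:
    """Collect every pattern that grants host access: MV3 host_permissions, MV2
    host entries mixed into "permissions", and content_scripts matches."""
    patterns: set[str] = set()
    if manifest.get("manifest_version", 2) >= 3:
        patterns.update(manifest.get("host_permissions", []))
    patterns.update(p for p in manifest.get("permissions", []) if _is_host_pattern(p))
    for cs in manifest.get("content_scripts", []):
        patterns.update(cs.get("matches", []))
    return patterns


def api_permissions(manifest: dict) -> set[str]:
    return {p for p in manifest.get("permissions", []) if not _is_host_pattern(p)}


def audit_manifest(manifest: dict) -> dict:
    hosts, apis = host_patterns(manifest), api_permissions(manifest)
    findings: list[str] = []
    if hosts & BROAD_HOST_PATTERNS:
        findings.append("broad host access")
    erp_hosts = sorted(h for h in hosts if any(k in h for k in HR_ERP_HOST_HINTS))
    if erp_hosts:
        findings.append("host access to HR/ERP platforms: " + ", ".join(erp_hosts))
    if apis & COOKIE_APIS:
        findings.append("cookies API")
        if apis & SCHEDULER_APIS:
            findings.append("scheduled execution (alarms) alongside cookie access")
    if apis & TRAFFIC_APIS:
        findings.append("can block or rewrite requests")
    # High risk = cookie access combined with reach into everything or into HR/ERP hosts.
    if apis & COOKIE_APIS and (hosts & BROAD_HOST_PATTERNS or erp_hosts):
        risk = "high"
    elif findings:
        risk = "review"
    else:
        risk = "low"
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "risk": risk, "findings": findings}


def audit_all(manifests) -> list[dict]:
    return [audit_manifest(m) for m in manifests]


def scan_profile(profile_dir: str) -> list[dict]:
    """Audit every installed extension under a Chrome/Chromium profile directory.
    Assumes the usual layout Extensions/<id>/<version dir>/manifest.json."""
    reports = []
    for mf in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        with mf.open(encoding="utf-8") as fh:
            report = audit_manifest(json.load(fh))
        report["id"] = mf.parents[1].name
        reports.append(report)
    return reports


# Constructed manifests; names, versions and patterns are invented for the example.
SAMPLE_MANIFESTS = [
    {"manifest_version": 3, "name": "HR Productivity Helper", "version": "1.2",
     "permissions": ["cookies", "alarms", "storage", "declarativeNetRequest"],
     "host_permissions": ["*://*.myworkday.com/*", "*://*.netsuite.com/*"]},
    {"manifest_version": 3, "name": "Generic Ad Blocker", "version": "4.0",
     "permissions": ["declarativeNetRequest", "storage"],
     "host_permissions": ["<all_urls>"]},
    {"manifest_version": 3, "name": "Tab Counter", "version": "0.1",
     "permissions": ["tabs"]},
    {"manifest_version": 2, "name": "Legacy Cookie Sync", "version": "2.3",
     "permissions": ["cookies", "<all_urls>", "webRequest", "webRequestBlocking"]},
]

if __name__ == "__main__":
    for r in audit_all(SAMPLE_MANIFESTS):
        print(f"{r['risk']:6} {r['name']}: {'; '.join(r['findings']) or 'no findings'}")
```

A manifest audit is a screening step, not proof of malice: an ad blocker legitimately needs request blocking on every site, which is why that combination lands in "review" rather than "high". What separates the high-risk bucket is the cookies API paired with reach into the monitored platforms, which is precisely the capability the disclosed extensions relied on. Run scan_profile against a managed endpoint's profile directory, or feed manifests collected by your endpoint management tooling into audit_all.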

Constella’s 10-Day Proof of Value

Constella offers a structured Proof of Value for cookie monitoring that moves from scope to results in ten days with zero long-term commitment.

  • Day 1: scope review, NDA and evaluation agreements, domain and subdomain list provided by the customer.
  • Days 2 through 8: Constella onboards the domains and collects findings for one week.
  • Day 9: a two-hour workshop with the security team presenting results, demonstrating success criteria, and Q&A.
  • Day 10: a one-hour evaluation with the project lead, after which all POV data is deleted.

The structure reflects the reality of how cookie monitoring value is demonstrated: not through theoretical explanation but through actual exposure findings against real organizational domains. If exposed session cookies are circulating in the adversary ecosystem for your organization’s platforms, the POV will find them.

Schedule a Demo or Start a POV

See how Constella’s cookie monitoring detects exposed session tokens for your domains before attackers act on them. Schedule a personalized demo or start a 10-day Proof of Value at constella.ai/request-a-demo/

Sources: BleepingComputer / Socket (January 17, 2026) — Chrome extensions targeting Workday, NetSuite, SAP SuccessFactors. Verizon 2025 Data Breach Investigations Report. FBI IC3 2025 Internet Crime Report. Statistics: Constella Intelligence 2026 Identity Breach Report.