Philippines ranks 6th in leaked cookies, NordVPN says

By Staff Writer

Cybersecurity research from NordVPN has found almost 94 billion browser cookies leaked on the dark web, with the Philippines ranking sixth out of 255 countries after nearly 3 billion cookies tied to Filipino users appeared in the dataset, including 227 million still active.
NordVPN said the cookie haul reflects how hackers are increasingly exploiting everyday browsing data to access accounts and personal information, turning a tool designed for convenience into an avenue for fraud and identity theft.
“Cookies may seem harmless, but in the wrong hands, they’re digital keys to our most private information,” says Adrianus Warmenhoven, cybersecurity expert at NordVPN.
“What was designed to enhance convenience is now a growing vulnerability exploited by cybercriminals worldwide.”
Cookies are small text files stored in a browser to remember preferences, login details and browsing behavior, helping websites load faster, keep shopping carts active and allow users to stay logged in across sessions.

NordVPN said cybercriminals can harvest cookies to hijack sessions, steal identities and bypass security measures that typically rely on logins.
“Most people don’t realize that a stolen cookie can be just as dangerous as a password,” says Warmenhoven.
“Once intercepted, a cookie can give hackers direct access to accounts and sensitive data, no login required.”
NordVPN said the dataset indicates cookie theft has jumped from 54 billion to almost 94 billion in a year, which it described as a 74% increase.
The company said 20.55% of the stolen cookies in the dataset are still active, which it said increases the risk of ongoing account compromise.
NordVPN said the Philippines placed sixth globally by volume. It reported that only 7.60% of cookies linked to the country were active, but that still equals about 227 million active cookies tied to real user activity.
“Even a small percentage of a huge dataset is massive,” says Warmenhoven.
“That’s hundreds of millions of people potentially exposed to cybercrime.”
NordVPN said the highest concentration of leaked cookies came from Brazil, India, Indonesia, the United States and Vietnam.
The company said major platforms accounted for large shares of the stolen cookies, including over 4.5 billion from Google, another 1.33 billion from YouTube, over 1.1 billion from Microsoft and about 1 billion from Bing.
NordVPN said the most common cookie categories were assigned IDs, at 18 billion, and session IDs, at 1.2 billion, which it described as critical for maintaining sessions and identifying users on websites.
The company said personal information such as name, email address, city, password and address was frequently exposed in connection with the stolen-cookie ecosystem.
NordVPN said 38 types of malware were used to steal the cookies, with Redline collecting more than 41.6 billion, making it the most active infostealer in the dataset.
NordVPN said other major malware strains included Vidar with 10 billion cookies and LummaC2 with 9 billion cookies.
The company said the malware variety expanded sharply from 12 types identified last year to 38 types now, and it said researchers also found 26 new types of malware not seen in 2024.
NordVPN cited newer entries including RisePro, Stealc, Nexus and Rhadamanthys. It said RisePro and Stealc are built to rapidly steal browser credentials and session data, Nexus targets banking information using mobile emulation techniques, and Rhadamanthys can deploy follow-up malware.
The report also compared exposure trends in specific data types, saying that in 2024 it identified 10.5 billion assigned IDs, 739 million session IDs, 154 million authentication tokens and 37 million login credentials.
NordVPN said those numbers rose in 2025, with 18 billion assigned IDs and 1.2 billion session IDs exposed.
To reduce risk, the company advised using strong, unique passwords, enabling multifactor authentication, avoiding suspicious links and unknown downloads, keeping devices updated, and regularly clearing site data to shorten the lifespan of active sessions.
“Usually, people close the browser, but the session is still valid, and the cookie is still there. If you never clean that site data, that session will be valid for as long as the site owner deems it secure,” says Warmenhoven.
“Taking basic precautions like using strong passwords, enabling MFA, and staying alert online can significantly reduce the risk of falling victim to cyberattacks. It’s a small investment of time that can protect you from big threats.”
NordVPN said the data was analyzed by NordStellar, a threat exposure management platform, and that the research was conducted between April 23 and April 30 using data gathered from Telegram channels where hackers advertise stolen information for sale.
The company said researchers analyzed whether cookies were active or inactive, which malware was used, which country they came from, and what data they contained about the company that made the cookie, the user’s operating system and the keyword categories assigned to users.
NordVPN said it did not buy stolen cookies, did not access the contents of the cookies and only examined what types of data were contained within them.
NordVPN described itself as a VPN provider with features including dedicated IP, Double VPN and Onion Over VPN servers, and it said its Threat Protection Pro™ blocks malicious websites, trackers and ads and scans downloads for malware.
The company said it operates more than 7,600 servers covering 118 countries worldwide, and it noted that its parent company Nord Security has also launched Saily, a global eSIM service.


