Session-Cookie Theft and Infostealer Malware Enable 2FA-Bypassing Account Takeovers
- Vector
- credential-stuffing
- Severity
- moderate
- Data exposed
- Stolen browser session cookies and credentials, including for Reddit accounts, often from infostealer logs
- Attacker
- Operators of infostealer malware (e.g., Lumma) and log markets
- Disclosed
- 2025-01-01
- Date
- 2025-01-01
What happened
A growing class of account takeovers does not crack passwords at all: infostealer malware harvests valid browser session cookies and saved credentials, which can be replayed to sign in to services such as Reddit without triggering a fresh login prompt or two-factor challenge. Because servers treat a valid session token as proof of identity, a stolen token can grant access even to accounts protected by 2FA, and the sessions often remain usable until they are explicitly revoked.

Stealer families such as Lumma drove large volumes of credential and cookie theft across 2024 and 2025, with logs sold cheaply in bulk. Reddit users have reported takeovers despite having 2FA enabled, consistent with this session-hijacking pattern. Defenses include device hygiene, signing out of stale sessions, and limiting saved-password exposure.
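The "usable until revoked" property above is what a service can shrink on its own side. The following is an added example (not Reddit's or any vendor's code) of a server-side session store with three such controls: an absolute lifetime, a coarse keyed binding of each session to the client that created it, and a per-user revocation counter behind "sign out everywhere". All names, the client records and the alert queue are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time


class SessionStore:
    def __init__(self, secret: bytes, max_age: int = 86400):
        self.secret = secret          # HMAC key for the client-binding hash
        self.max_age = max_age        # absolute lifetime in seconds (not sliding)
        self.sessions = {}            # token -> session record
        self.generation = {}          # user -> revocation counter
        self.alerts = []              # constructed stand-in for a SIEM/alert queue

    def _fingerprint(self, client: dict) -> str:
        # Coarse binding: user-agent family plus the first three IP octets, keyed so
        # the bound value cannot be recomputed from the cookie alone.
        net = client["ip"].rsplit(".", 1)[0]
        raw = f"{client['ua']}|{net}".encode()
        return hmac.new(self.secret, raw, hashlib.sha256).hexdigest()

    def issue(self, user: str, client: dict, now=None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "issued": now, "fp": self._fingerprint(client),
                                "gen": self.generation.get(user, 0)}
        return token

    def validate(self, token: str, client: dict, now=None):
        # Returns the user for a cookie that may be honoured, else None plus an alert.
        now = time.time() if now is None else now
        s = self.sessions.get(token)
        if s is None:
            return None
        reasons = []
        if now - s["issued"] > self.max_age:
            reasons.append("expired")
        if s["gen"] != self.generation.get(s["user"], 0):
            reasons.append("revoked")
        if not hmac.compare_digest(s["fp"], self._fingerprint(client)):
            reasons.append("client_mismatch")
        if reasons:
            self.sessions.pop(token, None)   # a replayed or stale cookie dies on first use
            self.alerts.append({"user": s["user"], "ip": client["ip"], "reasons": reasons})
            return None
        return s["user"]

    def sign_out_everywhere(self, user: str) -> None:
        # Bumping the counter invalidates every session issued before this call.
        self.generation[user] = self.generation.get(user, 0) + 1
```

The binding is deliberately coarse (UA family and /24) because exact IP binding breaks legitimate mobile roaming; a mismatch is still worth an alert because a cookie replayed from an infostealer log normally arrives from a different network and browser than the one that issued it.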