New Zealand ranks 100th out of 253 countries, with 77.5 million leaked cookies — over 6 million of which are still active and tied to real user activity.
According to the latest research by cybersecurity company NordVPN, New Zealand has landed a troubling spot on the global leaderboard for leaked cookies, ranking 100th out of 253 countries. 77.5 million cookies linked to New Zealand users have been found on the dark web. (ref. https://nordvpn.com/blog/cookies-research/ )
Although cookies are commonly seen as helpful for improving online experiences, many don’t realize that hackers can exploit them to steal personal data and access secure systems.
“Cookies may seem harmless, but in the wrong hands, they’re digital keys to our most private information,” says Adrianus Warmenhoven, cybersecurity expert at NordVPN. “What was designed to enhance convenience is now a growing vulnerability exploited by cybercriminals worldwide.”
The hidden risk behind everyday browsing
Cookies are small text files that websites store on a user’s browser to remember preferences, login details, and browsing behavior. They play a vital role in making online experiences smoother, helping websites load faster, keeping shopping carts full, and allowing users to stay logged in across sessions. Without cookies, the convenience and personalization of the modern web would be severely limited.
However, as the digital landscape evolves, so does the misuse of these tools. Cybercriminals have learned to harvest cookies to hijack sessions, steal identities, and bypass security measures.
“Most people don’t realize that a stolen cookie can be just as dangerous as a password,” says Warmenhoven. “Once intercepted, a cookie can give hackers direct access to accounts and sensitive data, no login required.”
Millions of pieces of personal data exposed
NordVPN’s research reveals a massive malware operation that stole almost 94 billion cookies — a dramatic jump from 54 billion just a year ago, marking a 74% increase. Even more concerning, 20.55% of these cookies are still active, posing an ongoing risk to users’ online privacy. Most stolen cookies came from major platforms, including Google (4.5 billion), YouTube (1.33 billion), and over 1 billion each from Microsoft and Bing.
The growth is just as alarming when comparing personal data exposure over the past few years. In 2024, NordVPN identified 10.5 billion assigned IDs, 739 million session IDs, 154 million authentication tokens, and 37 million login credentials. In 2025, those numbers rose sharply, with 18 billion assigned IDs and 1.2 billion session IDs now exposed. These data types are critical for identifying users and securing their online accounts, making them highly valuable to cybercriminals.
The stolen information often included full names, email addresses, cities, passwords, and physical addresses — key personal data that can be used for identity theft, fraud, and unauthorized account access.
The data was harvested using 38 different types of malware, more than triple the 12 types identified last year. The most active strains were Redline (41.6 billion cookies), Vidar (10 billion), and LummaC2 (9 billion). These malware families are known for stealing login details, passwords, and other sensitive data.
Redline is a powerful infostealer that extracts saved passwords, cookies, and autofill data from browsers, giving hackers direct access to personal accounts.
Vidar works similarly but also downloads additional malware, making it a gateway to more complex attacks.
LummaC2 is particularly evasive, frequently updating its tactics to slip past antivirus tools and spread across systems undetected.
In addition to these known threats, researchers discovered 26 new types of malware not seen in 2024 — a sign of how quickly the cybercrime landscape is evolving. New entries like RisePro, Stealc, Nexus, and Rhadamanthys are especially dangerous. RisePro and Stealc are built to rapidly steal browser credentials and session data, while Nexus targets banking information using mobile emulation techniques. Rhadamanthys stands out with its stealthy design and ability to deploy follow-up malware, making it a multipurpose threat capable of causing extensive damage.
The stolen cookies came from users in 253 countries. New Zealand ranked 100th in total volume, with 7.78% of the cookies being active. However, that still represents over 6 million cookies tied to real user activity — a massive potential exposure.
“Even a small percentage of a huge dataset is massive,” says Warmenhoven. “That’s millions of people potentially exposed to cybercrime.”
Easy ways to protect your data from cyber threats
Stay vigilant online to protect yourself from the risks posed by data breaches and malware. Start by using strong, unique passwords for every account and enabling multifactor authentication (MFA) whenever possible. Additionally, be cautious about sharing personal information and avoid clicking on suspicious links or downloading unknown files.
Another crucial step is keeping your devices up to date. This can help block harmful malware before it can compromise your system. Regularly cleaning your site data is also essential. Many users don’t realize that active sessions may persist even after they close their browser. Clearing this data helps reduce the window of opportunity for unauthorized access. Lastly, always check the privacy settings on your online accounts to ensure you only share information with trusted services.
“Usually, people close the browser, but the session is still valid, and the cookie is still there. If you never clean that site data, that session will be valid for as long as the site owner deems it secure,” says Warmenhoven. “Taking basic precautions like using strong passwords, enabling MFA, and staying alert online can significantly reduce the risk of falling victim to cyberattacks. It’s a small investment of time that can protect you from big threats.”
Methodology
The data was analyzed by NordStellar, a threat exposure management platform. The research was conducted between April 23 and April 30. The researchers used data gathered from Telegram channels where hackers advertise what stolen information is available for sale. This led to a dataset of information about 93.76 billion cookies. Researchers analyzed whether the cookies were active or inactive, which malware was used to steal the cookies, which country they were from, as well as what data they contained concerning the company that made the cookie, the user’s OS, and keyword categories assigned to users. NordVPN did not buy stolen cookies, did not access the contents of the cookies, and only examined what types of data were contained within them.
ABOUT NORDVPN
NordVPN is the world’s most advanced VPN service provider, trusted by millions of internet users worldwide. The service offers features such as dedicated IP, Double VPN, and Onion Over VPN servers, which help to enhance online privacy with zero tracking. One of NordVPN’s key features is Threat Protection Pro, a tool that blocks malicious websites, trackers, and ads and scans downloads for malware. NordVPN is part of Nord Security, whose latest product is Saily, a global eSIM service. Known for its user-friendly design, NordVPN offers some of the best prices on the market and operates over 7,600 servers in 118 countries. For more information, visit nordvpn.com.