Multifactor authentication (MFA) is considered a core element of the modern security stack. MFA greatly reduces the threat of unauthorized access due to compromised credentials, but cybercriminals can bypass MFA using a tactic known as token theft.
After a user successfully logs into a service, the service issues a session token to the app or browser. That bit of digital information tells the service that the user has already been authenticated and doesn’t need to log in again during that session. Think of tokens as temporary “digital keys” that grant users access to their accounts.
By stealing a token, an attacker can impersonate a legitimate user and bypass security measures such as passwords and MFA. Token theft is particularly dangerous because it subverts modern security measures that are designed to protect against unauthorized access.
Developers should take steps to secure tokens and manage them effectively. Organizations should implement tools to detect and block attacks and train users to follow best practices to prevent token theft.
How Do Attackers Steal Tokens?
Phishing is the primary method used to steal session tokens. Adversary-in-the-Middle (AiTM) phishing attacks use fake login pages that sit between the user and the real service and capture the user’s login details and MFA code. The spoofed site then passes the credentials to the legitimate service to get a valid session token. The attacker intercepts this token and uses it to hijack the user’s session.
With Man-in-the-Middle (MitM) attacks, the hacker intercepts network traffic between a user’s device and a cloud-based service, allowing the hacker to capture session tokens that are exchanged during the login process. This is a common risk on unsecured public Wi-Fi networks.
In some cases, malicious software is installed on a device to scrape browser cookies and other local storage for active session tokens. Attackers can also exploit weaknesses in software or applications to gain access to and steal tokens.
Why Is Token Theft a Serious Threat?
Token theft renders MFA useless, as the attacker doesn’t need to go through the authentication process. The stolen session token proves that the user has already successfully authenticated by entering the correct password and MFA code. Token theft also enables persistent access. An attacker can maintain unauthorized access to an account for an extended period, even if the victim changes their password.
Because the attacker is using a legitimate, stolen token, their activity can appear normal, making it difficult to detect. Once an attacker has gained access to a user’s account, they can use that access to move laterally within a network, escalate privileges or create persistent backdoors.
Attackers can use stolen tokens to exfiltrate sensitive data. Compromised accounts, especially those belonging to executives or finance personnel, can be used to initiate fraudulent transactions or wire transfers. Attackers can also impersonate legitimate users to send malicious emails to other employees or partners, further spreading the attack.
Techniques for Reducing the Risk of Token Theft
To reduce the risk of token theft, developers should give access tokens a short lifespan, minimizing the time attackers can use them. Longer-lived refresh tokens should be used for session persistence. Each time a refresh token is exchanged for a new one, the previous refresh token should be revoked so it cannot be used twice. Tokens should also be explicitly revoked when the user logs out.
Refresh tokens should be stored securely on the server and not in local or session storage, which is vulnerable to cross-site scripting attacks. Tokens can be encrypted and stored in cookies to add another layer of protection. For mobile apps, tokens can be stored in the device’s secure storage, which is more secure than local app storage.
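The token lifecycle described in the two paragraphs above (short-lived access tokens, refresh-token rotation with revocation of the previous token, and revocation on logout) as a worked example. This is an added illustration, not code from the original post or from any product; the server-side store, the TokenService class, the lifetimes and the "token family" idea are assumptions. It goes one step beyond the text: if an already-rotated refresh token is presented again, which is what a replayed stolen token looks like, every token in that session's family is revoked.

```python
import secrets
import time

ACCESS_TTL = 300          # assumed: access tokens live 5 minutes
REFRESH_TTL = 7 * 86400   # assumed: refresh tokens live 7 days

class TokenService:
    """Server-side token store (assumed design). Refresh tokens are single-use;
    all tokens issued from one login share a 'family' id so they can be revoked together."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock, so expiry can be tested
        self.access = {}        # access token  -> {user, family, exp}
        self.refresh = {}       # refresh token -> {user, family, exp, revoked}

    def login(self, user):
        return self._issue(user, secrets.token_hex(8))

    def _issue(self, user, family):
        a, r, t = secrets.token_urlsafe(32), secrets.token_urlsafe(32), self.now()
        self.access[a] = {"user": user, "family": family, "exp": t + ACCESS_TTL}
        self.refresh[r] = {"user": user, "family": family,
                           "exp": t + REFRESH_TTL, "revoked": False}
        return a, r

    def validate_access(self, token):
        rec = self.access.get(token)
        if rec is None or rec["exp"] <= self.now():
            return None             # unknown, revoked or expired
        return rec["user"]

    def rotate(self, refresh_token):
        rec = self.refresh.get(refresh_token)
        if rec is None or rec["exp"] <= self.now():
            return None
        if rec["revoked"]:
            # A previously rotated token came back: treat it as a replay of a
            # stolen token and kill the whole family (extension beyond the text).
            self._revoke_family(rec["family"])
            return None
        rec["revoked"] = True       # the previous refresh token is now dead
        return self._issue(rec["user"], rec["family"])

    def logout(self, refresh_token):
        rec = self.refresh.get(refresh_token)
        if rec is not None:
            self._revoke_family(rec["family"])

    def _revoke_family(self, family):
        for r in self.refresh.values():
            if r["family"] == family:
                r["revoked"] = True
        self.access = {a: rec for a, rec in self.access.items() if rec["family"] != family}
```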
Organizations should use conditional access policies to restrict access based on user identity, device compliance and network location. They should also implement monitoring and logging to detect unusual sign-in activity. Security awareness training should educate users on how to recognize phishing attempts and other tactics used to steal tokens.
How Technologent Can Help
Token theft was responsible for 31 percent of breaches targeting Microsoft 365 instances in 2025, according to the Verizon 2025 Data Breach Investigations Report. Technologent’s cybersecurity experts can help you develop a layered security strategy and implement tools such as phishing-resistant MFA to reduce the risk of token theft.
December 9, 2025