The Hidden Threat After Login: Understanding Session Hijacking

You did everything right. You turned on multi-factor authentication (MFA). You use strong passwords. Maybe you even switched to passkeys. So how did an attacker still get into your email?
The answer is something called session hijacking, and it's one of the most common ways attackers break into accounts today — even ones that are well protected. The good news: once you understand how it works, it's much easier to defend against. Let's walk through it simply.
First, What Is a "Session"?
When you log in to your email or any website, you don't have to re-enter your password every time you click a link. The website "remembers" you for a while.
It does this by handing your browser a small piece of data called a session token (often stored as a cookie). Think of it like a wristband you get at a concert. Once security checks your ticket at the door, they give you a wristband. After that, you can come and go freely — nobody checks your ticket again, they just look at the wristband.
That wristband is your session token.
So What Is Session Hijacking?
Session hijacking is when an attacker steals your wristband.
They don't need your password. They don't need to pass your MFA check. They don't need your passkey. Because all of that happened at the door — and the attacker is skipping the door entirely. They just grab the wristband and walk right in, and the website assumes they're you.
This is the key thing to understand: MFA and passkeys protect the login moment. Session hijacking happens after that moment has already passed.
Why This Is Becoming More Common
Here's the irony. As more people turn on MFA and passkeys, logging in has gotten much harder to attack directly. So attackers simply changed their target. Instead of trying to break the lock on the front door, they wait until you've opened it and steal the key you're holding.
Ready-made phishing kits have made this easy enough that even low-skill attackers can pull it off. That's why protecting just the login screen is no longer enough — security has to cover your entire session.
How Attackers Steal Your Session
There are a few common methods. You don't need to memorize these, but recognizing the names helps.
Fake login pages that sit in the middle (AiTM). The attacker sends you to a convincing fake login page. When you type your details and pass MFA, the fake page quietly passes everything to the real website — and catches the session token that comes back. You end up logged in and never notice anything wrong, but the attacker now has a copy of your wristband.
Malware that scrapes cookies. Some malware (often called an info-stealer) is built specifically to dig through your browser, find saved session cookies, and send them to the attacker. The attacker loads those cookies into their own browser and is instantly "you."
Snooping on unsafe networks. On poorly secured or public Wi-Fi, an attacker positioned between you and the website can sometimes intercept the token as it travels.
Malicious scripts on websites (XSS). If a website has a security flaw, an attacker can sneak in a hidden script that reads your token and sends it to them.
How You Know It Might Be Happening
Stolen-token activity can look legitimate, but there are red flags:
- Impossible travel — your account logs in from one country, then another far away minutes later.
- A device that doesn't match — a session that started on your phone suddenly continues from an unfamiliar desktop.
- Surprise logouts — you get kicked out of your session for no clear reason.
- Activity you didn't do — emails sent, settings changed, or files accessed without your action.
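The first two red flags can be checked automatically against session logs. Below is an added example (not code from the original article) that walks consecutive requests carrying the same session token and flags impossible travel and device mismatch. The log format, coordinates, and the 800 km/h speed threshold are constructed assumptions; a real deployment would take location from an IP geolocation service and tune the threshold.

```python
"""Flag impossible travel and device mismatch on a single session token.

Added example; the event format below is constructed sample data, and the
800 km/h plausibility threshold is an assumption, not a standard value.
"""
import math
from dataclasses import dataclass
from datetime import datetime

# Constructed sample events: one line per request that presented a session token.
SAMPLE_EVENTS = [
    "2024-05-01T09:00:00Z sid=abc123 user=alice ip=203.0.113.5 lat=52.52 lon=13.40 ua=iPhone/Safari",
    "2024-05-01T09:04:00Z sid=abc123 user=alice ip=203.0.113.5 lat=52.52 lon=13.40 ua=iPhone/Safari",
    # Same token, 12 minutes later, ~9,000 km away and on a different device class.
    "2024-05-01T09:16:00Z sid=abc123 user=alice ip=198.51.100.77 lat=37.77 lon=-122.42 ua=Windows/Chrome",
    "2024-05-01T10:00:00Z sid=def456 user=bob ip=192.0.2.10 lat=48.85 lon=2.35 ua=Android/Chrome",
    "2024-05-01T12:00:00Z sid=def456 user=bob ip=192.0.2.10 lat=48.85 lon=2.35 ua=Android/Chrome",
]

MAX_PLAUSIBLE_KMH = 800.0  # roughly airliner speed; faster than this is "impossible travel"


@dataclass
class Event:
    ts: datetime
    sid: str
    user: str
    ip: str
    lat: float
    lon: float
    ua: str


def parse_event(line: str) -> Event:
    """Parse one 'timestamp key=value ...' log line into an Event."""
    ts_str, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    return Event(
        ts=datetime.fromisoformat(ts_str.replace("Z", "+00:00")),
        sid=fields["sid"], user=fields["user"], ip=fields["ip"],
        lat=float(fields["lat"]), lon=float(fields["lon"]), ua=fields["ua"],
    )


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on Earth, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def find_red_flags(lines):
    """Return (sid, reason) pairs where consecutive events on one token look hijacked."""
    flags = []
    last_by_sid = {}
    for line in lines:
        ev = parse_event(line)
        prev = last_by_sid.get(ev.sid)
        if prev is not None:
            hours = (ev.ts - prev.ts).total_seconds() / 3600
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                flags.append((ev.sid, f"impossible travel: {km:.0f} km in {hours * 60:.0f} min"))
            if ev.ua != prev.ua:
                flags.append((ev.sid, f"device mismatch: {prev.ua} -> {ev.ua}"))
        last_by_sid[ev.sid] = ev
    return flags


if __name__ == "__main__":
    for sid, reason in find_red_flags(SAMPLE_EVENTS):
        print(f"[ALERT] session {sid}: {reason}")
```

Both alerts fire on the same token, which is the point: a real user can change networks, but a token that jumps continents and browsers in twelve minutes has almost certainly been copied.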
How to Protect Yourself and Your Organization
The fix isn't one single thing — it's layers. Here's what actually helps.
For individuals:
- Keep your devices free of malware with good security software, and don't install sketchy browser extensions.
- Be cautious about login links in emails and messages — go to sites directly instead.
- Avoid logging in to sensitive accounts on public Wi-Fi unless you trust the connection.
- If something feels off, log out of all sessions and change your password.
For organizations:
- Use phishing-resistant login like passkeys/FIDO2. They won't stop a stolen token on their own, but they block the fake-login-page trick that's often the first step.
- Shorten session lifetimes. The faster a token expires, the smaller the window for an attacker to use it.
- Watch sessions continuously, not just at login. If the system spots a new device, a strange location, or odd behavior mid-session, it should re-check the user or end the session.
- Tie sessions to a device. This is one of the strongest defenses available. Configure your platforms so a session only works on the device it was created on — that way, even if an attacker steals the token, it's useless on their machine. On Google Workspace, look for Device Bound Session Credentials (DBSC). On Microsoft 365, use Conditional Access with token protection and device-compliance requirements. The goal is the same: don't let an account sign in from just any device.
- Harden your cookies. Settings like HttpOnly, Secure, and SameSite reduce the ways tokens can be grabbed.
- Train your people. A team that recognizes phishing is your first and best line of defense.
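To make the server-side items above concrete (how a session token is issued and checked, short lifetimes, device binding, and hardened cookie flags), here is an added example of a minimal session store; it is not code from the original article or from any vendor product named in it. The `device_id` string the client presents is a simplified stand-in (an assumption) for real binding schemes such as DBSC or token protection, which tie the session to a key the device holds; the example only shows the effect of binding, and the `revoke_all` method also covers the "log out every active session" step from the incident section.

```python
"""Server-side session handling that limits what a stolen token is worth.

Added example, not code from the original article or any vendor product named
in it. The device_id check is a simplified stand-in (an assumption) for device
binding schemes such as DBSC or token protection; it only shows the effect.
"""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional, Tuple

ABSOLUTE_LIFETIME = timedelta(hours=8)  # hard cap on how long one login lasts
IDLE_TIMEOUT = timedelta(minutes=30)    # expire after this much inactivity


@dataclass
class Session:
    user: str
    device_id: str       # identifier the bound device presents on every request
    created: datetime
    last_seen: datetime


class SessionStore:
    def __init__(self, now: Optional[Callable[[], datetime]] = None):
        self._sessions: Dict[str, Session] = {}  # sha256(token) -> Session
        self._now = now or (lambda: datetime.now(timezone.utc))

    @staticmethod
    def _key(token: str) -> str:
        # Keep only a hash: a leaked store then holds nothing directly replayable.
        return hashlib.sha256(token.encode()).hexdigest()

    @staticmethod
    def cookie_header(token: str) -> str:
        """Hardened Set-Cookie value. The weak form would be just 'session=<token>'."""
        max_age = int(ABSOLUTE_LIFETIME.total_seconds())
        # HttpOnly: page scripts (XSS) cannot read it.  Secure: never sent over plain HTTP.
        # SameSite=Strict: not attached to cross-site requests.  Max-Age: browser drops it.
        return f"session={token}; HttpOnly; Secure; SameSite=Strict; Path=/; Max-Age={max_age}"

    def issue(self, user: str, device_id: str) -> Tuple[str, str]:
        """Log a user in: return (token, Set-Cookie header value)."""
        token = secrets.token_urlsafe(32)
        now = self._now()
        self._sessions[self._key(token)] = Session(user, device_id, now, now)
        return token, self.cookie_header(token)

    def validate(self, token: str, device_id: str) -> Optional[str]:
        """Return the user if the token is live and comes from its bound device, else None."""
        key = self._key(token)
        s = self._sessions.get(key)
        if s is None:
            return None
        now = self._now()
        if now - s.created > ABSOLUTE_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[key]
            return None
        if not secrets.compare_digest(s.device_id, device_id):
            # Same token, different device: treat it as a stolen wristband and end the session.
            del self._sessions[key]
            return None
        s.last_seen = now
        return s.user

    def revoke_all(self, user: str) -> int:
        """Incident-response step: log out every active session for one account."""
        doomed = [k for k, s in self._sessions.items() if s.user == user]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


def run_scenario() -> Dict[str, object]:
    """Walk through a theft: token copied from device A and replayed from device B."""
    clock = {"t": datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)}  # constructed fixed time
    store = SessionStore(now=lambda: clock["t"])
    token, header = store.issue("alice", "device-A")
    results = {
        "cookie_hardened": all(f in header for f in ("HttpOnly", "Secure", "SameSite=Strict")),
        "owner_ok": store.validate(token, "device-A"),            # 'alice'
        "thief_ok": store.validate(token, "device-B"),            # None: wrong device
        "owner_after_theft": store.validate(token, "device-A"),   # None: session was ended
    }
    token2, _ = store.issue("alice", "device-A")
    clock["t"] += timedelta(minutes=31)                            # sit idle past the timeout
    results["idle_expired"] = store.validate(token2, "device-A")  # None
    store.issue("bob", "device-C")
    store.issue("bob", "device-D")
    results["bob_revoked"] = store.revoke_all("bob")              # 2
    return results


if __name__ == "__main__":
    print(run_scenario())
```

Two design choices matter here. Ending the session on a device mismatch, rather than just rejecting the one request, forces the legitimate user to log in again, which is the right outcome when a copied token is in play. And storing only a hash of the token means the server-side store itself is not a second place tokens can be stolen from.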
If You Think an Account Has Been Hijacked
Act fast:
- End the session immediately and reset the session tokens.
- Log out every active session on the account.
- Tell the affected person and have them change their password.
- Find the root cause — check for malware, identify how the token leaked, and close the gap.
- Notify the right people internally, and any authorities or affected parties if data was exposed.
The Bottom Line
MFA and passkeys are genuinely important — keep using them. But they guard the front door, and session hijacking sneaks in through a window you left open after you walked inside.
Real security means protecting the whole visit, not just the entrance. Watch your sessions, keep your devices clean, expire tokens quickly, and stay alert to the warning signs. Do that, and you close the gap that attackers count on.