Browser credential theft is harvesting the passwords, cookies, and tokens a web browser stores on a compromised machine. Saved logins are encrypted with the OS user key (via DPAPI on Windows), so an attacker in the user’s context decrypts them; session cookies and tokens are even more valuable because they can let the attacker resume an authenticated session and bypass MFA. It turns one compromised endpoint into access to the user’s email, SaaS, and cloud accounts.
What browser credential theft is
Browsers store a lot of credential material for convenience: saved passwords, session cookies, OAuth/refresh tokens, and autofill data. Saved passwords are encrypted with a key tied to the OS user (on Windows via DPAPI).
Browser credential theft is reading that store from a compromised user’s machine. Because the protection is tied to the user, an attacker already running as the user can decrypt it, and cookies and tokens often need no decryption to be reused.
The abuse and payload
From a compromised endpoint, the attacker collects the browser’s secrets:
- Saved passwords: read the browser’s credential database and decrypt with the user’s DPAPI key, yielding cleartext logins.
- Session cookies: copy auth cookies and replay them to resume the user’s logged-in sessions, which bypasses MFA because the session is already authenticated.
- Tokens: steal OAuth/refresh tokens for SaaS and cloud APIs.
Infostealer malware automates exactly this; it is documented here for defensive context.
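The behaviour above has a recognisable footprint: a process that is not the browser opens several credential-store files in quick succession. The following is an added detection example (not code from the original page or from any product) that runs that check over constructed file-read telemetry; the JSON-lines event format, the host/pid fields and the `updater.exe` and `backup.exe` process names are assumptions, while the store file names are the well-known Chromium and Firefox ones.

```python
import json
from datetime import datetime, timedelta

# Browser credential-store file names that infostealers read (well-known names,
# not page-specific values): Chromium-family and Firefox.
BROWSER_STORE_FILES = {
    "Login Data", "Cookies", "Web Data", "Local State",  # Chromium-based browsers
    "logins.json", "key4.db", "cookies.sqlite",          # Firefox
}

# Processes expected to open their own credential stores; everything else is suspect.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}

# Constructed sample telemetry: hypothetical EDR file-read events as JSON lines.
SAMPLE_EVENTS = r"""
{"ts": "2024-05-01T09:58:10", "host": "WS01", "pid": 4120, "process": "chrome.exe", "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts": "2024-05-01T09:58:11", "host": "WS01", "pid": 4120, "process": "chrome.exe", "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"}
{"ts": "2024-05-01T10:00:01", "host": "WS01", "pid": 7788, "process": "updater.exe", "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts": "2024-05-01T10:00:02", "host": "WS01", "pid": 7788, "process": "updater.exe", "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"}
{"ts": "2024-05-01T10:00:02", "host": "WS01", "pid": 7788, "process": "updater.exe", "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"}
{"ts": "2024-05-01T10:00:03", "host": "WS01", "pid": 7788, "process": "updater.exe", "path": "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1y2z3.default\\logins.json"}
{"ts": "2024-05-01T10:00:04", "host": "WS01", "pid": 7788, "process": "updater.exe", "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State"}
{"ts": "2024-05-01T11:30:00", "host": "WS01", "pid": 9001, "process": "backup.exe", "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into dicts, converting 'ts' to a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def store_file_name(path):
    """Return the file name if the path points at a browser credential store, else None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name if name in BROWSER_STORE_FILES else None


def detect_bulk_store_access(events, window=timedelta(minutes=5), threshold=3):
    """Flag a non-browser process that reads at least `threshold` distinct store files
    within `window`. A single read (e.g. a backup agent) stays below the bar."""
    by_proc = {}
    for ev in events:
        name = store_file_name(ev["path"])
        if name is None or ev["process"].lower() in BROWSER_PROCESSES:
            continue
        key = (ev["host"], ev["pid"], ev["process"])
        by_proc.setdefault(key, []).append((ev["ts"], name))

    alerts = []
    for (host, pid, process), reads in by_proc.items():
        reads.sort()  # chronological, so a sliding window is a contiguous slice
        for i, (start, _) in enumerate(reads):
            in_window = [(t, n) for t, n in reads[i:] if t - start <= window]
            files = sorted({n for _, n in in_window})
            if len(files) >= threshold:
                alerts.append({
                    "host": host, "pid": pid, "process": process, "files": files,
                    "first_seen": start.isoformat(),
                    "last_seen": in_window[-1][0].isoformat(),
                })
                break  # one alert per process is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_store_access(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert, indent=2))
```

On the sample data only `updater.exe` is flagged: it touches five distinct store files across two browsers in four seconds, while the browser's own reads and the single read by `backup.exe` are ignored. In a real deployment the threshold and window are tuning knobs, and the process allow-list should be derived from signed binaries rather than image names alone.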
How to defend
- Use phishing-resistant MFA, keep session lifetimes short so stolen cookies expire quickly, and bind sessions to the device where possible.
- Discourage saving passwords in browsers for privileged accounts; use a managed password manager.
- Limit local admin and enable [Credential Guard](/learn/active-directory/what-is-credential-guard) to make user-context theft harder.
- Deploy endpoint protection against infostealers and detect bulk browser-store access.
- Bind sessions to device posture (continuous access evaluation) where supported.
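To show why short lifetimes and device binding blunt cookie replay, here is an added server-side session-store example (illustrative code, not the page's own and not tied to any framework). It is a simplification: the device fingerprint string stands in for whatever device-posture signals a real identity provider would evaluate, the 15-minute lifetime and the `SERVER_SECRET` value are constructed placeholders, and the `SessionStore` class and its methods are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

SESSION_MAX_AGE = 15 * 60                       # short lifetime: a stolen cookie is live for 15 minutes at most
SERVER_SECRET = b"constructed-placeholder-key"  # would be a rotated secret in a real deployment


def device_hash(fingerprint):
    """Keyed hash of device attributes; a cookie replayed from another device will not match it."""
    return hmac.new(SERVER_SECRET, fingerprint.encode(), hashlib.sha256).hexdigest()


class SessionStore:
    """In-memory session records keyed by an opaque cookie value."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, device_fingerprint, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # random cookie value, unrelated to the password
        self._sessions[token] = {
            "user": user,
            "device": device_hash(device_fingerprint),
            "expires": now + SESSION_MAX_AGE,
        }
        return token

    def validate(self, token, device_fingerprint, now=None):
        """Return the user if the session is unexpired and presented from the bound device, else None."""
        now = time.time() if now is None else now
        rec = self._sessions.get(token)
        if rec is None:
            return None
        if now >= rec["expires"]:
            self._sessions.pop(token, None)  # expired: drop it so it cannot be revived
            return None
        if not hmac.compare_digest(rec["device"], device_hash(device_fingerprint)):
            self._sessions.pop(token, None)  # replay from a different device: revoke immediately
            return None
        return rec["user"]

    def revoke_all_for_user(self, user):
        """Incident response: terminate every session of a user whose browser store was harvested."""
        doomed = [t for t, r in self._sessions.items() if r["user"] == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


def demo():
    """Walk through the three cases with a fixed clock so the outcome is deterministic."""
    store = SessionStore()
    t0 = 1_700_000_000.0
    fp = "win11|chrome-124|managed:true"
    cookie = store.create("alice", fp, now=t0)
    results = {
        "same_device": store.validate(cookie, fp, now=t0 + 60),
        "replayed_elsewhere": store.validate(cookie, "linux|firefox-125|managed:false", now=t0 + 61),
    }
    cookie2 = store.create("alice", fp, now=t0)
    results["after_expiry"] = store.validate(cookie2, fp, now=t0 + SESSION_MAX_AGE + 1)
    cookie3 = store.create("alice", fp, now=t0)
    results["revoked"] = store.revoke_all_for_user("alice")
    results["after_revoke"] = store.validate(cookie3, fp, now=t0 + 5)
    return results


if __name__ == "__main__":
    print(demo())
```

The replayed cookie fails the device check and is revoked on the spot, so even a copy stolen within the lifetime window cannot be used from the attacker's machine, and `revoke_all_for_user` is the response step once a harvest is suspected.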