Hackers’ Hands Are In The Cookie Jar, But Blockchain Can Snap The Lid Shut

Cyber attackers are hijacking accounts using stolen session cookies and browser data, without even needing passwords. But blockchain-based identity systems can lock them out by ensuring that your credentials stay with you, not on some central server.

2 July 2025 6:00 AM IST

About a fortnight ago, cybersecurity researchers confirmed that over 16 billion login credentials were leaked and compiled into datasets online, giving criminals access to accounts consumers use each day.

The breach involved not only passwords but also browsing session cookies and personal metadata. What this means is that a hacker could impersonate a user across platforms, such as Google, Apple and Facebook, even without using passwords.

An interesting thing about this breach was that it did not result from a single hack. It was the result of years of malware silently stealing user data from phones and laptops, mostly through browser-stored passwords and cookies.

Without sounding alarmist, it’s fair to say some of our data is already out there. It’s indeed a cause for concern, and if you're sweating bullets hearing this, you’re not at all overreacting.

With India’s growing dependence on digital services — UPI, Aadhaar and Web3 apps — this kind of breach does hit close to home.

So, how do we move forward?

Shift to Blockchain Identity

According to some experts, the solution to this problem could lie in moving away from passwords, and placing our faith in blockchain-based identity systems, where users, not companies, own and control their digital identities.

In the traditional model, when you create a password for a website, it gets saved in an external database. If that database is breached, your digital credentials are exposed.

But a blockchain-based identity, available right now mostly for small businesses, works differently. You hold a private passkey, stored on your personal device. No one else has it, and no central authority keeps it on your behalf.

Services and websites then verify or authenticate you using the passkeys, but they never see your actual credentials.

Tech and crypto news platform CCN.com quotes Jesse Phillips, CEO of Trustware, a company focused on simplifying blockchain technology, as saying:

“Blockchain identity doesn’t solve everything, but it absolutely shuts down impersonation.”

How It Prevents Identity Theft

Mainly, by taking the central server out of the picture.

Because your credentials or passwords are no longer saved in a database, there’s nothing for hackers to steal. Even if a platform is breached, your personal data continues to be out of reach because your credentials are saved on your phone.

Apart from that, the blockchain-based identity, which authenticates and re-authenticates any log-in request using passkeys, will make it harder for hackers to continue an active session based on stolen cookies.

Victor Vernissage, co-founder of Humanode, a platform that uses biometric data to make online security more private, says that session hijacking attacks are worse because this type of breach “sidesteps all authentication layers including 2FA (two-factor authentication)”.

Vernissage also offers a solution: “Just verifying identity [at login] does not help here; we need stronger session verification.”

Blockchain systems could make re-verification mandatory for actions such as transferring funds or changing settings.

Also, biometrics could be used to establish whether it’s the same person continuing the session or an impersonator in possession of stolen credentials.
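
The re-verification idea above, sketched as an added example (not code from any product or company named in this article): a session cookie alone covers routine requests, but a sensitive action needs a fresh challenge signed by a key that never leaves the device. The Ed25519 key pair standing in for a passkey, the user, cookie value, action names and function names are all assumptions made for illustration; publishing the public key on a blockchain is not modelled.

```javascript
const nodeCrypto = require('node:crypto');

// Enrollment (constructed): the device makes a key pair; only the public key leaves it.
const device = nodeCrypto.generateKeyPairSync('ed25519');
const server = {
  publicKeys: new Map([['alice', device.publicKey]]), // no secret stored server-side
  sessions: new Map([['cookie-abc123', 'alice']]),    // constructed session cookie
  pending: new Map(),                                 // outstanding one-time challenges
};
const SENSITIVE = new Set(['transfer_funds', 'change_settings']);

// Server: the cookie alone covers routine actions; sensitive ones get a fresh challenge.
function requestAction(cookie, action) {
  const user = server.sessions.get(cookie);
  if (!user) return { status: 'denied' };
  if (!SENSITIVE.has(action)) return { status: 'ok' };
  const nonce = nodeCrypto.randomBytes(32).toString('hex');
  server.pending.set(nonce, { user, action, expires: Date.now() + 60000 });
  return { status: 'challenge', nonce };
}

// Device: signs the nonce together with the action it is approving.
function signChallenge(privateKey, nonce, action) {
  return nodeCrypto.sign(null, Buffer.from(`${nonce}|${action}`), privateKey);
}

// Server: checks the signature against the enrolled public key; each nonce works once.
function confirmAction(cookie, nonce, signature) {
  const user = server.sessions.get(cookie);
  const entry = server.pending.get(nonce);
  server.pending.delete(nonce);
  if (!user || !entry || entry.user !== user || Date.now() > entry.expires) return false;
  const message = Buffer.from(`${nonce}|${entry.action}`);
  return nodeCrypto.verify(null, message, server.publicKeys.get(user), signature);
}

function demo() {
  const cookie = 'cookie-abc123';
  const browse = requestAction(cookie, 'view_balance').status;
  const c1 = requestAction(cookie, 'transfer_funds');
  const sig = signChallenge(device.privateKey, c1.nonce, 'transfer_funds');
  const legit = confirmAction(cookie, c1.nonce, sig);
  const replay = confirmAction(cookie, c1.nonce, sig); // nonce already consumed
  // Someone holding only the copied cookie has no enrolled key to sign with.
  const otherKey = nodeCrypto.generateKeyPairSync('ed25519').privateKey;
  const c2 = requestAction(cookie, 'transfer_funds');
  const cookieOnly = confirmAction(cookie, c2.nonce, signChallenge(otherKey, c2.nonce, 'transfer_funds'));
  return { browse, legit, replay, cookieOnly };
}
console.log(demo());
```

The routine request still succeeds on the cookie alone, which is the gap the quote about session verification points at; only the actions placed behind the signed challenge are protected.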

What India Should Do

With platforms like Aadhaar and UPI becoming part of daily life, there’s a need to explore sovereign identity systems where users store digital IDs on their own devices and share only what’s needed.

Here’s how we can start:

  • Encourage passkey logins authenticated by your phone’s biometric systems.
  • Keep biometric data on a personal device — not on blockchain or in central servers — to protect privacy.
  • Remind users to stay alert: never take screenshots of passkey codes, avoid clicking suspicious links, and use secure devices.

Final Words

The recent breach of 16 billion credentials did not just expose passwords, but also laid bare a vulnerable model of digital identity. It’s time we realised that digital security needs to be a few steps ahead of the sophistication of modern cyberattacks.

Blockchain could certainly help with that by giving us the tools to build a more secure system where users have greater control. Although it’s not yet widely deployed, it’s essential for a country like India, where digital growth is rapid and widespread.

We live in a time where stealing a session cookie is enough to steal your life online, and blockchain might be one of the most effective ways to ensure individual data protection.

Still, it needs to be kept in mind that blockchain won’t fix everything overnight. Once control comes back to users, it will be their individual responsibility to safeguard it.


This series is brought to you in partnership with Algorand.
