New Hacking Threat Could Steal Your Accounts And Passwords - Even Through 2FA
Researchers from cybersecurity firm Varonis have discovered an infostealer that collects browser credentials, including accounts and passwords, session cookies, and crypto wallets. An infostealer is a form of malware designed to gather sensitive data and send it to a remote attacker. If that data is decrypted, the attacker can utilize it. Information stealers have been around since the mid-2000s, but this new strain, called Storm, employs a unique method that even allows attackers to access Google account tokens, two-factor authentication codes, and more.
Conventional information-stealing malware is one of the most common ways passwords are stolen, and it does most of its work locally, on the user's infected machine. It loads compromised SQLite libraries (SQLite is an embedded database engine that many applications rely on) and reads the stored account information that way. This approach is common and easily detected by endpoint security tools. Google changed this when it introduced App-Bound Encryption in Chrome 127 in July 2024. As Varonis explains, encryption keys were tied to the Chrome browser, which "made local decryption even harder."
Malware grew more sophisticated as a result, but the "first wave" of upgrades injected malicious code into Chrome or took advantage of its debugging protocols, which still left detectable traces for security tools. Enter Storm. Now, locally collected data — still encrypted — is sent to proprietary infrastructure. After a machine is infected, attackers collect what they need to restore hijacked sessions remotely. Saved passwords, session cookies, form autofill data, Google account tokens, credit card data, browsing histories, and even documents from user directories and popular apps are all gathered. And because the data is decrypted server-side, Storm is undetectable by many endpoint security tools.
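Because Storm moves decryption off the host, the events that remain observable locally are a non-browser process reading the browser's encrypted credential stores and then shipping them out. The following is an added defender-side example, not code from the article or from Varonis: a small correlation check over constructed file-read and network events that flags exactly that sequence. Process names, file paths and addresses in the sample are constructed.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Files in Chromium and Gecko (Firefox) profiles that hold the encrypted
# passwords, cookies and autofill data the article describes.
CREDENTIAL_STORES = {"Login Data", "Cookies", "Web Data",
                     "logins.json", "cookies.sqlite", "key4.db"}
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}
EXFIL_WINDOW_SECONDS = 120  # assumed tuning value, not from the article


@dataclass
class Event:
    ts: int        # seconds since epoch (constructed telemetry)
    kind: str      # "file_read" or "net_connect"
    process: str   # image name of the acting process
    target: str    # file path for reads, remote host:port for connects


def touches_credential_store(path: str) -> bool:
    """True if the path is a credential store inside a browser profile dir."""
    p = PureWindowsPath(path)
    return p.name in CREDENTIAL_STORES and ("User Data" in p.parts or "Profiles" in p.parts)


def find_suspicious(events):
    """Flag a non-browser process that reads a credential store and then opens
    a network connection within EXFIL_WINDOW_SECONDS: the read-then-exfiltrate
    pattern left behind when decryption happens server-side."""
    last_read = {}   # process -> (ts, path) of its most recent store read
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        proc = ev.process.lower()
        if proc in BROWSER_PROCESSES:
            continue  # the browser itself legitimately reads its own stores
        if ev.kind == "file_read" and touches_credential_store(ev.target):
            last_read[proc] = (ev.ts, ev.target)
        elif ev.kind == "net_connect" and proc in last_read:
            read_ts, path = last_read.pop(proc)
            if ev.ts - read_ts <= EXFIL_WINDOW_SECONDS:
                alerts.append((proc, path, ev.target))
    return alerts


SAMPLE_EVENTS = [  # constructed sample, not real telemetry
    Event(1000, "file_read", "chrome.exe", r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(1005, "file_read", "updater.exe", r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(1007, "file_read", "updater.exe", r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    Event(1030, "net_connect", "updater.exe", "203.0.113.10:443"),
    Event(1100, "file_read", "backup.exe", r"C:\Users\a\Documents\notes.txt"),
    Event(1105, "net_connect", "backup.exe", "192.0.2.5:443"),
]
```

Run against the sample, only `updater.exe` is flagged: `backup.exe` also egresses but never touched a credential store, and the browser's own reads are ignored.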
What else can Storm do that makes it sophisticated?
Storm "handles" both Chromium- and Gecko-based browsers, like Firefox or Pale Moon, server-side. That means the stolen information is sent to a remote server, allowing the attacker to remain essentially hidden from endpoint tools, which are designed to detect conventional on-device decryption. Because the stolen data is routed through servers and platforms the attackers manage, they're effectively protected from takedown attempts.
Storm also automates part of the logging process after decryption, making it easier to reference a victim's authenticated session, and it makes the decryption process much faster. This is all a gross oversimplification, of course, to keep the information digestible, but Storm is a highly advanced infostealer that can collect information most malware tools cannot. It's not just a clever social engineering hack or a typosquatting trick hackers use to steal sensitive information.
Varonis says Storm is available for less than $1,000 per month, making it fairly accessible to remote attackers. The firm also discovered many instances of it being used to steal financial, social media, and cryptocurrency credentials across multiple countries, including the U.S. Key defenses for the average user include clearing browser cookies regularly — set it to happen on a schedule if possible — avoiding suspicious downloads and websites, using password management tools like Bitwarden, and finally, keeping all your security tools up to date and scanning regularly. Hackers are turning AI into a super weapon to build malicious code, so there's no such thing as being overprotective.