At its peak (March–August 2021), this channel had over 200,000 members. They posted fresh cookies every 30 minutes. The channel was finally nuked by Telegram in December 2021 after complaints from Disney+ legal.
Some cookies contained more than just a session ID. Poorly coded websites stored usernames, email addresses, and even partial payment data in cookies. Malicious actors would use these to perform "account takeover." premium account cookies 2021
In 2021, the term "Premium Account Cookies" referred to text files extracted from a legitimate user’s web browser after they logged into a premium service. These cookies, which contain session tokens, were subsequently exported into another user's browser. This action "spoofed" the legitimate user's identity, granting the unauthorized user full access to the premium account without requiring a username, password, or Two-Factor Authentication (2FA) code. At its peak (March–August 2021), this channel had
Unlike traditional credential stuffing (which uses username/password pairs), cookie spoofing utilized active session data. This made the attack harder to detect, as the traffic appeared to originate from a trusted, logged-in device. Some cookies contained more than just a session ID
By late 2021, major tech companies began aggressively countering the cookie-spoofing vector:
