FBI Issues Urgent Alert: Hackers Bypass Multi-Factor Authentication to Access Email Accounts
By Bryan Simmons,
Senior Reporter, The Midtown Times
Cybercriminals Finding Ways to Infiltrate Email Accounts
The FBI has issued a new alert warning that cybercriminals are finding ways to infiltrate email accounts secured with multi-factor authentication (MFA), including popular services like Gmail, Outlook, AOL, and Yahoo. Attackers reportedly employ tactics that trick users into clicking on phishing links or visiting suspicious websites that install malicious software.
A primary strategy used in these attacks is “cookie theft.” Unlike tracking cookies that store browsing information, these “session” or “remember me” cookies keep a user signed in after a successful login to simplify future access. Because the cookie stands in for a completed login, cybercriminals who capture it can access the account without needing usernames, passwords, or even MFA codes.
According to the FBI and Google, any email service with web-based login options may be at risk of cookie-based attacks. However, Gmail, Outlook, Yahoo, and AOL users are particularly vulnerable. While some financial websites have implemented extra layers of security, email services remain highly targeted.
Google acknowledges that session cookies are integral to a seamless web experience, yet they have become an attractive target for hackers. When users select the “Remember this device” option, a session cookie is generated, potentially allowing unauthorized access if stolen. Google is actively developing new protections to link cookies to specific devices, which would render stolen cookies useless, though these measures are still in the works.
To help protect against these risks, the FBI advises users to regularly clear their cookies, use caution with “Remember Me” options, avoid suspicious links, and periodically review their account login histories. The FBI also encourages victims of cybercrime to report incidents through its Internet Crime Complaint Center (IC3).
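The login-history review recommended above can also be run on the service side. The following is an added example, not taken from the FBI alert or from any provider: it flags a session cookie that is presented from a different network and browser than the one that passed MFA. The event schema, field names, and sample log lines are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Event:          # hypothetical log schema, not any provider's real format
    ts: str           # ISO 8601 UTC, so string order equals time order
    session_id: str
    kind: str         # "mfa_login" or "request"
    ip: str
    user_agent: str

def network(ip):
    # Compare /24 networks so address churn inside one network is ignored.
    return ip_network(f"{ip}/24", strict=False)

def find_replayed_sessions(events):
    """Return (session_id, ts, reason) for requests whose client context
    differs from the one in which the session passed MFA."""
    origin, findings = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "mfa_login":
            origin[ev.session_id] = ev
            continue
        first = origin.get(ev.session_id)
        if first is None:
            findings.append((ev.session_id, ev.ts, "no MFA login on record"))
        elif (network(ev.ip) != network(first.ip)
              and ev.user_agent != first.user_agent):
            # A user-agent can be forged, so this is a heuristic, not proof.
            findings.append((ev.session_id, ev.ts, "new network and new browser"))
    return findings

# Constructed sample log (documentation-range IP addresses).
SAMPLE_LOG = [
    Event("2024-11-01T08:00:00Z", "sess-A", "mfa_login", "192.0.2.10", "Firefox/131 Windows"),
    Event("2024-11-01T08:05:00Z", "sess-A", "request", "192.0.2.10", "Firefox/131 Windows"),
    Event("2024-11-01T08:30:00Z", "sess-A", "request", "192.0.2.77", "Firefox/131 Windows"),
    Event("2024-11-01T09:00:00Z", "sess-B", "mfa_login", "198.51.100.4", "Safari/17 macOS"),
    Event("2024-11-01T09:10:00Z", "sess-A", "request", "203.0.113.5", "Chrome/130 Linux"),
    Event("2024-11-01T09:40:00Z", "sess-B", "request", "203.0.113.9", "Safari/17 macOS"),
]

if __name__ == "__main__":
    for finding in find_replayed_sessions(SAMPLE_LOG):
        print(finding)
```

A network change alone is not flagged here, since the same browser moving between networks is ordinary behavior for a laptop or phone.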
Despite the challenges surrounding MFA breaches, the FBI stresses that MFA remains a strong security measure, with any form of MFA being better than none. However, passkeys—credentials tied to a secure device like a physical security key—provide an even stronger defense. Awareness of passkeys has been rising, growing from 39% in 2022 to 57% in 2024, according to the FIDO Alliance. Passkeys enhance security by requiring access to a user’s secure device, making unauthorized access much more difficult.
The FIDO Alliance report also reveals that 42% of users, particularly younger individuals, abandon purchases due to forgotten passwords. Passkeys offer a simplified alternative, often linked with biometric security, reducing reliance on traditional passwords.
To promote the adoption of passkeys among businesses, the FIDO Alliance has introduced draft specifications to facilitate transferring credentials across platforms, aiming to lessen the dependency on passwords and enhance security for both individuals and organizations. This initiative seeks to make passkeys a universal standard, addressing one of the biggest vulnerabilities in online security today.
Advantages
Key Insight 1
Staying secure online is crucial. Here’s a critical point: Understanding the cybersecurity landscape empowers you to navigate safely. Always be aware of potential threats that could compromise your information.
Key Insight 2
Another vital aspect is maintaining software updates. Regular updates patch security flaws, making your devices less vulnerable to attacks. It’s essential for every user to stay proactive about their software health.
Key Insight 3
Phishing attacks are prevalent; awareness is your shield. Being able to identify malicious communications is one of the most effective defenses against cybercrime.
Key Insight 4
Creating strong, unique passwords is non-negotiable. They should combine different types of characters so that they are difficult for unauthorized users to guess. A password manager can help.