Google’s urgent security alert on December 10, 2025, revealed over 5,100 cases of account takeover fraud since January, with losses exceeding $262 million. The vulnerability stems from Chrome Sync, which centralizes passwords, payment details, addresses, and Google Pay data in one cloud-accessible repository, exposing users when credentials or session cookies are stolen.
Infostealer Malware Surge
Email-delivered infostealer malware rose 84% in 2024 over 2023, fueling automated credential theft. Variants like Lumma, RisePro, Vidar, and AgentTesla capture login details, financial information, and session cookies, which attackers sell on underground markets through malware-as-a-service subscriptions ranging from $100 monthly for basic variants like RedLine to $250-$1,000 for premium versions such as Lumma. IBM X-Force’s 2025 Threat Intelligence Index noted a 180% increase in such phishing-delivered malware in early 2025 compared to 2023.
Bypassing Multi-Factor Authentication
Stolen session cookies enable attackers to sidestep multi-factor authentication. Token theft accounts for 31% of documented MFA bypasses, according to analysis of breaches involving session cookie theft. These cookies, generated after successful login and MFA, allow reuse on other devices without passwords or codes. Google’s Senior Director of Product Management Andy Wen stated in July 2025 that phishing and credential theft drive 37% of Google account intrusions, with cookie and token theft rising exponentially.
Chrome Sync Vulnerabilities Exposed
Germany’s Federal Office for Information Security (BSI) tested ten password managers and found Chrome Password Manager allows Google access to synced passwords without a separate passphrase. BSI recommends enabling one. Chrome Sync consolidates sensitive data—banking logins, emails, non-Google sites, bookmarks, history, and tabs—into a single point of failure. SquareX researchers detailed “syncjacking” in January 2025, where malicious extensions hijack browsers via background logins, fake updates, and device control, including camera and audio access.
Google’s Defensive Measures
Google launched Device-Bound Session Credentials (DBSC) in open beta on July 30, 2025, binding sessions to devices via Trusted Platform Modules in 60% of Windows and Chrome setups. Stolen cookies fail without the device’s private key. For non-TPM devices, software fallback enhances security. Google Workspace’s September 2025 Shared Signals Framework beta enables real-time session revocation across platforms using OpenID standards.
User Protection Steps
Experts advise disabling Chrome Sync for passwords and payments via Settings > Sync and Google Services > Manage what you sync, and on mobile under Google Account > Sync. Clear prior data at chrome.google.com/sync. For continued sync, set a separate passphrase at chrome://settings/syncSetup with at least 15 characters. Adopt passkeys, which Google says are 40% faster, phishing-resistant, and easier for 64% of users. BSI-approved managers include 1Password, KeePassXC, KeePass2Android, Firefox Password Manager, and Avira. Disable Chrome’s auto-save and use FIDO2 keys like YubiKey over SMS or apps.
These steps counter an infostealer crisis driving 24% of 2024 cyber incidents per Huntress, with 104% detection growth. The FBI highlights social engineering via fake ads and phishing sites mimicking banks. As threats scale, implementing these protections limits exposure across digital ecosystems.
Sources:
Forbes: “Google Confirms ‘Account Takeovers’—Change This Chrome Setting Now” (December 2025)
FBI Internet Crime Complaint Center: Account Takeover Fraud Public Service Announcement (November 2025)
Google Workspace Security Blog: “Defending Against Account Takeovers from Today’s Top Threats: Passkeys and DBSC” (July 2025)
IBM: 2025 Threat Intelligence Index (April 2025)
Germany’s Federal Office for Information Security (BSI): Password Manager Security Testing Report and Recommendations (December 2025)
SquareX Security Research: Browser Syncjacking Attack Technical Disclosure (January 2025)