Session hijacking occurs when a cybercriminal gains unauthorised access to your active session with a website or online service. Once you log into your email, bank, or social media account, your device establishes a session with the server. This session is typically maintained via a session cookie or token. If an attacker intercepts or steals this identifier, they can use it to act as you without ever needing your actual password.
Common hijacking methods include:
- Network interception: Attackers on unsecured Wi-Fi networks capture unencrypted session data
- Cross-site scripting (XSS): Malicious code on a compromised website steals cookies from your browser
- Man-in-the-middle attacks: Someone positioned between you and a server intercepts your connection
- Malware: Software on your device reads session files directly
Why it matters: Once hijacked, attackers access your account without triggering password change alerts. They can send messages, make purchases, change settings, or steal sensitive data. You may not notice for hours or days. The damage is often more severe than a password breach because your normal security questions and recovery methods offer no protection against an attacker who is already inside your session.
Reduce your risk by using HTTPS-only connections (look for the padlock icon), enabling two-factor authentication, avoiding public Wi-Fi for sensitive transactions, keeping your browser and antivirus software updated, and logging out of important accounts when finished. Banks and reputable services now use session timeouts and automatic re-authentication to limit exposure windows.
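To show what the service-side safeguards mentioned above look like in practice, here is an added example (not code from the original article) of a minimal server-side session store: it issues unguessable tokens, sets the cookie flags that blunt network sniffing and XSS theft, enforces an idle timeout and an absolute lifetime, and revokes a session when a valid token arrives from a different client context. The client fingerprint (`client_fp`) and the timeout values are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before re-authentication is required
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap on a session's age, regardless of activity


class SessionStore:
    """Server-side session table: opaque random tokens bound to the client that logged in."""

    def __init__(self, clock=time.time):
        self._sessions = {}  # token -> {"user", "fp", "created", "seen"}
        self._clock = clock  # injectable so timeouts can be exercised without sleeping

    def create(self, user, client_fp):
        # client_fp is assumed to be an ASCII hash of stable request attributes (e.g. User-Agent).
        token = secrets.token_urlsafe(32)  # 256 random bits: not guessable or enumerable
        now = self._clock()
        self._sessions[token] = {"user": user, "fp": client_fp, "created": now, "seen": now}
        return token

    @staticmethod
    def cookie_header(token):
        # Secure: never sent in plaintext, so sniffing on open Wi-Fi yields nothing usable.
        # HttpOnly: page scripts cannot read it, so XSS cannot simply read the cookie out.
        # SameSite=Strict: the browser omits it from cross-site requests.
        return (f"Set-Cookie: sid={token}; Secure; HttpOnly; SameSite=Strict; "
                f"Path=/; Max-Age={ABSOLUTE_LIFETIME}")

    def validate(self, token, client_fp):
        """Return (user, 'ok') or (None, reason); anything but 'ok' means log in again."""
        s = self._sessions.get(token)
        if s is None:
            return None, "unknown"
        now = self._clock()
        if now - s["created"] > ABSOLUTE_LIFETIME:
            return self.revoke(token, "expired")
        if now - s["seen"] > IDLE_TIMEOUT:
            return self.revoke(token, "idle_timeout")
        if not hmac.compare_digest(s["fp"], client_fp):
            # A valid token arriving from a different client is the hijack signature:
            # revoking server-side stops the stolen copy working as well.
            return self.revoke(token, "context_mismatch")
        s["seen"] = now
        return s["user"], "ok"

    def revoke(self, token, reason="revoked"):
        self._sessions.pop(token, None)
        return None, reason
```

Revocation happens on the server, which is why logging out matters: clearing the cookie in your own browser does nothing to a copy an attacker has already captured, but invalidating the session entry kills both.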
