Multi-factor authentication is important.
Every company should use it.
But data breach monitoring has exposed a dangerous truth. MFA alone does not protect a company from modern identity-based attacks.
Many companies assume that once MFA is enabled, stolen credentials are no longer a serious risk. That assumption is wrong.
MFA can stop many attacks, but it does not stop every path into an account. Modern attackers no longer rely only on usernames and passwords. They use infostealers, stolen session cookies, and authentication tokens to get around the login process completely.
That means a company can have MFA everywhere and still be exposed.
MFA protects the login, not every session
MFA is designed to strengthen authentication.
When a user logs in, they need something beyond a password. That might be a code, a push approval, a hardware key, or a passkey.
This makes phishing and password reuse harder for attackers.
But MFA usually protects the login moment. It does not automatically protect every active session after login.
Once a user successfully logs in, the application often creates a session. That session is stored in the browser using cookies or tokens. These session artifacts tell the application, “this user is already authenticated.”
Attackers know this.
Instead of trying to beat MFA directly, they often try to steal the session itself.
What are infostealers?
Infostealers are a type of malware built to steal data from infected devices.
They are not rare or primitive. They are sold like commercial software, with dashboards, subscription plans, support channels, and feature updates. Lunar’s research describes infostealers as an industrial-scale operation, with families such as LummaC2, Rhadamanthys, RedLine, Vidar, and Acreed collecting credentials, cookies, tokens, and device fingerprints at scale.
A user can get infected through a fake browser update, a cracked application, a malicious ad, a rogue browser extension, a fake CAPTCHA, or a compromised open-source package.
Once installed, the infostealer quietly collects sensitive data from the browser and the device.
This can include:
Passwords
Saved browser logins
Session cookies
Authentication tokens
Autofill data
VPN credentials
Messaging tokens
Crypto wallets
Device identifiers
Malware family and infection metadata
The attacker then packages this data into a stealer log and sells or shares it through underground markets, Telegram channels, and forums.
The company may never see a direct attack on its infrastructure. The compromise can happen on an employee’s personal laptop, a contractor’s device, or an unmanaged machine used to access business applications.
Why session cookies are so dangerous
A session cookie is what keeps a user logged in after authentication.
When you open a SaaS application and do not need to log in again, a session cookie is usually part of the reason.
That is convenient for users.
It is also valuable for attackers.
If an attacker steals a valid session cookie, they may be able to load it into their own browser and appear as the already authenticated user. In that case, the attacker may not need the password. They may not trigger an MFA challenge. They may not even create the kind of suspicious login event that security teams expect to see.
Lunar’s research states this clearly. Modern infostealers can bypass MFA by stealing cookies and session tokens. When attackers load a stolen session cookie into their own browser, they can often gain access without a login page, password prompt, MFA challenge, or obvious authentication trace.
This is the core problem.
MFA can be working exactly as designed, and the attacker can still get in.
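Because a replayed cookie produces no login event, detection has to look at how a session is used after login. The sketch below is an added example, not code from Lunar or from the original article; the event format, field names and sample events are constructed for illustration.

```python
import ipaddress

# Constructed sample of application access events (not real data):
# (time, event, session id, client IP, user agent)
SAMPLE_EVENTS = [
    ("09:00:01", "login_mfa_ok", "s-1", "198.51.100.10", "Firefox/128 Windows"),
    ("09:05:12", "request", "s-1", "198.51.100.10", "Firefox/128 Windows"),
    ("09:06:40", "request", "s-1", "198.51.100.77", "Firefox/128 Windows"),
    ("11:42:03", "request", "s-1", "203.0.113.50", "Chrome/126 Linux"),
    ("11:43:10", "login_mfa_ok", "s-2", "192.0.2.8", "Safari/17 macOS"),
    ("11:44:00", "request", "s-2", "192.0.2.8", "Safari/17 macOS"),
]


def network(ip, prefix=24):
    """Coarse client location: the /24 the address falls in (hypothetical choice)."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def find_session_reuse(events):
    """Flag requests whose client context differs from the one that logged in."""
    origin = {}   # session id -> (network, user agent) seen at login
    alerts = []
    for time, event, sid, ip, agent in events:
        if event == "login_mfa_ok":
            origin[sid] = (network(ip), agent)
            continue
        if sid not in origin:
            alerts.append((time, sid, "session used with no login on record"))
            continue
        net, login_agent = origin[sid]
        reasons = []
        if network(ip) != net:
            reasons.append("new network")
        if agent != login_agent:
            reasons.append("new user agent")
        if reasons:
            alerts.append((time, sid, " and ".join(reasons)))
    return alerts
```

A context change is a signal to require step-up authentication or expire the session, not proof of theft: roaming users change networks, and stealer logs can include device fingerprints that let a replayed session look familiar.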
The false sense of security
Many companies believe they are protected because MFA is widely deployed.
The data shows why this confidence is risky.
According to Lunar’s report, 78% of organizations have MFA enabled on nearly all or most critical accounts. Another 15% cover some critical systems. Yet 42.9% of respondents say they are very confident that MFA largely solves the credential theft problem.
That confidence does not match the threat.
The same report found that 72% of organizations are aware of session-token theft and cookie-based MFA bypass. But only 37% monitor for exposed credentials daily or weekly. Monthly or occasional checks leave a large window for attackers to act.
This is the fallacy.
Knowing about MFA bypass is not the same as defending against it.
How a breach can happen even with MFA
A typical attack can look like this.
An employee installs a fake update on a personal device.
An infostealer runs in the background.
It collects saved credentials, browser cookies, and session tokens.
The stolen log is uploaded to a Telegram channel or underground marketplace.
An attacker buys the log.
The attacker uses the stolen session cookie to access a business application.
There is no normal login.
There is no password prompt.
There is no MFA challenge.
The attacker is now inside the account.
From there, they can read data, change settings, access cloud services, move laterally, or prepare a larger attack.
This is why MFA should be treated as one layer of defense, not the whole defense.
Password resets are not always enough
When a company discovers exposed credentials, the usual response is to reset the password.
That is useful.
But it may not be enough.
If the attacker has an active session cookie, changing the password may not immediately invalidate every active session. The attacker may still have access until the session expires or is explicitly revoked.
That is why breach response must include session invalidation.
Security teams need to know whether a compromise includes only a password, or whether it also includes session cookies and tokens. The response should be different.
For a leaked password, reset the password.
For a leaked session, revoke the session.
For an infected device, investigate the endpoint.
For a privileged account, escalate immediately.
For a customer or external user, trigger a risk-based workflow.
This requires more than generic breach monitoring.
It requires context.
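The difference between resetting a password and revoking a session, shown as an added example that is not code from Lunar or from the original article. `SessionStore`, `bind_to_credentials`, `respond` and the finding fields are hypothetical names: the store is a toy in-memory model, and `respond` applies the response steps listed above to one constructed finding.

```python
# Added illustration; all names here are hypothetical.
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    # When True, a session dies as soon as the user's credentials change.
    bind_to_credentials: bool = False
    cred_version: dict = field(default_factory=dict)  # user -> int
    sessions: dict = field(default_factory=dict)      # sid -> (user, version)

    def login(self, user):
        """Issue a session; assumes password and MFA were already verified."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (user, self.cred_version.setdefault(user, 0))
        return sid

    def is_valid(self, sid):
        if sid not in self.sessions:
            return False
        user, version = self.sessions[sid]
        return not self.bind_to_credentials or version == self.cred_version[user]

    def reset_password(self, user):
        # Only the credential changes; session records are left untouched.
        self.cred_version[user] = self.cred_version.get(user, 0) + 1

    def revoke_sessions(self, user):
        stale = [s for s, (u, _) in self.sessions.items() if u == user]
        for sid in stale:
            del self.sessions[sid]
        return len(stale)


def respond(store, finding):
    """Apply the response steps above to one exposure finding (a dict)."""
    actions, user = [], finding["user"]
    if finding.get("password_leaked"):
        store.reset_password(user)
        actions.append("reset_password")
    if finding.get("session_leaked"):
        store.revoke_sessions(user)
        actions.append("revoke_sessions")
    if finding.get("infostealer"):
        actions.append("investigate_endpoint")
    if finding.get("privileged"):
        actions.append("escalate")
    return actions
```

With the default store, a session issued before `reset_password` still passes `is_valid` until `revoke_sessions` runs; with `bind_to_credentials=True`, the reset alone invalidates it.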
Why traditional breach monitoring is not enough
Old breach monitoring was mostly about finding emails and passwords in leaked databases.
That still matters.
But modern identity attacks are faster and more complex.
Lunar’s 2025 report observed more than 4.16 billion stolen-credential records across infostealer logs and related sources. It also found that logs move constantly through Telegram channels, marketplaces, and forums. Monthly or ad hoc checks often detect exposures after attackers have had time to act.
Traditional tools often miss the most important details.
Was the credential stolen by infostealer malware?
Was the affected device corporate or personal?
Was a session cookie included?
Which application was exposed?
Is the affected account privileged?
Should the company reset a password, revoke a session, or investigate a device?
Without that context, teams either move too slowly or chase too much noise.
How Lunar helps companies protect themselves for free
Lunar was built for this exact problem.
It gives companies free visibility into exposure connected to their verified domains. The platform monitors infostealer logs, database breaches, combo lists, and leaked cookies and sessions, then brings relevant findings into a single events feed.
The idea is simple.
If data connected to your organization is compromised, you should know.
Lunar gives companies access to breach visibility at no cost. There are no trials, contracts, or hidden requirements for seeing exposure tied to a verified domain.
This matters because many companies do not have large security teams or expensive threat intelligence budgets. Smaller companies face the same infostealer risk as enterprises, but often have fewer tools to detect it.
Lunar changes that.
Free session cookie monitoring
One of Lunar’s most important capabilities is cookie monitoring.
Lunar monitors leaked session cookies tied to company assets and helps teams identify high-risk stolen session data. This allows organizations to invalidate exposed sessions before attackers use them.
This is not just another breach alert.
It is visibility into one of the main ways attackers bypass MFA.
Lunar’s cookie monitoring helps teams:
See which active sessions may be exposed
Connect leaked cookies to users and applications
Focus on high-risk session artifacts
Assess exposure using context such as domains, timestamps, and device indicators
Decide whether to expire sessions, require step-up authentication, or take stronger action
Feed alerts into SIEM, SOAR, and incident response workflows
Lunar makes this capability available to both community and Pro customers.
Lunar adds the context teams need
A list of leaked emails is not enough.
Security teams need to know what happened and what to do next.
Lunar provides forensic context such as malware paths, hardware IDs, malware families, and stolen session data. This helps analysts decide whether an exposure is real, urgent, and connected to a device or user that matters.
This context turns breach monitoring into a response workflow.
Instead of asking, “Was this email leaked?”, the security team can ask better questions.
Was this tied to an infostealer?
Was a session stolen?
Was the device infected?
Is this a high-value account?
Can we revoke access now?
Do we need to investigate the endpoint?
That is how companies reduce the time between exposure and response.
MFA is still necessary, but it is not sufficient
The lesson is not to remove MFA.
The lesson is to stop treating MFA as the final answer.
A strong security program should include MFA, but it should also monitor for the ways attackers bypass MFA.
That means watching for stolen credentials, stolen cookies, stolen session tokens, and infostealer logs. It means connecting external exposure to internal identity systems. It means revoking sessions when sessions are exposed. It means investigating infected devices, not only resetting passwords.
MFA protects the front door.
Infostealers steal the keys after the user is already inside.
Lunar helps companies see when those keys are being traded.
The bottom line
The belief that MFA alone will protect a company from a data breach is a dangerous fallacy.
MFA reduces risk, but it does not eliminate stolen credential risk. It does not stop infostealers from collecting browser data. It does not automatically invalidate stolen session cookies. It does not tell a company when its users’ access is being sold in underground markets.
Modern breach prevention needs visibility beyond the login screen.
Lunar gives companies that visibility for free.
It helps them detect exposed credentials, infostealer logs, leaked cookies, and compromised sessions tied to their verified domains. It helps them understand what is exposed, why it matters, and what action to take.
In a world where attackers can bypass MFA by stealing sessions, the companies that win will be the ones that see exposure early and respond fast.

