Token Theft
❓ What is Token Theft?
Token theft is an attack where an adversary steals a valid authentication or session token — such as a JWT, OAuth access token, or session cookie — and uses it to impersonate the legitimate user without needing their password or passing MFA.
⚙️ How Does It Work?
Tokens are stolen through adversary-in-the-middle (AiTM) phishing proxies that relay the real login, MFA step included, and capture the session cookie the identity provider sets; cross-site scripting (XSS) that reads tokens from script-accessible storage; infostealer malware and compromised endpoints that lift browser cookies and token caches from disk or memory; and insecure storage such as tokens written to logs, URLs or local storage. The attacker then replays the token from their own machine. Because a token is proof that authentication already happened, the password and MFA checks are never re-run: the token itself is the credential. Defences therefore target the token rather than the login: short access-token lifetimes with revocable refresh tokens, HttpOnly/Secure/SameSite cookie attributes, binding the token to a client key or TLS session (DPoP, mTLS, device-bound session credentials), and detecting replay from a new device, IP address or location.
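The difference between a plain bearer token and a key-bound one is easiest to see in code. The following is an added example, not code from the original page: a stdlib-only Python model of a token issuer with two verifiers. The bearer verifier accepts a stolen token from anywhere, which is exactly what token theft relies on. The bound verifier, modelled loosely on DPoP and device-bound session credentials, also requires a proof of possession from a key that never left the device, tied to the request and usable once. The server secret, the device-key registry, the HMAC-based proof format and the example URLs are constructed assumptions; real deployments use asymmetric keys, so the server verifies the proof with the client's public key instead of a registry.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Server signing secret, constructed for this example (never hard-code one in production).
SERVER_SECRET = secrets.token_bytes(32)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret, subject, ttl=3600, key_thumbprint=None, now=None):
    """Compact HMAC-signed token. With key_thumbprint set, a cnf (confirmation)
    claim binds the token to one client key; without it, the token is pure bearer."""
    now = int(time.time() if now is None else now)
    payload = {"sub": subject, "iat": now, "exp": now + ttl}
    if key_thumbprint:
        payload["cnf"] = key_thumbprint
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def _decode(secret, token, now):
    """Check signature and expiry; return the payload or None."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        payload = json.loads(_unb64(body))
    except ValueError:  # malformed base64 or JSON
        return None
    return payload if payload.get("exp", 0) > now else None


def verify_bearer(secret, token, now=None):
    """Bearer semantics: whoever presents a valid token is the subject.
    No password or MFA is re-checked, so a replayed stolen token passes."""
    payload = _decode(secret, token, int(time.time() if now is None else now))
    return payload["sub"] if payload else None


def key_thumbprint(client_key: bytes) -> str:
    return _b64(hashlib.sha256(client_key).digest())


def _proof_message(token, method, url, ts, jti):
    # Proof covers the request and a hash of the token, so it cannot be retargeted.
    return f"{method}|{url}|{ts}|{jti}|{hashlib.sha256(token.encode()).hexdigest()}".encode()


def make_proof(client_key, token, method, url, now=None):
    """Client side: sign this request with the device key (assumed non-exportable)."""
    ts = int(time.time() if now is None else now)
    jti = secrets.token_hex(8)
    mac = hmac.new(client_key, _proof_message(token, method, url, ts, jti), hashlib.sha256).digest()
    return {"ts": ts, "jti": jti, "mac": _b64(mac)}


def verify_bound(secret, token, proof, method, url, key_registry, seen_jti, now=None, max_skew=60):
    """Bound semantics: token plus a fresh, single-use proof from the key in cnf."""
    now = int(time.time() if now is None else now)
    payload = _decode(secret, token, now)
    if not payload or "cnf" not in payload:
        return None
    client_key = key_registry.get(payload["cnf"])  # stands in for public-key lookup
    if client_key is None or abs(now - proof["ts"]) > max_skew or proof["jti"] in seen_jti:
        return None
    expected = hmac.new(client_key, _proof_message(token, method, url, proof["ts"], proof["jti"]), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(proof["mac"])):
        return None
    seen_jti.add(proof["jti"])
    return payload["sub"]


def demo():
    """Replay a stolen bearer token and a stolen bound token; return the outcomes."""
    now, url, results = 1_700_000_000, "https://api.example.test/me", {}
    alice_key = secrets.token_bytes(32)  # device key registered at enrollment
    registry, seen = {key_thumbprint(alice_key): alice_key}, set()

    # 1. Bearer token captured by an AiTM proxy or XSS payload, replayed by the attacker.
    bearer = issue_token(SERVER_SECRET, "alice", now=now)
    results["bearer_replay_from_attacker"] = verify_bearer(SERVER_SECRET, bearer, now=now + 5)
    results["bearer_expired"] = verify_bearer(SERVER_SECRET, bearer, now=now + 3601)

    # 2. Bound token captured the same way; the device key was not.
    bound = issue_token(SERVER_SECRET, "alice", key_thumbprint=key_thumbprint(alice_key), now=now)
    good = make_proof(alice_key, bound, "GET", url, now=now + 5)
    results["bound_legit_client"] = verify_bound(SERVER_SECRET, bound, good, "GET", url, registry, seen, now=now + 5)
    forged = make_proof(secrets.token_bytes(32), bound, "GET", url, now=now + 10)
    results["bound_attacker_own_key"] = verify_bound(SERVER_SECRET, bound, forged, "GET", url, registry, seen, now=now + 10)
    results["bound_proof_other_url"] = verify_bound(SERVER_SECRET, bound, good, "POST", url + "/transfer", registry, seen, now=now + 10)
    results["bound_replayed_proof"] = verify_bound(SERVER_SECRET, bound, good, "GET", url, registry, seen, now=now + 10)
    # A bound token still passes an endpoint that only checks bearer semantics.
    results["bound_token_at_bearer_only_endpoint"] = verify_bearer(SERVER_SECRET, bound, now=now + 5)
    return results
```

The last result is the practical caveat: binding only helps if every resource server enforces it, since a token with a cnf claim is still a valid bearer token to an endpoint that ignores the claim. The jti set is an in-memory stand-in for a short-lived replay cache.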
📍 Where Is It Used?
Any environment that authenticates with bearer tokens or session cookies: web applications, REST and GraphQL APIs, SSO and federation flows (SAML assertions, OIDC ID tokens, OAuth access and refresh tokens), and cloud control planes and CLIs that cache credentials on the endpoint.
💡 Real-World Example
🔗 Related Terms