The Dark Side of Web Apps — Stolen Sessions, Credential Markets, Data Trade

Why "what happens after" matters

Knowing how attackers monetize stolen data shapes your defenses. If you understand that a breach leaks into specific marketplaces with specific buyer profiles, your incident response and threat intelligence work get sharper. This tutorial walks through the post-breach economy for web app data specifically — what's stolen, where it goes, who buys it, and how to monitor for your own exposure.

What gets stolen from web apps — and the resale value

Different data types follow different markets:

Credentials

• Username + password combos — sold in bulk as "combolists." €5-€100 per million records.
• Username + password + email — slightly more valuable. €50-€500 per million.
• Session tokens / JWTs / cookies — even more valuable when fresh, because they bypass MFA. €1-€50 per session, days to weeks of validity.
• OAuth tokens — long-lived, often broad-scoped. €10-€500 per token depending on what they access.

Personally Identifiable Information (PII)

• Email + name — bulk, low value. Used for phishing target lists. €5-€50 per million.
• Email + name + phone — better for vishing/smishing. €50-€500 per million.
• Full identity dossiers — name, DOB, address, government ID number, mother's maiden name. Used for synthetic identity fraud. €10-€100 per record.

Financial data

• Credit card numbers (CVV included) — "CC fullz." €5-€100 per card depending on freshness, country, and card type.
• Bank account credentials — €100-€2,000+ per account depending on balance and country.
• Stripe/PayPal API keys — sold per key, often via automated marketplaces. €100-€5,000.

Business data

• Customer lists from B2B SaaS — used for competitive intelligence or targeted phishing of those customers. Variable, sometimes high (€1k-€100k+ for valuable segments).
• Source code repositories — used to find more vulnerabilities, or sold to competitors. Variable.
• Internal documents, contracts, communications — leveraged for blackmail or sold to interested parties.

The marketplaces

Where stolen data gets sold:

Dark web markets (Tor-hosted)

Traditional marketplaces with reputation systems. Vendors and buyers anonymous to each other but accountable through escrow and reviews. Examples in the last decade: AlphaBay, Hansa, Hydra, Genesis Market, Russian Market.

• Major markets get taken down periodically; new ones replace them
• Specialize in different goods (drugs, credentials, financial, fraud kits)
• Have escrow, reputation systems, customer support

Telegram channels

Increasingly dominant for credential and access trade. Lower bar to participation than Tor. Channels with thousands of subscribers buying/selling/discussing in real time.

• Cheaper to operate than dark web markets
• Faster transactions
• Less protected — law enforcement can join channels
• Often used for "fresh" stolen data before it commoditizes

Specialized forums

Long-running boards (some 15+ years old) where higher-tier criminals meet. Examples: Exploit.in, XSS.is, Verified.

• More vetted membership
• Higher quality data, higher prices
• Used by IABs to advertise high-value accesses

Automated marketplaces

Some platforms automate the whole flow. Buyer searches for compromised accounts at a specific company, pays in crypto, gets credentials delivered automatically. Genesis Market (taken down 2023) was the most famous example. Successors continue to emerge.

What attackers do with web app session cookies specifically

This is worth a dedicated section because it's a common and underestimated attack vector.

How session theft works

1. Attacker compromises a user's browser or device — via malware, MITM on insecure network, or by stealing cookies from a backup
2. Exports session cookies for valuable sites (your SaaS, banking, cloud consoles)
3. Imports them into a fresh browser
4. Now logged in without needing the password OR the MFA code

Tools that automate this: "Cookie Cloner," various stealer malware (RedLine, Vidar, Raccoon), browser extensions sold for the purpose.

Why MFA doesn't help

MFA happens at login. Session cookies represent an already-authenticated session. Once issued, they're trusted until expiry. Attackers buy session cookies specifically to bypass MFA.

Defenses

• Short session lifetimes — 1-24 hours, not days/weeks. Forces fresh authentication.
• Re-auth for sensitive actions — even mid-session, require password re-entry for high-stakes operations.
• Session binding to client characteristics — IP, user agent, TLS fingerprint. Reject sessions when these change.
• Session activity anomaly detection — alert when a session is used from a new location in an unusual pattern.
• Token rotation — issue new session tokens periodically within a session, invalidate old ones.
• Logout = full revocation — server-side session invalidation, not just client-side cookie clearing.
• Step-up auth on sensitive endpoints — /admin/*, password change, payment method change all require fresh authentication.

Django specifics

# settings.py
SESSION_COOKIE_AGE = 60 * 60 * 8           # 8 hours
SESSION_EXPIRE_AT_BROWSER_CLOSE = True     # logout on browser close
SESSION_COOKIE_SECURE = True                # HTTPS only
SESSION_COOKIE_HTTPONLY = True              # No JS access
SESSION_COOKIE_SAMESITE = 'Strict'         # CSRF defense

# Force re-auth for admin actions
from django.contrib.auth.decorators import login_required
from django.contrib.auth.mixins import LoginRequiredMixin

def require_fresh_auth(max_age_seconds=600):
    """Require recent password verification within max_age_seconds."""
    def decorator(view_func):
        def wrapper(request, *args, **kwargs):
            last_auth = request.session.get('last_password_auth')
            if not last_auth or (time.time() - last_auth) > max_age_seconds:
                return redirect(f'/reauth/?next={request.path}')
            return view_func(request, *args, **kwargs)
        return wrapper
    return decorator

@require_fresh_auth(max_age_seconds=300)
def delete_account(request):
    ...

Threat intelligence — monitoring for your own data

If your app gets breached or your users' credentials get harvested elsewhere and tried against you, you want to know early.

Services to subscribe to

• HaveIBeenPwned — free, well-known. API for checking domains and email addresses.
• DeHashed, Constella, IntelX — paid services with broader coverage including non-public dumps.
• SpyCloud, Recorded Future, Flashpoint — enterprise threat intel platforms.
• Industry ISACs — sector-specific information sharing groups (FS-ISAC for finance, H-ISAC for healthcare, etc.).

What to monitor for

• Your domain in credential dumps (e.g., *@yourcompany.com appearing in new leaks)
• Your brand or product name in dark forum mentions (you're being targeted, planned attacks)
• IP addresses or infrastructure indicators that match your own
• Source code references — your unique strings, internal endpoint paths

Integrating monitoring into your stack

# Periodic check (cron job) — alert on new breaches of your domain
import requests

def check_pwned_domain(domain: str, api_key: str):
    headers = {"hibp-api-key": api_key}
    r = requests.get(
        f"https://haveibeenpwned.com/api/v3/breaches?domain={domain}",
        headers=headers,
        timeout=10,
    )
    r.raise_for_status()
    breaches = r.json()
    # Compare against last known list, alert on new ones
    return breaches

For HIBP's password check on user login (free, anonymous via k-anonymity), the implementation in tutorial 2 covers it.

What to do when you find your data on a dark web market

A genuine question many companies face. The wrong answer: try to buy it back. (You can't verify the data was deleted; you fund the criminal economy; you may be committing crimes yourself.)

The right responses:

1. Investigate the source. Where did this come from? Recent breach? Compromise of a partner? Insider exfil? You need to know to prevent recurrence.

2. Notify affected users. Within 72 hours per GDPR if personal data is involved. Honest, clear communication: what happened, what's at risk, what users should do.

3. Force password resets and revoke sessions. Even if passwords were hashed, assume worst-case. Invalidate any session/token issued before the breach.

4. Engage legal counsel. Notification requirements vary by jurisdiction and data type. Get advice early.

5. Engage law enforcement. Dutch NCSC, Politie Cybercrime Team, or sector regulators. They may have visibility into the seller or related cases.

6. Engage a DFIR firm if scope is unclear. Specialized firms (KPMG, Deloitte, Northwave NL, Fox-IT, smaller boutiques) handle investigation and stakeholder communication.

7. Post-incident review. What detection should have caught this earlier? What controls could have prevented it? Update your IR playbook.

Closing — the data-after-breach reality

Your users' data, once stolen, doesn't disappear. It circulates. It's sold. It's used in attacks against you and against unrelated services for years. The damage extends well beyond the initial breach.

That's why prevention matters so much. Detection-and-response is valuable, but the gap between "data stolen" and "first downstream attack" is often days, sometimes hours. By the time you're responding, the data is already in markets.

Prevention starts with the basics from tutorials 1-2. Detection (tutorial 10) catches what prevention misses. Both layers, both serious, both ongoing.