hacked.com

Recovery for SMBs & Individuals

Session Hijacking

Session hijacking is when an attacker gains access to an account by stealing or reusing an authenticated session (for example a cookie or token), rather than guessing the password.

It is one reason people say, "I changed my password but they still have access."

Why it matters for account recovery

Session hijacking matters because recovery requires explicitly invalidating sessions, not just changing the credential. A password change only rotates what is needed to start a new session; on services that do not tie existing sessions to that change, an attacker holding a stolen session stays logged in.

It also changes device triage. A stolen session usually means something on the device had access to the browser's cookie store or token cache: an infostealer, a malicious browser extension, or an outdated, shared, or otherwise untrusted device. Until that is ruled out, any new session you create on the same device can be stolen the same way.

Common failure modes and misconceptions

  • Not ending sessions: Many services offer a global sign-out ("sign out of all devices") or a list of active sessions you can revoke one by one. Skipping that step leaves the attacker's session valid.
  • Reinfected device: If the device that leaked the session is still compromised, the new session you create after recovery will be stolen too.
  • OAuth persistence confusion: Third-party apps connected to the account (by you or by the attacker) hold their own tokens, which a password change or global sign-out may not revoke. Review connected apps and OAuth permissions and remove anything you do not recognise.
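To make the three failure modes above concrete, here is an added example (not code from hacked.com or from any real service) of a small, hypothetical in-memory account store. It shows why a password change alone leaves a stolen session cookie working, how removing one device differs from a global sign-out, and why an OAuth grant to a connected app survives both and must be revoked separately. The password hashing is deliberately simplified; a real service uses a slow, salted hash such as argon2 or bcrypt. All names, tokens and the "alice" walkthrough are constructed for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


def hash_password(password: str) -> str:
    # Illustrative only: a real service uses a slow, salted hash (argon2/bcrypt).
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Account:
    username: str
    password_hash: str
    session_version: int = 1                          # bumped by "sign out everywhere"
    sessions: dict = field(default_factory=dict)      # session_id -> {"device", "version"}
    oauth_grants: dict = field(default_factory=dict)  # connected app -> refresh token


class AuthService:
    """Hypothetical in-memory account store (assumed design, not any real service's code)."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        self.accounts[username] = Account(username, hash_password(password))

    def login(self, username: str, password: str, device: str) -> str:
        acct = self.accounts[username]
        if acct.password_hash != hash_password(password):
            raise PermissionError("bad credentials")
        session_id = secrets.token_urlsafe(32)
        # Each session remembers the version it was issued under.
        acct.sessions[session_id] = {"device": device, "version": acct.session_version}
        return session_id

    def is_session_valid(self, username: str, session_id: str) -> bool:
        acct = self.accounts[username]
        entry = acct.sessions.get(session_id)
        return entry is not None and entry["version"] == acct.session_version

    def change_password(self, username: str, new_password: str) -> None:
        # Rotates only the credential. Sessions issued earlier keep working, which is
        # the behaviour behind "I changed my password but they still have access".
        self.accounts[username].password_hash = hash_password(new_password)

    def revoke_session(self, username: str, session_id: str) -> None:
        # "Remove this device": drop one session and leave the others alone.
        self.accounts[username].sessions.pop(session_id, None)

    def sign_out_everywhere(self, username: str) -> None:
        # Global sign-out: raise the version so every session issued before now fails.
        self.accounts[username].session_version += 1

    def grant_oauth(self, username: str, app: str) -> str:
        # A connected app gets its own token, independent of browser sessions.
        token = secrets.token_urlsafe(32)
        self.accounts[username].oauth_grants[app] = token
        return token

    def is_oauth_grant_valid(self, username: str, app: str, token: str) -> bool:
        return self.accounts[username].oauth_grants.get(app) == token

    def revoke_oauth(self, username: str, app: str) -> None:
        self.accounts[username].oauth_grants.pop(app, None)


def recovery_walkthrough() -> dict:
    """Constructed scenario: alice's laptop cookie is copied by an infostealer."""
    svc = AuthService()
    svc.register("alice", "old-password")
    stolen_cookie = svc.login("alice", "old-password", "alice-laptop")  # copied by the attacker
    phone_session = svc.login("alice", "old-password", "alice-phone")
    app_token = svc.grant_oauth("alice", "calendar-sync")               # a connected app

    svc.change_password("alice", "new-password")
    stolen_after_password_change = svc.is_session_valid("alice", stolen_cookie)

    svc.revoke_session("alice", stolen_cookie)                          # remove one unknown device
    stolen_after_device_revoke = svc.is_session_valid("alice", stolen_cookie)
    phone_after_device_revoke = svc.is_session_valid("alice", phone_session)

    svc.sign_out_everywhere("alice")                                     # global sign-out
    phone_after_global_signout = svc.is_session_valid("alice", phone_session)
    oauth_after_global_signout = svc.is_oauth_grant_valid("alice", "calendar-sync", app_token)

    svc.revoke_oauth("alice", "calendar-sync")                           # separate surface
    oauth_after_revoke = svc.is_oauth_grant_valid("alice", "calendar-sync", app_token)

    # A fresh login works again; if the laptop is still infected, this cookie is just as stealable.
    fresh = svc.login("alice", "new-password", "alice-laptop")
    return {
        "stolen_after_password_change": stolen_after_password_change,  # True
        "stolen_after_device_revoke": stolen_after_device_revoke,      # False
        "phone_after_device_revoke": phone_after_device_revoke,        # True
        "phone_after_global_signout": phone_after_global_signout,      # False
        "oauth_after_global_signout": oauth_after_global_signout,      # True
        "oauth_after_revoke": oauth_after_revoke,                      # False
        "fresh_session_valid": svc.is_session_valid("alice", fresh),   # True
    }


if __name__ == "__main__":
    for step, result in recovery_walkthrough().items():
        print(f"{step}: {result}")
```

The session version counter is the part worth copying: it lets a single global sign-out invalidate every session issued before it, including copies the service cannot enumerate, and it is what real "sign out of all devices" features rely on. Note that the OAuth grant stays valid through both the password change and the global sign-out; it lives on a different surface and needs its own revocation.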

Safe best practices

  • Use the global sign-out feature, then review the active sessions or devices list and remove anything you do not recognise.
  • Change the password from a device you trust, then check that recovery email addresses, phone numbers, and authenticator settings have not been altered by the attacker.
  • If you suspect token theft, review browser extensions and installed apps on the device, and treat it as compromised until it has been cleaned.

Session hijacking is an access problem, not a password problem. Recovery works when you cut off sessions and fix the device and identity surfaces that created them.