Google has named this security measure Device Bound Session Credentials (DBSC), which essentially secures Workspace accounts by binding session cookies to users’ devices.
This enhancement makes it challenging for cyber attackers to execute session token theft, a common tactic following the download of information-stealing malware. By preventing the exfiltration of login credentials to remote servers, attackers are hindered from unauthorized access or credential trading.
Google’s spokesperson, Ross Richendrfer, highlighted the vulnerability of current security measures against post-login theft, emphasizing the necessity for advanced protection mechanisms like DBSC. He mentioned that attackers find such exploits as easy targets due to the inadequacy of existing safeguards like two-factor authentication.
In 2023, Linus Tech Tips faced a breach when a malicious actor hijacked their YouTube channel and other Linus Media Group accounts through a fake sponsorship offer file containing cookie-stealing malware. Recently, YouTube warned creators about a similar scam involving fake brand deal downloads, underscoring the prevalent threat of cookie-based attacks across various platforms.
Google observed a significant surge in cookie and authentication token theft in recent years, with an intensified trend in 2025. The development of DBSC began last year to address this escalating concern, attracting interest from verification platform Okta and browser developers like Microsoft Edge. In addition to DBSC, Google advises Workspace administrators to activate passkeys, now accessible to millions of customers for enhanced security.
