Google Workspace is rolling out a security update to stop token stealing attacks

Google Workspace is launching a new security measure to help prevent the same type of account takeover attack that impacted Linus Tech Tips. The feature, which is rolling out in beta for Chrome users on Windows, is designed to block bad actors from remotely stealing the cookies that keep you logged in to your Workspace account.

Google calls the feature Device Bound Session Credentials (DBSC), and it does exactly what its name suggests: it protects users’ Workspace accounts by binding session cookies, the temporary files that websites use to remember user information, to their devices.

That makes it more difficult for attackers to carry out session token-stealing attacks, which often occur when a victim downloads information-stealing malware. From there, bad actors can exfiltrate a victim’s login credentials to a remote server, allowing them to sign in to their account from another device or sell their credentials.

“Because this theft occurs after a user has logged in, it bypasses many existing account protections like 2FA [two-factor authentication],” Google spokesperson Ross Richendrfer tells The Verge. “Existing protections for this type of attack aren’t very mature, so it’s low-hanging fruit for attackers.”

In 2023, a bad actor took over the YouTube channel for Linus Tech Tips, along with two other Linus Media Group accounts, after an employee downloaded a fake sponsorship offer file containing cookie-stealing malware. This week, YouTube issued a warning about a similar scam involving creators downloading phony brand deals. YouTube isn’t the only platform that we’ve seen impacted by cookie-stealing, either, as hackers hijacked several Chrome extensions last year, adding malware that exfiltrates session tokens for some websites.

Google says there’s been an “exponential rise” in cookie and authentication token theft over the past couple of years, and that this “trend has only intensified in 2025.” The company began working on DBSC last year, and said the verification platform Okta, as well as browsers like Microsoft Edge, have “expressed interest” in the concept. Along with DBSC, Google recommends that Workspace administrators enable passkeys as well, which is now available to over 11 million customers.