Google Workspace is launching a new security measure to help prevent the same type of account attacks that affected Linus Tech Tips. The feature, which is launching in beta for Chrome users on Windows, is designed to block attackers from remotely hijacking the cookies that allow you to log into your Workspace account.
Google calls this feature Device Bound Session Credentials (DBSC), and it does exactly what its name suggests: it protects users’ Workspace accounts by binding session cookies, temporary files that websites use to remember user information, to their devices.
This makes it more difficult for attackers to conduct session token hijacking attacks, which often occur when a victim downloads malware that steals information. From there, the attackers can steal the victim’s credentials to a remote server, allowing them to log into their account from another device or sell their credentials.
“Because this theft occurs after the user is logged in, it bypasses many existing account protections, such as 2FA [two-factor authentication],” Google spokesperson Ross Richendrfer tells The Verge. “Existing defenses against this type of attack are not very sophisticated, so it’s an easy target for attackers.”
In 2023, an attacker took over the Linus Tech Tips YouTube channel along with two other Linus Media Group accounts after an employee uploaded a fake sponsorship offer file that contained malware that stole cookies. This week, YouTube issued a warning about a similar scam in which creators uploaded fake offers from brands. YouTube is not the only platform that has suffered from cookie theft: last year, hackers hijacked several Chrome browser extensions, adding malware that steals session tokens for some websites.
Google says that there has been an “exponential increase” in cookie and authentication token theft over the past few years, and that this “trend has only intensified in 2025.” The company began working on DBSC last year and said that verification platform Okta, as well as browsers such as Microsoft Edge, have “expressed interest” in the concept. Along with DBSC, Google is recommending that Workspace administrators also enable passwords, which are now available to more than 11 million users.
