Their claim is logically dubious anyway. It’s not the cookies themselves but all the associated data that cookiesnlet big tech associate to profiles. This claim they are making about cookies are not associated with a breach is highly suspicious and not a good faith argument IMO. Even if they are not directly linked, cookies and tracking tools exist in a system and don’t exist in a vacuum. They are the tip of the spear. Sure the tip isn’t what kills you, but having the whole spear rammed through you sure does.
Well, it's hard to prove the absence of a negative - I think that it's on the people claiming harm to provide some examples. However, I'm not even sure what a cookie data leak would look like. The large advertising brokers are handling petabytes of cookie tracking data per day. To gain any insight out of it you need to run jobs on giant clusters. The volume of the data makes it basically impossible to exfiltrate. So yeah, I'm pretty confident in this statement.
> The large advertising brokers are handling petabytes of cookie tracking data per day.
Citation needed.
Also, you don't need a copy of every single byte that a tracking company collects; summaries are more than enough to be useful to track individuals across the internet.
> The volume of the data makes it basically impossible to exfiltrate.
An attacker doesn't need to try to exfiltrate a large fraction of collected data; only the data that's likely to be interesting to them.
See Facebook/Cambridge Analytica [1] for an example of just how incompetent a technically-sophisticated company can be when it comes to protecting their users' (and their own!) data from potential adversaries.
[1] In particular, the comments from Alex Stamos, the CSO who said “We have the threat profile of a [...] defense contractor, but we run our corporate networks [...] like a college campus" (from https://www.cnbc.com/2017/10/19/facebook-security-chief-alex... )