The Daily Swig Web security digest

Caught in a trap: Study indicates 1% of all websites hacked over past 18 months

James Walker | 15 December 2017 at 11:55

Tripwire bot highlights ‘terrifying’ scale of data breaches.

One out of every 100 websites has suffered a data breach over the past 18 months, regardless of the companies’ reach and audience, researchers have found.

The revelation comes after computer scientists at the University of California San Diego developed a simple tool designed to detect when websites are hacked by monitoring the activity of email accounts associated with them.

A newly published paper outlines the researchers’ creation of ‘Tripwire’ – a bot that registers and creates accounts on a large number of websites.

Each account is associated with a unique email address, and the tool is designed to use the same password for the email account and the website account registered with it.

Researchers then waited to see if an outside party used the password to access the email account. This would indicate that the website’s account information had been leaked.
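The monitoring step described above, as an added example that is not part of the paper or the published Tripwire code: a canary registry with one mailbox and shared password per site, and a detector that reads constructed mail-server login lines and reports, per site, the first successful login from an address the monitoring team does not own. The log format, domain, and addresses are all assumptions.

```python
import re
import secrets
from dataclasses import dataclass
from datetime import datetime

# Hypothetical canary registry for the Tripwire-style check: one unique
# mailbox per monitored site, the mailbox and the site account sharing a
# single random password, so a login to the mailbox by anyone other than
# the monitoring team means that site's credential store has leaked.
@dataclass
class Canary:
    site: str
    email: str
    password: str

def provision_canaries(sites, domain="canary.example"):
    """Return {email: Canary} with a fresh random mailbox and password per site."""
    out = {}
    for site in sites:
        email = f"{secrets.token_hex(6)}@{domain}"
        out[email] = Canary(site, email, secrets.token_urlsafe(16))
    return out

# Constructed mail-server log format (not any real product's format):
#   <ISO timestamp> LOGIN <ok|fail> user=<mailbox> ip=<address>
LOG_RE = re.compile(r"^(\S+) LOGIN (ok|fail) user=(\S+) ip=(\S+)$")

def parse_login(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, result, user, ip = m.groups()
    return {"time": datetime.fromisoformat(ts), "ok": result == "ok",
            "email": user, "ip": ip}

def detect_breaches(canaries, log_lines, own_ips):
    """Map each breached site to the time of the first successful login to
    its canary mailbox from an address outside own_ips. Failed attempts,
    the team's own check-ins and unknown mailboxes are ignored."""
    first_seen = {}
    for line in log_lines:
        ev = parse_login(line)
        if ev is None or not ev["ok"] or ev["ip"] in own_ips:
            continue
        canary = canaries.get(ev["email"])
        if canary is None:
            continue
        if canary.site not in first_seen or ev["time"] < first_seen[canary.site]:
            first_seen[canary.site] = ev["time"]
    return first_seen
```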

Around 2,300 websites were included in the Tripwire study, and the researchers found that almost 1% of the websites they tested had suffered a data breach during their 18-month study period.

The computer scientists ultimately determined that 19 websites had been hacked, including a well-known American startup with more than 45 million active customers.

“No one is above this – companies or nation states – it’s going to happen; it’s just a question of when,” said Alex Snoeren, the paper’s senior author and a professor of computer science at the Jacobs School of Engineering at the University of California San Diego.

While 1% might not seem like much, given that there are over a billion sites on the internet, this means tens of millions of websites could be breached every year, said Joe DeBlasio, one of Snoeren’s PhD students and the paper’s first author.

“One percent of the really big shops getting owned is terrifying,” DeBlasio stated.

Interestingly, the study showed that few of the breached accounts were used to send spam after they were compromised. DeBlasio speculates that the hackers were instead monitoring emails to harvest potentially valuable information, such as bank and credit card account details.

Once the accounts were hacked, researchers contacted the sites’ security teams to warn them of the breaches.

In light of the study, the authors had a few pieces of advice for internet users: “Don’t reuse passwords, use a password manager, and ask yourself how much you really need to disclose online.”

The entire code for the Tripwire tool is now available on GitHub – although DeBlasio said he “highly discourages” anyone from actually trying to run it.