This article is more than 1 year old
One per cent of all websites probably p0wned each year, say boffins
Automated account-creator used bad passwords to detect when sites go bad
Researchers working on a technology to detect unannounced data breaches have found, to their dismay, that one per cent of the sites they monitored were hacked over the previous 18 months.
University of California San Diego researcher Joe DeBlasio, who conducted the study under professor Alex Snoeren said the number was shocking, because while one per cent doesn't seem like much, but it translates into “tens of millions” of breaches annually.
Moreover, he said, the research showed that “size doesn't matter” – popular sites are just as likely to suffer breaches as obscure outfits, and as the university's announcement noted, the a 1/100 hack rate means “out of the top-1000 most visited sites on the Internet, ten are likely to be hacked every year.”
The research was carried out using a tool DeBlasio created called Tripwire: a bot that registers and created accounts on more than 2,000 sites.
Tripwire created a unique e-mail address for each account and by following the bad practice of password re-use made it simple to discover if a third party used the password to access the account. If third party access was detected, this was counted as an indication that the site's account information had leaked.
A control group of 10,000 e-mail accounts on the same e-mail provider was left unused for registering other accounts, as a control group to demonstrate that the leaks didn't come from the e-mail provider.
DeBlasio and Snoeren notified the security teams at the 19 sites in their sample that had suffered breaches (they said those included “a well-known American startup with more than 45 million active users”).
As a second test of a site's security, they opened two accounts, one with an easy password, the other with a hard password. If both were breached, they reasoned, the site was storing passwords in plain text.
The source code for Tripwire is published at GitHub, with a caveat that you shouldn't try this at home. ®