Tens of millions of websites could be hacked each year, according to researchers in San Diego who have invented a new testing tool.
The team at UC San Diego’s Jacobs School of Engineering claimed that 1% of sites analyzed over an 18-month period by their new “Tripwire” tool were breached.
The rate held irrespective of a site's size or reach, meaning that roughly 10 of the 1,000 most visited websites on the internet could be affected and their visitors put at risk.
“No one is above this — companies or nation states — it’s going to happen; it’s just a question of when,” said Alex Snoeren, the paper’s senior author.
Although the researchers didn’t name the compromised sites they found, they did inform the relevant security teams.
“I was heartened that the big sites we interacted with took us seriously. Yet none of the websites chose to disclose to their customers the breach the researchers had uncovered,” said Snoeren. “The reality is that these companies didn’t volunteer to be part of this study. By doing this, we’ve opened them up to huge financial and legal exposure.”
The Tripwire project worked by using a bot to create an account on each site, each linked to a unique, purpose-made email address. The same password was used for the email account and the website account, so anyone who obtained the website's copy of the credentials could also log in to the mailbox.
The team then waited to see whether a third party used that password to access the email account, which would indicate that the website's account information had leaked.
To rule out compromise on the email provider's side rather than the website's, the team set up a control group of 100,000 email accounts created with the same provider but not linked to any website accounts.
They found none of these email accounts were accessed by malicious third parties.
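The attribution logic this design relies on, written out as an added example that is not the researchers' code: every honey mailbox is tied to exactly one site, the researchers' own check-in address is ignored, and only successful logins from anyone else count. Control accounts are registered with no site so that an unexpected login there points at the email provider instead. The mail domain, IP addresses and login events below are all constructed for illustration.

```python
import secrets
import string
from dataclasses import dataclass
from typing import Optional

ALPHABET = string.ascii_lowercase + string.digits


@dataclass
class HoneyAccount:
    site: Optional[str]   # None marks a control account with no linked website
    email: str            # unique mailbox, used for this one registration only
    password: str         # shared between the mailbox and the website account


class Tripwire:
    def __init__(self, mail_domain: str, our_ips):
        self.mail_domain = mail_domain
        self.our_ips = set(our_ips)        # researchers' own monitoring hosts (assumed)
        self.accounts = {}                 # email -> HoneyAccount

    def _unique_email(self) -> str:
        local = "".join(secrets.choice(ALPHABET) for _ in range(12))
        return f"{local}@{self.mail_domain}"

    def register(self, site: Optional[str]) -> HoneyAccount:
        # One fresh mailbox and one fresh password per registration, so a login
        # to a given mailbox can be attributed to exactly one site.
        acct = HoneyAccount(site, self._unique_email(), secrets.token_urlsafe(16))
        self.accounts[acct.email] = acct
        return acct

    def add_control(self) -> HoneyAccount:
        return self.register(None)

    def attribute(self, login_events):
        """Map each site (None = control group) to the suspicious logins on its mailbox."""
        hits = {}
        for ev in login_events:
            acct = self.accounts.get(ev["email"])
            if acct is None:
                continue                   # not one of our honey mailboxes
            if not ev["success"]:
                continue                   # failed guesses prove nothing about a leak
            if ev["ip"] in self.our_ips:
                continue                   # our own periodic mailbox check
            hits.setdefault(acct.site, []).append(ev)
        return hits

    def breached_sites(self, login_events):
        return sorted(s for s in self.attribute(login_events) if s is not None)

    def control_clean(self, login_events) -> bool:
        # A hit on a control mailbox would mean the provider, not a website, is leaking.
        return None not in self.attribute(login_events)


def demo():
    """Constructed scenario, not the study's data: three sites, two controls, a few logins."""
    tw = Tripwire("honeymail.example", our_ips={"198.51.100.7"})
    shop = tw.register("shop.example")
    forum = tw.register("forum.example")
    tw.register("news.example")
    for _ in range(2):
        tw.add_control()
    events = [
        # the researchers' own check of every mailbox: must be ignored
        *({"email": a.email, "ip": "198.51.100.7", "success": True}
          for a in tw.accounts.values()),
        # an unknown party logs in to the mailbox that only shop.example ever saw
        {"email": shop.email, "ip": "203.0.113.45", "success": True},
        # a failed guess against forum.example's mailbox is not evidence of a leak
        {"email": forum.email, "ip": "203.0.113.9", "success": False},
        # a login to an address that is not part of the experiment at all
        {"email": "someone@other.example", "ip": "203.0.113.9", "success": True},
    ]
    return tw.breached_sites(events), tw.control_clean(events)


if __name__ == "__main__":
    print(demo())   # (['shop.example'], True)
```

The one-mailbox-per-site rule is what makes the result attributable: if the same address had been registered at several sites, a login would only tell you that one of them leaked. The control group closes the other gap, a mail provider that is itself compromised would show hits on mailboxes that were never handed to any website.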
In total, 19 of the 2,300 website-linked email accounts were accessed by unauthorized parties; the affected sites included an unnamed US start-up with 45 million active users, the researchers claimed.
Once inside the email accounts in question, the attackers usually did not hijack them to send spam but instead quietly monitored email traffic, most likely looking for financial details.
The team advised users not to reuse passwords across accounts, to minimize the amount of information handed over to websites, and to use a password manager.
Earlier this week a huge database of 1.4 billion plain text breached credentials was uncovered by dark web analysts.