No matter how large and safe a company or business may be, its website faces the same risk from hackers. Breaches, however, can be extremely hard to detect, even with monitoring in place for such activity. Alex C. Snoeren, a professor of computer science, said, "No one is above this -- companies or nation states -- it's going to happen; it's just a question of when."
During the tool's first 18 months in use, it already detected data breaches on the websites it tested. Granted, only 1% of the websites tested were found to have been hacked, but that means that 1% of those websites are now safe from the possible consequences that may have followed from being hacked. This also means that if the tool were used for every single website on the internet, then proportionately 1% of the billions upon billions of websites would be found to have been breached before it was too late.
The data the team collected showed that the risk of a breach was the same for popular and unpopular websites, as well as for large and small ones. This can seem very scary, especially for people who like to shop online. The website you shop on may seem very secure since it is widely used, but it is just as insecure as the sketchy, unpopular websites.
The tool, known as Tripwire, registers accounts on various websites using a unique email address for each. Tripwire uses the same password for the account on the website and for the corresponding email address. The researchers would then wait and see if a third party used the email account. If an outside party did log in to one of Tripwire's email accounts, then the account information on the website had been leaked, meaning someone, or a group of people, had breached the website and exposed its data.
The team realized that an outside party could have simply hacked the email account, rather than breaching the website to get its credentials, so a solution was needed to differentiate the two possibilities. A control group was created: approximately 10,000 email accounts (with the same email provider) were set up. These email accounts, however, were not used to register for any website account. None of these email accounts were found to be hacked, thus any party that gained access to the registered email accounts did so through the website, not the email provider.
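The attribution logic described in the two paragraphs above can be sketched as follows. This is an added example, not the researchers' code: the mailbox names, domains, IP addresses and log format are constructed, and skipping failed logins and the monitor's own source addresses are assumptions.

```python
from collections import defaultdict

# Constructed registry: each honey mailbox is registered on exactly one site
# and shares its password with the account on that site.
HONEY = {
    "u1001@mail.example": "shop-a.example",
    "u1002@mail.example": "forum-b.example",
    "u1003@mail.example": "startup-c.example",
    "u1004@mail.example": "shop-a.example",
}
# Constructed control mailboxes: same provider, never registered anywhere.
CONTROL = {"c9001@mail.example", "c9002@mail.example"}
# Source addresses of the monitoring system's own logins (assumed known).
OWN_IPS = {"192.0.2.10"}

# Constructed provider login log: (timestamp, mailbox, source IP, success)
LOG = [
    ("2017-03-01T10:00:00Z", "u1001@mail.example", "192.0.2.10", True),
    ("2017-03-04T02:13:00Z", "u1003@mail.example", "198.51.100.7", True),
    ("2017-03-04T02:15:00Z", "u1003@mail.example", "203.0.113.44", True),
    ("2017-03-05T08:00:00Z", "u1002@mail.example", "198.51.100.9", False),
    ("2017-03-06T11:30:00Z", "u1004@mail.example", "203.0.113.80", True),
]

def analyze(log, honey=HONEY, control=CONTROL, own_ips=OWN_IPS):
    """Return (site -> third-party logins, control mailboxes accessed)."""
    hits = defaultdict(list)
    control_hits = set()
    for ts, mailbox, ip, ok in log:
        if not ok or ip in own_ips:
            continue  # a failed guess or our own check proves no leak
        if mailbox in control:
            control_hits.add(mailbox)
        elif mailbox in honey:
            hits[honey[mailbox]].append((ts, mailbox, ip))
    return dict(hits), control_hits

def verdict(log, **kw):
    """Sites attributed as breached, or None if the control group is tainted."""
    hits, control_hits = analyze(log, **kw)
    if control_hits:
        return None  # provider-side compromise cannot be ruled out
    return sorted(hits)
```

A login to any control mailbox withdraws every site attribution, because the leak could then have come from the email provider rather than from a website.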
After the trial run involving around 2,300 websites was over, about 19 websites were found to have been hacked. One of these breached websites was a well-known America-based start-up with approximately 43 million customers, which is not named in the study for privacy reasons. Better be glad they caught that one.
Once the scientists found that a website had indeed been hacked, they got in touch with the business to inform it of the issue. Most of the websites did not disclose the breach to any of their customers; because the websites had not actually volunteered to be in the study, they were not obligated to do so. "I was somewhat surprised no one acted on our results," said Snoeren, a member of the development team.
The computer scientists did have a few wise words for the internet users of the world following their study: do not reuse passwords; do not give away too much information about yourself online; and use a password manager so you don’t forget your passwords and need to be emailed a new one.