Nice study, nice technique. The interesting part here is that they specifically did not release the cracked sites as the subjects did not volunteer to participate in the study. Would that more had similar ethics. Here's looking at you, Facebook. Jus' sayin'.
One per cent of all websites probably p0wned each year, say boffins
Researchers working on a technology to detect unannounced data breaches have found, to their dismay, that one per cent of the sites they monitored were hacked over the previous 18 months. University of California San Diego researcher Joe DeBlasio, who conducted the study under professor Alex Snoeren, said the number was …
COMMENTS
Wednesday 13th December 2017 10:26 GMT Bronek Kozicki
Interesting technique
Create a unique email address (i.e. a user name that is hard to guess even by brute force, as if it were a good password) and use an easily guessable password for that one. Create another unique email address, but with a strong password. If the first account was breached, that means the email leaked (or email + easy password hash). If the second was breached, that means the plain text password leaked. I would be interested if such monitoring of websites was standard and users were informed of results.
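The two-canary scheme described in the comment above, worked through as an added example (not code from the study, the article or the commenter): each monitored site gets one honey identity with a guessable password and one with a random password, and successful logins seen at the honey mailbox are mapped back to the site and to what must have leaked. The mail log format, the domain `canary.example` and the helper names are assumptions; the log lines are constructed.

```python
import re
import secrets
from dataclasses import dataclass

WEAK_PASSWORD = "password1"  # deliberately guessable, as in the comment
EMAIL_LEAK = "email address leaked (password guessed or hash cracked)"
PASSWORD_LEAK = "plaintext password leaked"

@dataclass(frozen=True)
class HoneyAccount:
    site: str
    email: str      # unguessable local part is the real secret for the weak account
    password: str
    weak: bool      # True: guessable password; False: random strong password

def make_honey_accounts(site, domain="canary.example"):
    """Two canary identities per monitored site (hypothetical helper)."""
    return [
        HoneyAccount(site, f"{secrets.token_hex(12)}@{domain}", WEAK_PASSWORD, True),
        HoneyAccount(site, f"{secrets.token_hex(12)}@{domain}", secrets.token_urlsafe(24), False),
    ]

# Assumed honey-mailbox auth log line: "<ts> LOGIN_OK user=<email> src=<ip>"
LOGIN_RE = re.compile(r"LOGIN_OK user=(?P<email>\S+) src=(?P<src>\S+)")

def classify_logins(accounts, mail_log):
    """Map successful logins at the honey mailbox back to the site whose account
    leaked, and infer what leaked from which canary was used. Returns {site: set}."""
    by_email = {a.email: a for a in accounts}
    findings = {}
    for line in mail_log.splitlines():
        m = LOGIN_RE.search(line)
        if not m or m["email"] not in by_email:
            continue  # failed attempt, or not one of our canaries
        acct = by_email[m["email"]]
        findings.setdefault(acct.site, set()).add(EMAIL_LEAK if acct.weak else PASSWORD_LEAK)
    return findings

def demo():
    """Constructed scenario: site A leaks emails only, site B leaks plaintext passwords."""
    accounts = make_honey_accounts("site-a.example") + make_honey_accounts("site-b.example")
    weak_a = next(a for a in accounts if a.site == "site-a.example" and a.weak)
    strong_b = next(a for a in accounts if a.site == "site-b.example" and not a.weak)
    mail_log = "\n".join([
        f"2017-12-01T03:14:07Z LOGIN_OK user={weak_a.email} src=198.51.100.7",
        f"2017-12-01T03:14:09Z LOGIN_FAIL user={strong_b.email} src=198.51.100.7",
        f"2017-12-02T11:02:41Z LOGIN_OK user={strong_b.email} src=203.0.113.9",
        "2017-12-02T11:03:00Z LOGIN_OK user=alice@canary.example src=203.0.113.9",
    ])
    return classify_logins(accounts, mail_log)

if __name__ == "__main__":
    for site, leaks in demo().items():
        print(site, sorted(leaks))
```

A failed login to the strong canary and a login to a non-canary mailbox are both ignored, so only confirmed use of a leaked identity produces a finding.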
Wednesday 13th December 2017 19:25 GMT Anonymous Coward
What I don't understand
Why would someone who gets the passwords test them out by logging in with them? If the Reg was hacked, why would the hackers log in with all of our accounts to test them? If you test a few you know they work, and testing them all would probably set off alarms with some. Plus it isn't like having control of a lot of accounts at a place like this is of any use to anyone.
Now if it was a bank or something, sure, then it would be something they'd test because they'd want to use them.
If they're really seeing 1% of their accounts get logged in to, the real percentage of compromised sites may be much higher!
As for the "well known American startup", that sure sounds a lot like Uber. Another "feather" in their cap...
Wednesday 13th December 2017 19:45 GMT Mark 85
Re: What I don't understand
Plus it isn't like having control of a lot of accounts at a place like this is of any use to anyone.
True up to a point but many people reuse their login names and passwords. So it's worth the time for the bad guys to test them, not just "here" but over "there" and "there".....
Friday 15th December 2017 21:01 GMT Michael Wojcik
Rounding down a bit, are we?
The title says "each year", but the article and the university's announcement both say the study determined nearly 1% were hacked over an 18-month period.
It's been a long year, figuratively, but I'm pretty sure chronologically it was the usual number of months.
Still, as others have said, it's a nice study and methodology. Nothing astounding but often the useful results aren't.