It feels only natural that 2017 would be the year we experienced one of the worst security breaches of all time. The Equifax hack affected 145.5 million U.S. consumers, but what’s really shady is that the credit report company suffered another breach months before the one they disclosed in September. And trying to keep users in the dark for the sake of optics isn’t an uncommon move. It took Yahoo almost a year to inform the public that it wasn’t just a billion user accounts that were compromised. It was all of them.
My point is, when you sign up for an account online, your information is at the mercy of the service you joined, and you shouldn’t assume that every company will let you know they’ve suffered a security violation. But a prototype tool created by researchers from the University of California San Diego (UCSD) aims to bring greater transparency to such breaches. The system, called Tripwire, detects websites that have been hacked, as detailed in this study.
Here’s how it works: To detect breaches, the researchers created a bot that automatically registered accounts on thousands of websites. Each of those accounts shared a password with a unique associated email address. Working with a “major email provider,” the researchers were then notified if there was a successful login on any of the email accounts. Since the email accounts were created solely for the study, any login was assumed to be the result of a security breach on the one website associated with that account.
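As an added illustration (not the UCSD researchers’ code), here is a minimal canary-account correlator in Python that implements the scheme just described: one unique mailbox and password per monitored site, and any login to a canary mailbox that did not come from the operator’s own monitoring hosts is attributed to a breach of the single site that knew those credentials. The site names, IP addresses and the login-event line format are constructed for the example.

```python
"""Canary-account breach detector modelled on the Tripwire design above.
Added example, not the researchers' code. Assumed: the mail provider
exports successful logins as 'timestamp,mailbox,src_ip' lines; every
site name, address and event below is constructed."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Canary:
    site: str      # website the throwaway account was registered on
    mailbox: str   # unique email address used for that site only
    password: str  # shared between the site account and the mailbox


def enroll(sites, mail_domain="canary.example"):
    """Issue one fresh mailbox and password per site, so a login to a
    mailbox can only be explained by a leak from its associated site."""
    registry = {}
    for site in sites:
        mailbox = f"{secrets.token_hex(6)}@{mail_domain}"
        registry[mailbox] = Canary(site, mailbox, secrets.token_urlsafe(16))
    return registry


def detect_breaches(registry, login_events, operator_ips=frozenset()):
    """Map each successful mailbox login back to the site it implicates.
    Logins from the operator's own hosts are ignored; any other login is
    treated as evidence that the site's credential store leaked."""
    breached = {}  # site -> timestamp of first suspicious login
    for line in login_events:
        ts, mailbox, src_ip = line.strip().split(",")
        canary = registry.get(mailbox)
        if canary is None or src_ip in operator_ips:
            continue  # not a canary mailbox, or our own health check
        breached.setdefault(canary.site, ts)
    return breached


def demo():
    """Run the detector over constructed events: an operator health check
    (ignored), two attacker logins to one mailbox (reported once), and a
    login to a mailbox that is not a canary (ignored)."""
    registry = enroll(["forum.example", "shop.example", "travel.example"])
    by_site = {c.site: c.mailbox for c in registry.values()}
    events = [
        f"2015-03-01T09:00:00Z,{by_site['shop.example']},10.0.0.5",
        f"2015-03-02T04:10:00Z,{by_site['forum.example']},198.51.100.23",
        f"2015-03-02T04:12:30Z,{by_site['forum.example']},198.51.100.24",
        "2015-03-03T12:00:00Z,nobody@canary.example,203.0.113.7",
    ]
    return detect_breaches(registry, events, operator_ips={"10.0.0.5"})
```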
“While Tripwire can’t catch every data breach, it essentially has no false positives—everything it detects definitely corresponds to a data breach,” Joe DeBlasio, a Ph.D student of Jacobs School of Engineering at UCSD and an author on the research paper, told Gizmodo. “Tripwire triggering means that an attacker had access to data that wasn’t shared publicly.”
As part of the study, the researchers monitored over 2,300 sites from January 2015 through February of this year, and found that 19 of the sites (or one percent) had been compromised. The study notes that the system found “both plaintext and hashed-password breaches”—if your password is hashed, it is indecipherable to a hacker. Arguably the most damning finding of the study was that, at the time it was published, all but one of the compromised websites failed to notify their users that they had suffered a breach. Only one site told researchers they would force a password reset.
“The very clever and novel approach by UCSD researchers shows that such attacks may be occurring on a wider scale than previously known, and even worse, that the enterprises being breached may not even be aware of the intrusions,” computer security firm UpGuard CEO and Co-Founder Mike Baukes told Gizmodo.
While the researchers are unwilling to disclose the names of the websites (with the exception of bitcointalk.org, which publicly disclosed its breach in 2015), the study does include some information about the nature of those sites. They note “the most popular site compromised is a well-known American startup with more than 45 million active customers as of the quarter they were compromised.” According to the study, several people have griped about the breach on social media. The researchers note that they could find only one publication that covered the breach, which the company denied.
Other sites included a “large gaming-services company known within online gaming communities,” “a top-500 site in India” that reportedly has millions of app downloads as well as over 60 million site visits a month, a porn site in Germany, and “a company with a large portfolio of travel recommendation websites” that reportedly has 40 million monthly views across its sites.
The researchers also reached out to all of the websites they found had been compromised, excluding the one that had already been publicized. “We disclosed our identities, methodology, and findings, and engaged with each site to the extent that they were willing,” the researchers wrote. Only six of the sites responded: one confirmed a breach it had already known about, and some “acknowledged that security was not their highest priority.”
Baukes told Gizmodo that “password reuse attacks are a majorly overlooked vector for serious cybercrime, and can be as damaging as more vaunted methods of assault.” He pointed to the 2012 Dropbox hack where the details of more than 60 million user accounts were leaked on the dark web. The hacker was able to reuse an employee’s password from a LinkedIn breach to obtain information from the Dropbox network. Baukes said that the UCSD researchers’ system “is a welcome addition to the security community’s toolbelt and if adopted by independent organizations, could greatly enhance the accuracy and validity of data breaches detected in this manner.”