US researchers develop tool to detect website data breaches
Tens of millions of websites are compromised every year
One per cent of websites globally are compromised every year, according to researchers at the Jacobs School of Engineering at the University of California San Diego - a number that equates to tens of millions of websites.
However, the computer scientists claim to have developed a tool that can detect whether a website has been compromised just by monitoring associated email accounts.
"No one is above this - companies or nation states - it's going to happen; it's just a question of when," said Alex C. Snoeren, senior author of the paper and a professor of computer science at the Jacobs School of Engineering.
None of the websites chose to tell their customers about the breaches
Although one per cent may not seem much, there are more than a billion websites on the internet, so this means tens of millions of websites are successfully attacked every year.
Joe DeBlasio, a PhD student and one of the paper's authors, claimed that popular websites are as much targets for hackers as little-visited ones.
He found that out of the top 1,000 most visited sites, ten are hacked every year. "One per cent of the really big shops getting owned is terrifying," said DeBlasio.
Last month, the researchers demonstrated their tool at the ACM Internet Measurement Conference in London. They described the concept as being "relatively simple".
The bot, designed by DeBlasio, registers and creates accounts across a database of websites. Around 2,300 websites were included in the study, and each account was linked to a unique email address.
The tool created the same password for the email account and website backend, and researchers then waited to see if a crook used the password for either account - indicating that information had been breached.
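The honey-account procedure described above, written out as detection logic run over mail-server login records. This is an added illustration, not the researchers' tool: the registry layout, the log line format, the honey.example domain and the monitoring address are all assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed registry standing in for the bot's database: every monitored site
# gets its own unique mailbox, and the same password is used on the site and on
# the mailbox. Addresses and site names are made up (honey.example is a placeholder).
HONEY_REGISTRY = {
    "a91f3c@honey.example": "shop-one.example",
    "7d02be@honey.example": "forum-two.example",
    "c4e8a0@honey.example": "startup-three.example",
}

# Hosts the researchers themselves use to check the mailboxes; their logins are expected.
MONITOR_IPS = {"192.0.2.10"}

# Assumed mail-server authentication log format (constructed for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

def detect_breaches(registry, log_lines, monitor_ips):
    """Map each site to the suspicious mailbox accesses tied to its honey account.

    Only the site's own user database should know the address, so any access
    from outside the monitoring hosts is evidence. A successful login means the
    shared password was recovered too ('credentials'); a failed attempt means at
    least the address leaked ('address_only').
    """
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line
        rec = m.groupdict()
        site = registry.get(rec["user"])
        if site is None or rec["ip"] in monitor_ips:
            continue  # not a honey mailbox, or one of our own monitoring checks
        kind = "credentials" if rec["result"] == "ok" else "address_only"
        hits[site].append({"ts": rec["ts"], "ip": rec["ip"], "evidence": kind})
    return dict(hits)

# Constructed log lines: a monitoring check, an ordinary mailbox on the same
# server, a successful foreign login, and a failed foreign attempt.
SAMPLE_LOG = [
    "2017-10-01T08:00:00Z login ok user=a91f3c@honey.example ip=192.0.2.10",
    "2017-10-01T08:05:12Z login ok user=alice@honey.example ip=198.51.100.7",
    "2017-10-02T23:41:03Z login ok user=7d02be@honey.example ip=203.0.113.55",
    "2017-10-03T02:10:44Z login fail user=c4e8a0@honey.example ip=203.0.113.56",
]

if __name__ == "__main__":
    for site, events in detect_breaches(HONEY_REGISTRY, SAMPLE_LOG, MONITOR_IPS).items():
        print(site, events)
```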
At the end of their study, the researchers detected 19 hacked websites - with one belonging to a US-based startup with more than 45 million active customers.
Once the accounts were hacked, the researchers contacted the sites' security teams by phone and email. "I was heartened that the big sites we interacted with took us seriously," said Snoeren.
However, none of the websites chose to tell their customers about the breaches. "I was somewhat surprised no one acted on our results," Snoeren said.
"The reality is that these companies didn't volunteer to be part of this study," Snoeren said. "By doing this, we've opened them up to huge financial and legal exposure. So we decided to put the onus on them to disclose."