Simple tool tells whether websites suffered a data breach
Once the accounts were breached, researchers got in touch with the sites’ security teams to warn them of the breaches. They exchanged emails and phone calls. “I was heartened that the big sites we interacted with took us seriously,” Snoeren said.
Yet none of the websites chose to disclose to their customers the breach the researchers had uncovered. “I was somewhat surprised no one acted on our results,” Snoeren said.
The researchers decided not to name the companies in their study.
“The reality is that these companies didn’t volunteer to be part of this study,” Snoeren said. “By doing this, we’ve opened them up to huge financial and legal exposure. So we decided to put the onus on them to disclose.”
Interestingly, very few of the breached accounts were used to send spam once they became vulnerable. Instead, the hackers usually just monitored email traffic. DeBlasio speculates that the hackers were monitoring emails to harvest valuable information, such as bank and credit card accounts.
Researchers went a step further. They created at least two accounts per website. One account had an “easy” password—strings of seven-character words with their first letter capitalized and followed by a single digit. These kinds of passwords are usually the first passwords that hackers will guess. The other account had a “hard” password—random 10-character strings of numbers and letters, both in lower and upper case, without special characters.
Seeing which of the two accounts got breached allowed researchers to make a good guess about how websites store passwords. If both the easy and hard passwords were hacked, the website likely just stores passwords in plain text, contrary to typically-followed best practice. If only the account using the easy password was breached, the sites likely used a more sophisticated method for password storage: an algorithm that turns passwords into a random string of data—with random information added to those strings.
The computer scientists had a few pieces of advice for Internet users: don’t reuse passwords; use a password manager; and ask yourself how much you really need to disclose online.
“Websites ask for a lot of information,” Snoeren said. “Why do they need to know your mother’s real maiden name and the name of your dog?”
DeBlasio was less optimistic that these precautions would work.
“The truth of the matter is that your information is going to get out; and you’re not going to know that it got out,” he said.
Snoeren and colleagues are not planning to pursue further research on Tripwire.
“We hope to have impact through companies picking it up and using it themselves,” he said. “Any major email provider can provide this service.”
