According to a new study, several previously unknown trackers can capture passwords.


You have data out there if you participate in society in any way, and it's more than what you believe you've put out there. It's the same on the web, and no settings change can help you restore everything. Some websites follow up on customers who start but don't finish a subscription by capturing their email address — and maybe their password as well — and sending them reminders or other spammy communications. They're annoying, but they're a part of life in the United States, according to a new whitepaper, even more so than in Europe.

The researchers used a crawler to fill in email and password information on the internet's top 100,000 sites from U.S. and E.U. IP addresses, then ran dragnets on any trackers that took the bait, according to the study, which was published by the USENIX Association and forwarded to us by ghacks.net. All of the runs took place in May and June of last year.

Proportionally, the top-line figures are only mildly encouraging: on desktop, 1,844 sites in the EU crawls passed email addresses on to third parties such as trackers, analyzers, and marketers, compared to 2,950 sites in the US crawls; mobile findings were comparable at 1,745 and 2,744, respectively. Fashion and beauty (11.1 percent of 1,176 sites) and online shopping (9.4 percent of 3,658) were the most active categories in sharing emails. Surprisingly, no trackers were found on any of the 528 pornographic sites where the crawler entered an email address.

If you're wondering whether cookie consent management policies on the sites you visit are important, keep in mind that just 7,720 of the 100,000 sites evaluated have one, and even if you pick the "reject all" option, 199 (or more) sites will capture your email if you're using a European IP. If they detect you in the United States, 201 (or more) sites will do so. The researchers also discovered 41 tracker domains that weren't on popular blocklists, as well as 52 domains that collected passwords, often using keystroke detection scripts. The researchers believe the majority, if not all, of these password collections are unintentional, and credit Russia's Yandex and American firm Mixpanel for taking action to correct the behavior once it was brought to their attention.

However, numerous other businesses ignored queries regarding password gathering or even demands made under the EU's General Data Protection Regulation.


To be fair, there are a lot of nuances in how data is collected (whether it's been obscured by a hash) and why (these results exclude instances where site hosts send email addresses to internal trackers for purposes like preventing account duplication), but at the end of the day, if you're worried about your data being scattered all over the place, there's very little you can do. It's up to you to decide how much you want to participate on the internet (perhaps don't fill out sign-up forms unless you're serious about using the service) and how much risk you're willing to accept. These well-researched datasets might help you make that decision.
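The kind of check such a crawl depends on, written here as an added example that is not the researchers' code: given the requests a page made after a bait address was typed, flag third-party requests that carry the address in plaintext, base64, or as a common hash. The hosts, the bait address, the request list and the two-label `site_of` shortcut are all assumptions made for illustration.

```python
import base64
import hashlib
from urllib.parse import unquote, urlsplit

def email_variants(email):
    """Map each form the address may be sent in to a label."""
    raw = email.strip().lower().encode()
    variants = {raw.decode(): "plaintext",
                base64.b64encode(raw).decode(): "base64"}
    for algo in ("md5", "sha1", "sha256"):
        variants[hashlib.new(algo, raw).hexdigest()] = algo
    return variants

def site_of(host):
    # Simplification: last two labels. Real code needs the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])

def find_leaks(page_url, email, requests):
    """Return (host, encoding) for third-party requests carrying the address."""
    first_party = site_of(urlsplit(page_url).hostname)
    leaks = []
    for url, body in requests:
        host = urlsplit(url).hostname
        if site_of(host) == first_party:
            continue  # first-party collection is excluded, as the article notes
        exact = unquote(url + " " + body)
        folded = exact.lower()
        for needle, label in email_variants(email).items():
            # base64 is case-sensitive; plaintext and hex digests are not
            if needle in (exact if label == "base64" else folded):
                leaks.append((host, label))
    return leaks

# Constructed sample data: hypothetical hosts and a bait address.
PAGE = "https://shop.example/signup"
EMAIL = "leaktest@mail.example"
DIGEST = hashlib.sha256(EMAIL.encode()).hexdigest()
SAMPLE_REQUESTS = [
    ("https://shop.example/api/validate", "email=leaktest%40mail.example"),
    ("https://t.tracker.example/collect?uid=" + DIGEST, ""),
    ("https://cdn.analytics.example/e", '{"value": "Leaktest@mail.example"}'),
    ("https://fonts.cdn.example/css?family=Inter", ""),
]

if __name__ == "__main__":
    for host, how in find_leaks(PAGE, EMAIL, SAMPLE_REQUESTS):
        print(f"{host}: email sent as {how}")
```

A hashed address is still a stable identifier across sites, which is why the hashed request is flagged alongside the plaintext one.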