Skip to main content
  1. Home
  2. Computing
  3. News

Websites may be logging your email and password without you knowing

Add as a preferred source on Google

An extensive study reveals that up to 3% of websites may collect your form inputs even before you ever press “Submit.” That’s right — even if you type something and then delete it, these websites will still record your keystrokes and remember the things you chose not to input.

The data, collected without your knowledge and consent, can contain some of the most personal information, that can later be used for various purposes, such as targeted ads.

List of websites that track email addresses prior to submitting.
Kuleuven

The study is titled, “Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission,” and it was conducted by university researchers on a large sample of 100,000 of the world’s highest-ranking websites, adding up to a total of 2.8 million pages.

Recommended Videos

Using a website crawler (based on DuckDuckGo’s Tracker Radar Collector) the researchers scoured the internet and came back with staggering results. Although most of us assume that websites only record the things we type when we submit them, it seems that for up to 2,950 sites out of the 100,000 that were sampled, that was simply not true. It seems that, up to 3% of the time, trackers collect data from the moment it’s typed into the form.

Websites use trackers for many reasons, but for the most part, they’re used to personalize your browsing experience as well as collect information about visitor activity. In theory, this is supposed to be anonymous, but of course, personal identifiers narrow things down a whole lot.

Trackers can be useful, as they let the websites know what kind of content the users are most interested in. However, third-party trackers are used to help advertisers ensure that the ads you see are targeted, meaning you’d be more likely to click and purchase something.

The crawler used in the research was equipped with a machine learning classifier that was previously trained to detect email and password fields, and then intercept any potential script access to those fields. It seems that many third-party trackers have been caught using scripts that monitor the keystrokes when the visitor types inside a form. If the trackers save the information before it is submitted, some of them would be able to collect email addresses and passwords without the user’s consent.

Trackers that were affected by password leaks.
Kuleuven

The fact that some third-party trackers were able to collect keystrokes, and thus data, prior to anything being submitted, is definitely alarming. According to the researchers, this issue affects a small percentage of trackers, but they are quite prevalent on the web. The biggest culprits were LiveRamp (662 websites), Taboola (383), Verizon (255), and Bizible (191). These trackers were present on websites where email addresses were logged. When it comes to snatching passwords, Yandex trackers top the list.

An interesting factor of the research is that European users were subjected to fewer attempts of email/password extraction than the users in the U.S. Only 1,844 websites allowed trackers to do this when visited from Europe, compared to 2,950 for users in the United States.

Users in Europe are protected by the GDPR, a set of legal regulations concerning personal data. According to the study, email exfiltration via trackers breaches at least three GDPR laws. Violating the GDPR can result in enormous fines reaching as high as 20 million euros or up to 4% of the global annual turnover of the entity in question.

The highlights from the study were published by researchers alongside a full, much more technical version for those who want to learn a bit more. This was then first shared by Bleeping Computer. It’s important to note that half of the listed first and third parties responded to the researchers and claimed that the collection was due to a mistake.

If you want to protect yourself from similar trackers, it might be a good idea to disable third-party trackers altogether — you can do this in your browser settings. It’s also considered good practice to change your password every so often. Password managers can prove helpful if you’re juggling a lot of different passwords that change on a regular basis.

Monica J. White
Monica is a computing writer at Digital Trends, focusing on PC hardware. Since joining the team in 2021, Monica has written…
Google rejects alarming report that says its Search AI tools are unsafe for kids
The company says it couldn’t reproduce many of the responses cited and argues that the testing doesn’t reliably measure product safety
Google AI Mode on mobile and desktop

Google has rejected a new report that labels its AI-powered Search features an “unacceptable risk” for children and teenagers.

Common Sense Media’s Youth AI Safety Institute gave AI Overviews and AI Mode its lowest overall rating. The two tools performed poorly against seven of the institute’s eight AI safety principles and failed every category involving potentially severe harm. Google says those findings came from searches that don’t resemble how people normally use its products.

Read more
What should you look for in a printer for high-volume home printing?
From ink costs to wireless printing and scanning, here's how to pick a printer that keeps up with busy households without constant cartridge replacements.
Computer Hardware, Electronics, Hardware

This post is brought to you in paid partnership with HP

Most people find out their printer wasn't built for them at the worst possible moment. You need to print something urgent (a permission slip, a tax form, a boarding pass) and you're out of ink. Or low on magenta, which for reasons no one has satisfactorily explained, also blocks you from printing a black-and-white document. You order a cartridge, wait two days, and finally print the thing you needed on Tuesday the following Thursday.

Read more
This AI doesn’t just translate languages, it invents brand-new ones
Forget translating, this AI builds languages from scratch, sounds, grammar, and all.
ConlangCrafter open on laptop

Ever wondered what a language built entirely by AI would sound like? A team of researchers just made a tool that answers exactly that question. A new paper published in the Proceedings of the Association for Computational Linguistics introduces ConlangCrafter, a tool that uses large language models to build brand new languages complete with their own sounds, grammar, and vocabulary.

Morris Alper, the paper's lead author and soon-to-be assistant professor at the University of Miami, explained that the goal was to create languages with features you don't normally find in the ones we already speak. 

Read more