Due to the saturated digital market, it can be a real challenge to increase web traffic. After all, an estimated 75% of search engine users never even click past the first page of web results. But for those who actually make it onto a website and take the time to buy a product or enter their personal information, these consumers need to have some reassurance that these businesses are taking steps to safeguard their data. According to University of California San Diego researchers, customer faith may be sorely misplaced, as more websites are likely compromised than we think — and these businesses do very little to warn us about it.
UCSD researchers recently developed a tool known as Tripwire, a system which monitors websites using designated email addresses to register accounts. Although these email addresses were totally unique — they were not used for anything other than the registration on an individual business’s website — the password used for the email address and for the website account were the same. This is, of course, a no-no, but utilizing the same password for different accounts is a mistake that most internet users make. Researchers created two different accounts for each website, one with an easy-to-guess password and the other with a randomized, 10-character password. They also made sure to have a control group to ensure that the email account provider they chose could not be blamed for any breaches they might discover.
The results were nothing short of shocking. Out of the 23,000 websites tested over a two-year period, Tripwire found that 1% had been compromised. This 1% included a highly popular startup with more than 45 million active users. Tripwire found that both the plaintext and hashed passwords had been breached, meaning that many of these sites stored passwords in plaintext rather than encrypting them. In other words, these sites took almost no preventative action to safeguard passwords.
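The detection logic described above can be sketched in Python. This is an added illustration, not the UCSD team's code: the mailbox names, site names, log format and result labels are all constructed, and reading an exposed hard password as a sign of plaintext storage follows the article's reasoning.

```python
from collections import defaultdict

# Constructed registry: each honey mailbox is registered at exactly one site
# and shares its password with that site account. site=None marks a control
# mailbox that was never registered anywhere.
REGISTRY = {
    "u1001@mail.example": ("shop-a.example", "easy"),
    "u1002@mail.example": ("shop-a.example", "hard"),
    "u2001@mail.example": ("forum-b.example", "easy"),
    "u2002@mail.example": ("forum-b.example", "hard"),
    "u9001@mail.example": (None, "control"),
}

# Constructed mail-provider login events: (timestamp, mailbox, login succeeded)
LOGINS = [
    ("2017-03-02T10:15:00Z", "u1001@mail.example", True),
    ("2017-03-02T10:16:00Z", "u1002@mail.example", True),
    ("2017-04-11T08:00:00Z", "u2001@mail.example", True),
    ("2017-04-12T09:30:00Z", "u2002@mail.example", False),  # failed guess
    ("2017-05-01T00:00:00Z", "u7777@mail.example", True),   # not a honey mailbox
]

def classify(registry, logins):
    """Return ({site: label}, control_tripped) from provider login events."""
    hits = defaultdict(set)
    control_tripped = False
    for _ts, mailbox, ok in logins:
        if not ok or mailbox not in registry:
            continue  # failed logins and unrelated mailboxes are not evidence
        site, kind = registry[mailbox]
        if site is None:
            # A control mailbox was accessed: the mail provider itself may be
            # the leak, so site findings can no longer be trusted.
            control_tripped = True
        else:
            hits[site].add(kind)
    findings = {}
    for site, kinds in hits.items():
        # A successful login with the random 10-character password suggests
        # the site kept it in plaintext; easy-only fits a cracked hash.
        findings[site] = ("hard-password-exposed" if "hard" in kinds
                          else "easy-password-only")
    return dict(findings), control_tripped

if __name__ == "__main__":
    print(classify(REGISTRY, LOGINS))
```

Because each mailbox's address and password exist only at one site, any successful login attributes the breach to that site without further correlation.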
Most astounding of all, when researchers reached out to the compromised businesses, not one disclosed the breach to their website users. Around 58% of businesses say they’re worried about cyber attacks, but the UCSD researchers found that many of the impacted companies didn’t seem to care too much in reality. At least, not enough to endure the potential fallout from their customer base.
Alex C. Snoeren, professor of computer science at the University and one of Tripwire’s four study authors, said in a statement: “I was heartened that the big sites we interacted with took us seriously [but] I was somewhat surprised no one acted on our results. The reality is that these companies didn’t volunteer to be part of this study. By doing this, we’ve opened them up to huge financial and legal exposure. So we decided to put the onus on them to disclose.”
Subsequently, the Tripwire research team has said they will not publicly reveal the names of these companies or their sites. But while 1% of websites might seem like a small number, considering just how many websites there are, the implications could be huge. Although there are laws that state companies need to notify customers in the wake of a breach, recent headlines have shown that many businesses wait longer than they should before taking that step. Tripwire could play a huge role in providing better consumer safety.
Joe DeBlasio, one of the study’s co-authors, explained: “While Tripwire can’t catch every data breach, it essentially has no false positives — everything it detects definitely corresponds to a data breach. Tripwire triggering means that an attacker had access to data that wasn’t shared publicly.”