The BBC said, "Up to 12 million websites may have been compromised". That number has now spread like wildfire around the web. Unfortunately, it's an absurd statistic and never should have been published.

The BBC report relied on some really bad analysis from Sophos.com. Here's how Sophos seems to have arrived at their estimate:

First, they said there are 1 billion websites in total, using Netcraft as a reference.

Next, they looked at W3Techs, which shows Drupal powering 1.9% of all websites. So they calculated 1.9% of 1 billion, which gives 19 million.

Finally, they used the W3Techs estimate that 65% of Drupal sites are using Drupal 7. Calculating 65% of 19 million produces the final estimate of 12 million.

Every stage in that calculation uses bad statistics that are contradicted by other sources. So, if we can't trust the widely reported figure of 12 million, what can we know for sure about the size of this security issue?

Drupal.org reports that there are fewer than a million Drupal 7 websites in total. Yes, it's true that those statistics come only from Drupal sites using the Update module, and some of the larger, more professionally built sites disable Update when they go live. But despite that, it's hard to imagine there are enough sites that disable the Update module to push the Drupal 7 total far beyond 1 million. BuiltWith.com puts the entire Drupal ecosystem at only 780,000 sites.

So, if there are around 1 million sites on Drupal 7, how many were hacked?

Bevan Rudge estimated that "between ten and ninety percent of all Drupal websites" were hacked. That's such a broad range that Bevan is essentially saying, "we don't know", which is honest.

My conclusion: it's hard to say anything more precise than that this problem extends to "10,000's or possibly 100,000's of sites".