They say there are 361 sites pulled from TwoFactorAuth.org's list of sites, and they were able to access 145 of them.
In describing the set they initially drew from, it seems like they've described the 17 redacted sites simply by describing their complementary set (the 128 sites that are secure).
In describing the set they initially drew from, it seems like they've described the 17 redacted sites simply by describing their complementary set (the 128 sites that are secure).