As you know, Friday of last week Google began labeling sites with this site may be compromised when a site was hacked. But why did Google start doing this?
In the past, hacked sites were simply removed from the Google index and the webmaster was sent a notice via Google Webmaster Tools and via email (when possible). Why did Google decide to leave the hacked site in the index but simply label it as being compromised?
That is the question asked by WebmasterWorld members and answered by Google's Matt Cutts. Matt Cutts explained:
The fact is, not everyone logs into Webmaster Tools obsessively to see if they have any messages. So we needed to find a way to surface this potential risk so that site owners would find out more quickly if they've been hacked.
We now have two different responses for sites with malware vs. sites that we think may be hacked. When we detect malware, we try harder to let users know that they may be stepping into a dangerous part of the web (e.g. an interstitial so that users really need to be sure they want to visit that page).
In contrast, a hacked site might not be immediately dangerous to users. But we still want to alert site owners, because if a site is hacked right now, in practice it's not too much harder for a bad actor to add malware to the hacked page.
You see, a webmaster is more likely to see their site's label in Google then look at their notifications in webmaster tools or trust an apparent email from Google about a site hack. The label in Google might encourage the webmaster to close the hack sooner than later.
Forum discussion at WebmasterWorld.