The popular travel guide and restaurant review website Tripadvisor.com has found that some of its members' passwords were exposed in earlier data breaches, and it is proactively invalidating the passwords of the users it believes are affected by those disclosures.
The company emailed the potential victims to warn them that their credentials appear in a leaked data set and to let them know that TripAdvisor has disabled the password they currently use to log in to their accounts. The recipients were asked to reset their passwords in order to regain access.
TripAdvisor, Inc. is a Massachusetts-based travel and restaurant website company that publishes hotel and restaurant reviews, accommodation bookings, and other travel-related content, including interactive travel forums. It is considered the largest "social travel website" in the world, with about 315 million reviewers (active and inactive) and about 500 million reviews of hotels, restaurants, attractions and other travel-related businesses.
According to TripAdvisor, the recipients of the notification emails had their accounts on "lists of publicly leaked passwords," so the company is invalidating those passwords to head off credential stuffing attacks against its users.
A credential stuffing attack is one in which attackers compile usernames and passwords leaked in previous breaches and replay those pairs against other sites, betting that the owners reused the same credentials there. Unlike brute force, each account is typically tried only once or twice, with a known password rather than a guess.
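The pattern just described leaves a recognisable trace in authentication logs: one source address cycling through many distinct usernames, one attempt each, with a high failure ratio and the occasional success. The following is an added example, not code from TripAdvisor or from the original article; the log format and the sample lines are constructed, and the thresholds are illustrative choices, not published values.

```python
import re
from collections import defaultdict

# Constructed sample of authentication log lines (not real TripAdvisor logs).
# 203.0.113.7 replays eight different usernames, one try each, and happens to
# succeed on one of them: the classic credential stuffing shape.
# 198.51.100.2 is one user mistyping a password twice before logging in.
# 192.0.2.9 hammers a single account: brute force, not stuffing.
SAMPLE_LOG = """\
2019-01-18T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2019-01-18T10:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2019-01-18T10:00:02Z ip=203.0.113.7 user=carol@example.com result=FAIL
2019-01-18T10:00:03Z ip=203.0.113.7 user=dave@example.com result=OK
2019-01-18T10:00:03Z ip=203.0.113.7 user=erin@example.com result=FAIL
2019-01-18T10:00:04Z ip=203.0.113.7 user=frank@example.com result=FAIL
2019-01-18T10:00:04Z ip=203.0.113.7 user=grace@example.com result=FAIL
2019-01-18T10:00:05Z ip=203.0.113.7 user=heidi@example.com result=FAIL
2019-01-18T10:05:10Z ip=198.51.100.2 user=ivan@example.com result=FAIL
2019-01-18T10:05:20Z ip=198.51.100.2 user=ivan@example.com result=FAIL
2019-01-18T10:05:31Z ip=198.51.100.2 user=ivan@example.com result=OK
2019-01-18T10:07:00Z ip=192.0.2.9 user=judy@example.com result=FAIL
2019-01-18T10:07:01Z ip=192.0.2.9 user=judy@example.com result=FAIL
2019-01-18T10:07:02Z ip=192.0.2.9 user=judy@example.com result=FAIL
2019-01-18T10:07:03Z ip=192.0.2.9 user=judy@example.com result=FAIL
2019-01-18T10:07:04Z ip=192.0.2.9 user=judy@example.com result=FAIL
2019-01-18T10:07:05Z ip=192.0.2.9 user=judy@example.com result=FAIL
"""

# Hypothetical log format: timestamp, source IP, username, outcome.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def summarize_by_ip(events):
    """Aggregate attempts, failures, distinct users and successful logins per source IP."""
    stats = defaultdict(
        lambda: {"users": set(), "attempts": 0, "fails": 0, "successes": set()}
    )
    for ev in events:
        s = stats[ev["ip"]]
        s["users"].add(ev["user"])
        s["attempts"] += 1
        if ev["result"] == "FAIL":
            s["fails"] += 1
        else:
            s["successes"].add(ev["user"])
    return stats


def detect_credential_stuffing(events, min_distinct_users=5, min_fail_ratio=0.7):
    """Return {ip: detail} for sources that look like credential stuffing:
    many distinct usernames, at most a couple of attempts per username, and a
    high failure ratio. One username with many failures is brute force rather
    than stuffing and is deliberately left to a separate detector."""
    flagged = {}
    for ip, s in summarize_by_ip(events).items():
        distinct = len(s["users"])
        if distinct < min_distinct_users:
            continue
        attempts_per_user = s["attempts"] / distinct
        fail_ratio = s["fails"] / s["attempts"]
        if attempts_per_user <= 2 and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": distinct,
                "fail_ratio": round(fail_ratio, 2),
                # Accounts the attacker actually got into: these are the ones
                # whose passwords a site would want to invalidate first.
                "compromised": sorted(s["successes"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, detail in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, detail)
```

The "compromised" list is the actionable output: those accounts were reached with a working password and need an immediate reset, while the other usernames the source tried are candidates for a proactive check against leaked lists.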
“As part of our ongoing efforts to protect your security, TripAdvisor recently compared our member databases with lists of publicly leaked passwords. Unfortunately, your email and password were included on a list of leaked passwords. As a result, to protect your TripAdvisor account, we have invalidated your password,” read TripAdvisor’s email notification.
As a further precaution, TripAdvisor is encouraging the recipients to change their passwords on any other service where they use the same password as for their TripAdvisor account.
“Also, we recommend that you take additional steps for the safety of your other online accounts. If your discontinued TripAdvisor password is used on any other site or app, change your password on those sites/apps — and avoid using any password on more than one site,” they added.
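The notification says TripAdvisor "compared our member databases with lists of publicly leaked passwords." A site that stores passwords properly holds only salted, slow hashes, so it cannot match a leak by comparing hashes directly; it has to re-hash each leaked plaintext under the matching member's salt and see whether the result equals the stored hash. The following is an added example of that comparison, written for this article and not TripAdvisor's own code; the member records, the leaked list and the PBKDF2 parameters are constructed, and nothing beyond the quoted email is known about how TripAdvisor actually ran its check. The second half shows the related login-time check against a password-only corpus, indexed by SHA-1 prefix so that a lookup service never sees the full hash.

```python
import hashlib
import hmac
import os

# Deliberately low so the example runs quickly; production should use far more
# rounds (or a memory-hard function such as scrypt or Argon2).
PBKDF2_ROUNDS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the form in which a site should store passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_member_db(credentials):
    """Build a constructed member table: email -> (salt, stored hash)."""
    db = {}
    for email, password in credentials:
        salt = os.urandom(16)
        db[email.lower()] = (salt, hash_password(password, salt))
    return db


# Constructed members (not real TripAdvisor data).
MEMBER_DB = make_member_db([
    ("alice@example.com", "Summer2018!"),        # reused on the breached site
    ("bob@example.com", "tripadvisor-only-pw"),  # leaked elsewhere, but with a different password
    ("carol@example.com", "Hunter2!Hunter2"),
])

# Constructed "publicly leaked" email/password pairs dumped from some other service.
LEAKED_CREDENTIALS = [
    ("alice@example.com", "Summer2018!"),
    ("bob@example.com", "bob-other-site-pw"),
    ("dave@example.com", "password123"),  # not a member at all
]


def members_to_invalidate(member_db, leaked):
    """Re-hash each leaked plaintext under the matching member's salt and compare
    in constant time; return the members whose current password is in the leak."""
    hits = set()
    for email, leaked_pw in leaked:
        entry = member_db.get(email.lower())
        if entry is None:
            continue
        salt, stored = entry
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored):
            hits.add(email.lower())
    return sorted(hits)


def build_range_index(leaked_passwords):
    """Index a password-only corpus by the first 5 hex chars of its SHA-1, the
    k-anonymity layout popularised by Have I Been Pwned's range lookup. This is
    a local stand-in; no network service is called."""
    index = {}
    for pw in leaked_passwords:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


# Constructed leaked-password corpus for the login/registration-time check.
LEAKED_PASSWORD_INDEX = build_range_index(["password123", "Summer2018!", "qwerty"])


def is_password_leaked(password, index=LEAKED_PASSWORD_INDEX):
    """True if the password's SHA-1 suffix appears under its 5-char prefix bucket.
    Only the prefix would ever leave the host if the index were remote."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in index.get(digest[:5], set())


if __name__ == "__main__":
    print("invalidate:", members_to_invalidate(MEMBER_DB, LEAKED_CREDENTIALS))
    print("password123 leaked:", is_password_leaked("password123"))
```

Note the asymmetry the example makes visible: bob appears in the leak but keeps his TripAdvisor password, because the leaked password does not verify against his stored hash, whereas alice is flagged because she reused hers. A site that stored unsalted fast hashes could skip the re-hashing step, which is precisely why it should not be storing them that way.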
TripAdvisor is no stranger to controversy. From fraudulent reviews to fake restaurants, the platform has been plagued by issues involving its services. TripAdvisor has already blacklisted approximately 30 hotels for suspicious reviews, including a Cornwall hotel that bribed guests to leave positive reviews.
TripAdvisor has stated that reviews are not posted to the website instantly but go through a verification process that considers the IP address and email address of the author and looks for suspicious patterns or obscene or abusive language. As part of its commitment to accurate and honest reviews, the platform also lets users report suspected fake reviews on the site.
But the question remains: why do the members' passwords appear on "lists of publicly leaked passwords"? One explanation is that the affected users chose the same password for TripAdvisor as for other services. When another platform suffers a breach that exposes its members' passwords, those passwords circulate online, and anyone who obtains them can try them against every other platform where the same password was set. That is why it is crucial to use a different password on each site, ideally generated and stored by a password manager, so that the compromise of one service does not hand an attacker the keys to the rest.