Tripadvisor has just sent an email to contributors notifying them that the login information and passwords held in its database match entries on a leaked list that has surfaced in the wild.
As a result, Tripadvisor has disabled the affected accounts, and those users are required to reset their passwords through the “forgot password” function.
Tripadvisor is a very popular platform that has engaged and helped travelers from the early stages of online reviews.
There is no news about this on the Tripadvisor website, not on their main site or under press releases. The only source is the email sent out by TA today:
As part of our ongoing efforts to protect your security, TripAdvisor recently compared our member databases with lists of publicly leaked passwords. Unfortunately, your email and password were included on a list of leaked passwords. As a result, to protect your TripAdvisor account we have invalidated your password.
Please visit the following page to create a new password for your account: [TA Forgot Password tab].
In addition, we recommend that you take additional steps for the safety of your other online accounts. If your discontinued TripAdvisor password is used on any other site or app, change your password on those sites/apps — and avoid using any password on more than one site.
If you have questions about any of this information, please contact us at loginsupport@tripadvisorsupport.com !
I requested a new password directly from the TripAdvisor website:
Changing the password is painless, but it gets out of hand if you really follow the advice of not using the same password at multiple websites. Who could remember all of them? And keeping a master list is probably not the best idea either.
Conclusion
Unfortunately, the wording of the e-mail can easily lead one to believe that TripAdvisor has been hacked, which, after some review, does not appear to be the case. It does, however, raise the broader question of TripAdvisor's IT security.
Proper security practice means not storing plaintext passwords, or simple unsalted hashes of those passwords, in a database. Each password hash should be “salted” with a unique, per-user random value so that the resulting hash fingerprint is unique even when two users choose the same password. Since recovering a plaintext password from a properly salted and hashed value is practically infeasible, if TA was able to match its own hashes directly against those publicly available, it gives cause for concern about how TripAdvisor is or was storing user passwords and opens up further security questions.
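To make the salting point concrete, here is an added example (written for this post, not TripAdvisor's code or any description of its systems). It builds two toy password stores over a constructed set of users: one with bare SHA-256 hashes, one with per-user random salts and PBKDF2. With the unsalted store, two users sharing a password get identical hashes and a leaked plaintext list can be matched with a single hash lookup per entry. With the salted store, the hashes differ, and a direct hash comparison against a leaked list finds nothing; screening such a store against leaked plaintexts is still possible for a defender, but only by re-hashing every candidate with every user's salt, which is the work factor salting is meant to impose. The user records and the leaked list are made up for the example.

```python
import hashlib
import hmac
import os

# Constructed sample records (not real accounts or TripAdvisor data).
USERS = {
    "alice@example.com": "Summer2011!",
    "bob@example.com": "Summer2011!",  # same password as alice
    "carol@example.com": "correct horse battery staple",
}

# Constructed "publicly leaked" plaintext password list, as published after
# a breach at some unrelated site.
LEAKED_PLAINTEXT = ["123456", "Summer2011!", "password"]

PBKDF2_ITERATIONS = 100_000


def unsalted_hash(password: str) -> str:
    """The weak scheme: one plain SHA-256 digest per password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> bytes:
    """The recommended scheme: per-user salt plus a slow key-stretching hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def build_unsalted_store(users: dict) -> dict:
    """email -> hex digest. Identical passwords yield identical entries."""
    return {email: unsalted_hash(pw) for email, pw in users.items()}


def build_salted_store(users: dict) -> dict:
    """email -> (salt, digest). A fresh 16-byte random salt per user."""
    store = {}
    for email, pw in users.items():
        salt = os.urandom(16)
        store[email] = (salt, salted_hash(pw, salt))
    return store


def unsalted_matches(store: dict, leaked_plaintext: list) -> dict:
    """Hash the leaked list once, then match every user by dictionary lookup.

    This is cheap for anyone holding the database: O(users + leaked entries).
    """
    leaked_by_hash = {unsalted_hash(p): p for p in leaked_plaintext}
    return {email: leaked_by_hash[h] for email, h in store.items() if h in leaked_by_hash}


def unsalted_hashes_against_salted_store(store: dict, leaked_plaintext: list) -> dict:
    """A leaked list of bare hashes cannot be compared directly to a salted store."""
    leaked_digests = {bytes.fromhex(unsalted_hash(p)) for p in leaked_plaintext}
    return {email: True for email, (_salt, digest) in store.items() if digest in leaked_digests}


def salted_matches(store: dict, leaked_plaintext: list) -> dict:
    """Defender-side screening of a salted store against leaked plaintexts.

    Every candidate must be re-derived with each user's own salt, so the cost
    is O(users * leaked entries * iterations) rather than a single lookup.
    """
    hits = {}
    for email, (salt, digest) in store.items():
        for candidate in leaked_plaintext:
            if hmac.compare_digest(salted_hash(candidate, salt), digest):
                hits[email] = candidate
                break
    return hits


def shared_hash_count(store: dict) -> int:
    """Number of users whose stored value is identical to another user's."""
    values = [v if isinstance(v, str) else v[1] for v in store.values()]
    return sum(1 for v in values if values.count(v) > 1)


if __name__ == "__main__":
    plain = build_unsalted_store(USERS)
    salted = build_salted_store(USERS)
    print("unsalted store: users sharing a hash =", shared_hash_count(plain))
    print("unsalted store: leaked matches =", unsalted_matches(plain, LEAKED_PLAINTEXT))
    print("salted store:   users sharing a hash =", shared_hash_count(salted))
    print("salted store:   bare-hash comparison =", unsalted_hashes_against_salted_store(salted, LEAKED_PLAINTEXT))
    print("salted store:   per-user rehash screen =", salted_matches(salted, LEAKED_PLAINTEXT))
```

The point of the last two calls is the asymmetry: a leaked list of bare hashes tells you nothing about a salted store, while screening it against leaked plaintexts remains possible but costs a full key derivation per user per candidate. Notifying users whose password appears on a leaked list is therefore achievable with a properly salted store; what a direct hash-to-hash match would imply is that the stored values were not salted.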
NOTE: Original post has been edited for clarity.