Travel website TripAdvisor on Thursday warned users to expect more spam after hackers stole a portion of its 20 million member database.
In a message to users posted on the company's website, Steve Kaufer, co-founder and CEO of TripAdvisor, said an unspecified vulnerability allowed hackers to break into its systems and steal the data. The company did not reveal how many of its users are affected.
“We've confirmed the source of the vulnerability and shut it down,” Kaufer said. “We're taking this incident very seriously and are actively pursuing the matter with law enforcement.”
All member passwords are secure, Kaufer said. In addition, TripAdvisor does not collect members' credit card or financial information.
TripAdvisor, owned by Expedia, is the world's largest travel site and offers reviews and information about hotels, flights and restaurants. The company said it is still investigating the incident but discovered the breach over the weekend of March 19. TripAdvisor is implementing security precautions to ensure a similar incident does not occur in the future, Kaufer said, though he did not specify what that would entail.
Randy Abrams, director of technical education at anti-virus firm ESET, criticized the company for providing scant details about the incident.
“TripAdvisor states that a portion of the user email addresses were compromised,” Abrams wrote in a blog post Thursday. “99.9999 percent is a portion. One percent is also a portion…The actual language in the email from the CEO seems to be intentionally vague, which usually means it was a significant portion.”
A TripAdvisor spokeswoman told SCMagazineUS.com on Friday that the company could not provide any additional details about the breach.
In a fact sheet about the breach, TripAdvisor warned that spam messages may include phishing attacks, which ask users for credit card information, financial data or passwords. TripAdvisor will never ask for personal information or passwords via email, the company said.
And besides receiving more spam, affected users may encounter additional attacks due to the exposure of their email addresses, Josh Shaul, CTO of Application Security, a database security, risk and compliance solutions provider, told SCMagazineUS.com in an email Friday. The attackers may be able to input the stolen email addresses into so-called “password guessing” software and attempt to hack the email accounts directly.
“People often use the same email address and password for all of their online accounts, including social networking sites and online shopping,” he said. “Now is a great time to make sure you have good, strong and unique passwords on all the websites that store your personal or financial information.”
Shaul added that the attackers likely exploited the unspecified flaw by launching an SQL injection attack, which is the most common method used to gain access to databases.
“It's important that they fully investigate the scope of the attack and ensure that the hackers didn't exploit vulnerabilities in the database to set up backdoors, install malware or take a foothold on the network,” he said.