The popular travel guide and restaurant review website TripAdvisor.com will invalidate a member’s password if their email and password have been exposed in previous data breaches. The step was taken after the firm found that some of its members’ passwords were revealed in several unauthorized disclosures. The firm believes that threat actors can misuse these stolen credentials to perform credential stuffing attacks.
What does the company have to say?
The company has sent emails to the potential victims to warn them that their data has been found in the ‘lists of publicly leaked passwords’ and that they need to reset their passwords. The potential victims have been informed that their current passwords have been disabled and that they must change them in order to recover their accounts.
TripAdvisor is taking this affirmative step to prevent its members’ accounts from being compromised via credential stuffing attacks.
“As part of our ongoing efforts to protect your security, TripAdvisor recently compared our member databases with lists of publicly leaked passwords. Unfortunately, your email and password were included on a list of leaked passwords. As a result, to protect your TripAdvisor account, we have invalidated your password,” reads TripAdvisor’s email notification, Z6Mag reported.
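The check described in the notification, comparing member records against a leaked credential list and disabling only exact email-and-password matches, can be sketched as follows. This is an added example, not TripAdvisor's code: the salted PBKDF2 storage, the `email:password` list format and all names and sample data are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def make_member(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "must_reset": False}

def parse_leak_line(line):
    """Parse 'email:password'; the password itself may contain ':'."""
    email, sep, password = line.strip().partition(":")
    if not sep or "@" not in email or not password:
        return None  # malformed entry, skip it
    return email.strip().lower(), password

def invalidate_leaked(members, leak_lines):
    """Disable the stored password of each member whose exact pair is leaked."""
    affected = []
    for line in leak_lines:
        pair = parse_leak_line(line)
        member = members.get(pair[0]) if pair else None
        if member is None or member["hash"] is None:
            continue  # not a member, or already invalidated
        # Re-hash the leaked password with this member's salt and compare.
        if hmac.compare_digest(hash_password(pair[1], member["salt"]), member["hash"]):
            member["hash"] = None        # no password verifies until reset
            member["must_reset"] = True  # drives the reset-required email
            affected.append(pair[0])
    return affected

# Constructed sample data (hypothetical members and leak list).
MEMBERS = {
    "alice@example.com": make_member("Summer2019!"),
    "bob@example.com": make_member("correct horse battery staple"),
    "carol@example.com": make_member("p:ass:word"),
}
LEAK = [
    "Alice@Example.com:Summer2019!",  # exact pair, different email casing
    "bob@example.com:hunter2",        # email leaked with a different password
    "carol@example.com:p:ass:word",   # password containing ':'
    "not-a-valid-line",
]

if __name__ == "__main__":
    print(invalidate_leaked(MEMBERS, LEAK))
```

Because the leaked password is re-hashed with each member's own salt, the service never needs to store or recover plaintext passwords to run this comparison.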
What is a credential stuffing attack?
Credential stuffing is a type of account takeover attack in which an attacker uses a collection of stolen login credentials to break into a user’s account. The attacker uses lists of usernames and passwords that were leaked in previous security breaches.
What are other recommendations from TripAdvisor?
TripAdvisor has also asked its users not to reuse the same password in other services. It has urged them to take additional steps to protect their online accounts.
“Also, we recommend that you take additional steps for the safety of your other online accounts. If your discontinued TripAdvisor password is used on any other site or app, change your password on those sites/apps — and avoid using any password on more than one site,” they added.