TripAdvisor hacked, but passwords secure

Travel site TripAdvisor has admitted that it’s been hacked, and that the company’s email list has been stolen. It’s warning its customers that they may be set to receive quantities of spam as a result.

In an email to customers, the company says that only a portion of the 20 million-strong list was taken, that it never sells or rents its member list, and that all member passwords are secure. TripAdvisor says it ddoesn’t collect credit card information.

“We’ve confirmed the source of the vulnerability and shut it down. We’re taking this incident very seriously and are actively pursuing the matter with law enforcement,” it says. It’s also promising to tighten up security in future.

The breach is unlikely to cause customers any problems, says Paul Ducklin, head of technology for the Asia Pacific region with security firm Sophos.

“The stolen email list will be pretty handy to spammers and scammers, and TripAdvisor shouldn’t have let the crooks get hold of it. But many people publish their email addresses openly anyway, or have addresses that are easy to guess,” he says.

“So your email addresses is probably the least worrying part of your online persona to lose. That makes this an embarassing breach rather than a dangerous one.”

However, users will be likely to receive more spam than usual as a result of the data breach, and may need to watch out for phishing attacks. The emails could be reasonably plausible, and could purport to come from TripAdvisor itself, perhaps asking for financial information.