TripAdvisor Resets Compromised Passwords. What Do Users Need to Do?
Last week, some TripAdvisor users received an email notification related to their account security. It could very well be the perfect example of a good idea that's not very well executed.
The email shows that TripAdvisor really is looking after its users, and with good reason. A couple of years ago, users of the travel and restaurant-rating platform also received email notifications. Back then, TripAdvisor had noticed unauthorized access to some accounts and was trying to alert their owners.
TripAdvisor wasn't hacked, though. The crooks were using lists of usernames and passwords leaked during data breaches at other online services and were taking advantage of the fact that many people had reused their passwords. In other words, TripAdvisor users were targeted by a credential stuffing attack.
TripAdvisor tried to be proactive
TripAdvisor's security people don't want to see that happening again, which is why they want to make sure that as few travelers as possible use compromised passwords. They sourced databases full of email and password combinations stolen from other services and started comparing them to the login data of their own users. Predictably, they found more than a few matches, and they are alerting people about it.
All accounts protected by leaked passwords have been locked, and if the owners want to continue using TripAdvisor, they need to pick a new password. It will also be checked against the compromised data, and if there's a match, the travel platform won't allow it. The email alert is garnished with the almost mandatory tips for making a password long and complex. There is, of course, a warning against password reuse as well.
People's password hygiene is nothing short of awful, and forcing them away from passwords that are already compromised is probably the first step we can take towards improving the situation. Many online services should take note and follow in TripAdvisor's footsteps. The thing is, they can (and should) do a much better job.
The lack of information and a less-than-perfect notification left people in doubt
People with an interest in cybersecurity were rather intrigued by TripAdvisor's email. Initially, they thought that the travel platform had used the HaveIBeenPwned data breach notification service to check users' passwords. Troy Hunt, HaveIBeenPwned's creator, however, didn't confirm this, which left people wondering where TripAdvisor got the compromised data from. They are also wondering what this check might mean for TripAdvisor's password storage mechanisms.
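The check described above (rejecting a new password that appears in leaked data) can be done without the service ever sending the candidate password, or even its full hash, to a third party. The example below is added here and is not TripAdvisor's code or HaveIBeenPwned's; it reimplements the k-anonymity "range" scheme that HIBP's Pwned Passwords API uses, with a constructed in-memory corpus and a stand-in `fetch_range` function in place of the network call.

```python
import hashlib
from typing import Dict, List, Tuple

def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the format used by Pwned Passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for a compromised-credential corpus. The passwords are
# well-known leaked ones; the occurrence counts are made up for this example.
_LEAKED: Dict[str, int] = {"password": 3861493, "123456": 37359195, "qwerty": 3912816}

def build_ranges(leaked: Dict[str, int]) -> Dict[str, str]:
    """Group leaked hashes by their first five hex chars into 'SUFFIX:COUNT' lines,
    mirroring the response body of GET /range/{prefix}."""
    ranges: Dict[str, List[str]] = {}
    for pw, count in leaked.items():
        h = sha1_hex(pw)
        ranges.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return {prefix: "\r\n".join(sorted(lines)) for prefix, lines in ranges.items()}

RANGES = build_ranges(_LEAKED)

def fetch_range(prefix: str) -> str:
    """Offline stand-in for the HTTP call. Only the 5-char prefix is ever sent,
    so the remote side learns neither the password nor its full hash."""
    assert len(prefix) == 5
    return RANGES.get(prefix, "")

def pwned_count(password: str) -> int:
    """How many times the password appears in the corpus (0 = not found).
    The 35-char hash suffix is matched locally against the returned range."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in fetch_range(prefix).splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0

def accept_new_password(password: str, min_len: int = 12) -> Tuple[bool, str]:
    """Policy a reset page could apply: length floor plus a breach-corpus check."""
    if len(password) < min_len:
        return False, "too short"
    hits = pwned_count(password)
    if hits:
        return False, f"seen {hits} times in breach data"
    return True, "ok"
```

Checking existing users' stored passwords the way the article describes only works if the service can compare its own stored form against the leaked material, which is why the storage question raised above matters.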
Unfortunately, these questions remain unanswered. TripAdvisor didn't announce the check officially, and it has said nothing about how it was done. Although people are asking questions, the online service still hasn't released any information.
The email is hardly convincing either. The fact that it starts with "Dear TripAdvisor Traveler" and contains a link to the password reset page actually made some people think that it was a phishing scam. Thankfully, it's not. The email is 100% legitimate, and if you've received it, you should definitely read it carefully and follow the instructions.
For all its good intentions, TripAdvisor should have known that when people's privacy is at stake, transparency is crucial. The lack of official information and the way the email was designed left people in doubt, and this shouldn't have happened.
Hopefully, the next platform that decides to make people get rid of their stolen passwords will be more upfront about what it's doing and how.