TripAdvisor

With credential stuffing attacks running rampant, TripAdvisor will invalidate a member's password if their email and password were found in publicly leaked data breach databases.

A friend received an email from TripAdvisor.com yesterday and was concerned that it was a phishing email because it stated that their email address and password were found in "lists of publicly leaked passwords". Because of that, the company invalidated their password, and they would need to reset it before they could log in again.

TripAdvisor Email

While receiving this email may at first make a person think it is a phishing scam, it is in fact a legitimate email. TripAdvisor is doing this to prevent a member's account from being compromised using credential stuffing attacks.

A credential stuffing attack is when attackers compile usernames and passwords that were leaked in previous security breaches and use those credentials to try to gain access to other sites.

With new reports of data breaches or leaks coming out almost every day, and people using the same password at every site where they create an account, TripAdvisor's policy is a good one, as it only serves to protect its members.
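The kind of check the email describes can be sketched as follows. This is an added example, not TripAdvisor's code: it assumes members are stored with a per-user salt and a PBKDF2 hash, that the leak list is `email:password` lines, and all names and sample data are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; PBKDF2 stands in for the site's real hash

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def new_member(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "must_reset": False}

def parse_leak(lines):
    """Yield (email, password) from 'email:password' lines, skipping malformed ones."""
    for line in lines:
        email, sep, password = line.rstrip("\r\n").partition(":")
        if sep and "@" in email and password:
            yield email.strip().lower(), password  # passwords may contain ':'

def invalidate_leaked(members: dict, leak_lines) -> list:
    """Invalidate members whose current password matches a leaked pair."""
    flagged = []
    for email, leaked_password in parse_leak(leak_lines):
        member = members.get(email)
        if member is None or member["hash"] is None:
            continue  # not a member, or already invalidated
        candidate = hash_password(leaked_password, member["salt"])
        if hmac.compare_digest(candidate, member["hash"]):
            member["hash"] = None        # no password verifies until a reset
            member["must_reset"] = True
            flagged.append(email)
    return flagged

# Constructed sample data: hypothetical members and a hypothetical leak list.
MEMBERS = {
    "alice@example.com": new_member("Summer2019!"),
    "bob@example.com": new_member("x:7Gq#unique-to-this-site"),
    "carol@example.com": new_member("pa:ss:word"),
}
LEAK = [
    "Alice@Example.com:Summer2019!",   # reused password -> invalidate
    "bob@example.com:oldpassword1",    # leaked, but not the current password
    "carol@example.com:pa:ss:word",    # password itself contains ':'
    "dave@example.com:hunter2",        # not a member
    "garbage line without separator",
]

if __name__ == "__main__":
    print(invalidate_leaked(MEMBERS, LEAK))
```

Only accounts whose current password actually verifies against the leaked value are invalidated; an email that merely appears in a leak with a different password is left alone.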

So if you receive this email, do not be worried; just reset your TripAdvisor password at https://www.tripadvisor.com/MemberForgotPassword if you wish to log in to the site again.

The email TripAdvisor sends out when it finds one of its members using credentials that appeared in a data breach or leak can be read in its entirety below:

Dear TripAdvisor Traveler,
 
As part of our ongoing efforts to protect your security, TripAdvisor recently compared our member databases with lists of publicly leaked passwords. Unfortunately, your email and password were included on a list of leaked passwords. As a result, to protect your TripAdvisor account we have invalidated your password.
  
We recommend that you create a strong password that includes:

 * A unique combination of words, numbers, symbols, and both upper- and lower-case letters 
 * A minimum of eight (8) characters 
 * No commonly used words
 
Please visit the following page to create a new password for your account:
 
https://www.tripadvisor.com/MemberForgotPassword
 
In addition, we recommend that you take additional steps for the safety of your other online accounts. If your discontinued TripAdvisor password is used on any other site or app, change your password on those sites/apps — and avoid using any password on more than one site.  
 
Thank you for being a valued part of our community, and for taking a moment to create a new password. If you have questions about any of this information, please contact us at loginsupport@tripadvisorsupport.com
   
Best Regards,
The TripAdvisor Team
