8 comments

[ 2.3 ms ] story [ 33.0 ms ] thread
Could this be any less technical? This seems to barely even qualify as something to be show on hacker news.

It doesn't talk about the exploited service, the vulnerability, if it was known, etc.

Instead they tell us 'signs of spam'.

It sounds like they're still investigating and will update the page when they have more details to share. It's interesting because Play.com suffered a similar breach recently (a third party company was the target, if I remember correctly)

That being said, "It affected a portion of our membership" is the least useful answer to "How many members were impacted?" that I have ever seen.

"We've identified the vulnerability, shut it down and are vigorously pursuing the matter with law enforcement."

Is a pretty clear assertion that they are aware of how the attack took place and know how to patch the issue.

Agreed. That doesn't mean they're going to publicly disclose all of the details of the breach, especially before they've established its scope.
Definitely, my original point was that the information they released (or lack thereof with regards to the technical aspect) made for an article lacking in depth and not something I would generally want to see on hn.

Hopefully once damage control is complete, we'll learn more.

It would be nice to know what percentage of their 20 million members were effected... being a member myself, this concerns me. Also, in light of the play.com incident, it would be nice to know if it were TripAdvisor that was compromised, or was it their own 3rd party email provider.
I think, if anything, it's a lesson to entrepreneurs to be open when such things happen. Be honest. Be up front. Be frank. Be proactive.

The temptation will often to be hide this kind of thing, claiming it's irrelevant (which typically just means it's embarrassing).

Also, I'm glad to see this isn't another incident where a vulnerability reveals a site is storing passwords in plaintext (like Gizmodo). Seriously, why do people do this?

Oddly, their use of an all-capitalised SPAM contravenes the Hormel "acceptable use" terms at http://www.spam.com/about/internet.aspx, as well as looking extremely out-of-place in their text (I originally assumed the opposite, that they were doing it to distinguish from Spam or spam).

Maybe they think it's an acronym?