It sounds like they're still investigating and will update the page when they have more details to share. It's interesting because Play.com suffered a similar breach recently (a third party company was the target, if I remember correctly)
That being said, "It affected a portion of our membership" is the least useful answer to "How many members were impacted?" that I have ever seen.
Definitely, my original point was that the information they released (or lack thereof with regards to the technical aspect) made for an article lacking in depth and not something I would generally want to see on hn.
Hopefully once damage control is complete, we'll learn more.
It would be nice to know what percentage of their 20 million members were effected... being a member myself, this concerns me. Also, in light of the play.com incident, it would be nice to know if it were TripAdvisor that was compromised, or was it their own 3rd party email provider.
I think, if anything, it's a lesson to entrepreneurs to be open when such things happen. Be honest. Be up front. Be frank. Be proactive.
The temptation will often to be hide this kind of thing, claiming it's irrelevant (which typically just means it's embarrassing).
Also, I'm glad to see this isn't another incident where a vulnerability reveals a site is storing passwords in plaintext (like Gizmodo). Seriously, why do people do this?
Oddly, their use of an all-capitalised SPAM contravenes the Hormel "acceptable use" terms at http://www.spam.com/about/internet.aspx, as well as looking extremely out-of-place in their text (I originally assumed the opposite, that they were doing it to distinguish from Spam or spam).
8 comments
[ 2.3 ms ] story [ 33.0 ms ] threadIt doesn't talk about the exploited service, the vulnerability, if it was known, etc.
Instead they tell us 'signs of spam'.
That being said, "It affected a portion of our membership" is the least useful answer to "How many members were impacted?" that I have ever seen.
Is a pretty clear assertion that they are aware of how the attack took place and know how to patch the issue.
Hopefully once damage control is complete, we'll learn more.
The temptation will often to be hide this kind of thing, claiming it's irrelevant (which typically just means it's embarrassing).
Also, I'm glad to see this isn't another incident where a vulnerability reveals a site is storing passwords in plaintext (like Gizmodo). Seriously, why do people do this?
Maybe they think it's an acronym?