A Web security expert has warned members of international travel website TripAdvisor.com, including its Australian subsidiary, that their email details may be in the hands of spammers following a hack this week.
Pure Hacking Australian chief technology officer, Ty Miller, said that because the site has about 20 million members worldwide, there was a high possibility the hack was a targeted attack.
If it wasn’t a targeted attack, another technique known as “Google Hacking” may have been used. This allows attackers to use advanced search queries to locate vulnerable websites, which may then be attacked.
“It may have been that TripAdvisor came up as a vulnerable website,” he said on why the site had been specifically targeted.
Miller also said spammers can use that information as part of online profiling because an email address is a unique identifier.
“Some people put their emails out on the Internet without thinking about how this can be used against them,” he said.
“If I was to search for other information related to you, I can use that address as a unique identifier within Google searches to pull other information about you such as date of birth and phone numbers.”
All this information can be pulled together to create a profile which the spammer can then use to craft targeted emails relating to personal interests such as travel.
“Everyone is a target these days. You can’t sit back and think you won’t be hit,” said Miller.
In a statement on its website, the company advised that an unauthorised third party had stolen part of TripAdvisor's member email list.
“We're taking this incident very seriously. We've identified the vulnerability, shut it down and are vigorously pursuing the matter with law enforcement,” read the statement.
Details of how many members were affected and what countries they were in were not released. A portion of its membership that was impacted may receive some unsolicited emails or spam.
“No passwords were taken, and any and all password information is secure. TripAdvisor does not collect members' credit card or financial information, and we never sell or rent our member list,” read the statement.
The company advised members to avoid opening suspicious or unsolicited emails.
“Never respond to spam email or click any links in spam email. Avoid giving personal or financial information in an email, especially credit card information, bank account information, passwords and ID numbers.”
Follow Hamish Barwick on Twitter: @HamishBarwick
Follow CIO Australia on Twitter: @CIO_Australia