TripAdvisor has reset an unknown number of accounts after the company warned that some accounts may have been compromised.
The travel booking site said that while it hadn't been hacked, fraudsters had "attempted to verify email and password combinations" from data stolen from other companies.
A spokesperson for the company wouldn't name the source of the breached data or say how many accounts were compromised, and declined to comment further.
But the number of accounts was significant enough to alert the California attorney general, who requires businesses to notify customers of a data breach or an exposure affecting more than 500 California residents.
TripAdvisor sent emails to customers whose accounts it believes was accessed by an unauthorized person. The company said that it had "invalidated" old passwords and asked users to reset their passwords through an online form.
It's the latest example of a company responding by force-resetting passwords in the wake of a breach of another company.
Amazon, for example, regularly resets user passwords it believes are weak or when passwords have been compromised by another site. Customers who reuse the same password across different sites are put at greater risk of compromising accounts on other sites and services. That's why companies like Facebook will actively buy hacked data on the dark web to match up with their own user's accounts to see if they are at risk, mitigating any further account compromises.
In the past two years, we've seen a spike in massive breaches at MySpace, LinkedIn, Tumblr, and AdultFriendFinder, collectively making up over one billion user accounts.