Email inboxes can be prime hunting grounds for hackers and scammers trying to sneak into user accounts and steal information. But a recent email from TripAdvisor Inc., asking users to change their passwords, was anything but a scam.

The company alerted an unknown number of users in June that their TripAdvisor login information was on a list of publicly leaked passwords and that they would need to reset their credentials. A representative for TripAdvisor said the company scans the internet for leaked credentials and confirmed it notified some of its users but declined further comment.

Companies like TripAdvisor have started taking steps that could limit their legal liability and protect user privacy in the face of widespread attacks, called credential stuffing. In such attacks, hackers use versions of leaked usernames and passwords—the credentials—posted as part of a data breach to log in to retail sites, bank accounts and other popular websites, and then make purchases, steal credit cards, or sell personal information.

Scanning internet sites for leaked logins and then securing those accounts can protect a company’s finances, reputation, and even future legal standing in a potential lawsuit, attorneys and data security professionals say. Because users frequently use the same or similar passwords for multiple accounts, a leaked login for one site can mean access to many others, they say.

A dearth of court rulings and case law leaves murky what legal liability companies could face if they don’t protect against credential stuffing attacks, attorneys said. But a 2017 Federal Trade Commission ruling that held a financial company liable for the consequences of one such attack may be good reason to follow TripAdvisor’s lead and take precautions.

“Is it an absolute protection? Does it save you from doom and gloom? Don’t know yet,” Paul Ferrillo, a cybersecurity corporate governance attorney at Greenberg Traurig LLP, said. “Does it make good common sense? Is it good practice to do so? Absolutely.”

Legal Grey Area

Companies should consider the FTC’s liability ruling against TaxSlayer LLC when considering whether they want to proactively protect their users against credential stuffing, Ferrillo said. Credential stuffers attacked the tax-preparation company over three months in 2015, using the service to file fraudulent tax returns, according to the FTC settlement.

The FTC expects that companies should know to protect against credential stuffing attacks, according to the agency’s original complaint. The settlement requires TaxSlayer to hire a third-party assessor to evaluate its compliance with the Privacy and Safeguard rules every other year through 2027.

“Notably, the FTC alleged that credential-stuffing attacks have become reasonably foreseeable. On that hook, the FTC essentially hung a legal mandate to detect and prevent such attacks,” attorneys Jeremy Feigelson and Will Bucher of Debevoise and Plimpton LLP wrote in a Bloomberg Law Insight at the time of the settlement.

Future users could blame a company for failing to protect against a credential stuffing attack, David Navetta, vice chair for cyber, data, and privacy and partner at Cooley LLP, said. “It’s good to avoid all kinds of headaches around fraud, and if you do that you’re hopefully mitigating liability.”

“I personally think that companies who get hit with credential stuffing should not be liable for what amounts to bad password practices of users and another company’s data breach, which allows those passwords to be exposed,” Navetta added.

Password Problems

Credential stuffing also poses a financial threat to companies. The retail industry suffered $6 billion in losses and consumer banking another $1.7 billion from credential stuffing attacks in 2017 alone, according to a 2018 report from data protection company Shape Security.

Attackers often will steal the value of what’s stored in the account, such as subscriptions, airline ticket purchases, or online orders, according to the report. They’ll also steal personal and credit card information and then may sell the user’s login online when they no longer need or want it.

Companies can protect themselves in a number of ways, ranging in sophistication. TripAdvisor, for example, uses software that scans the internet for users’ leaked login credentials, which is how the company learned its users were at risk and moved to protect them.

But companies should never notify users about required password changes over email, because hackers will send emails just like it to trick users into revealing their passwords, Shape Security co-founder Sumit Agarwal said. They should only notify users after they log in to the website or application, he said.

Websites can use two-factor authentication instead of requiring password changes, security experts and attorneys said. Even if a credential stuffer manages to enter the correct login, they’ll almost never have access to the second factor, such as a phone number or PIN sent to a cellphone, Stephen Cox, chief security officer at data protection company SecureAuth, said.

Companies can also buy technology with machine learning that identifies whether an attempted user login is “good, bad, or risky,” Agarwal said. For example, if a user attempts to log in to an account from an IP address in the U.S. and then, 10 seconds later, tries from an IP address halfway across the world, that would alert a security system and block the suspicious attempt, Cox said.
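The "impossible travel" check Cox describes, written out as an added example (not code from the article or from any vendor it names): successive logins to one account are compared by the speed the user would have needed to move between the two IP geolocations, and sorted into the good/bad/risky buckets Agarwal mentions. The IP-to-coordinate mapping, the 1,000 km/h threshold and the sample logins are all constructed assumptions.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumed policy threshold: faster than a jet is impossible

@dataclass
class LoginEvent:
    account: str
    ts: float   # seconds since epoch
    ip: str
    lat: float  # IP geolocation (constructed here; a real system would look it up)
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):  # great-circle distance in kilometres
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def implied_speed_kmh(prev, cur):
    """Speed the user would have needed to get from one login to the next."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.ts - prev.ts) / 3600.0
    if hours <= 0:  # same instant or out-of-order timestamps: treat as impossible
        return float("inf") if dist > 0 else 0.0
    return dist / hours

def classify(prev, cur):
    """'good', 'risky' or 'bad': the three buckets named in the article."""
    if prev.ip == cur.ip:
        return "good"
    if implied_speed_kmh(prev, cur) > MAX_PLAUSIBLE_KMH:
        return "bad"    # impossible travel: block and require the second factor
    return "risky"      # new location but plausible travel: step up to 2FA

def scan(events):
    """Walk logins per account in time order; list every login that is not 'good'."""
    last, out = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        prev = last.get(ev.account)
        if prev is not None and (v := classify(prev, ev)) != "good":
            out.append((ev.account, prev.ip, ev.ip, v))
        last[ev.account] = ev
    return out

# Constructed sample: alice "travels" New York -> Singapore in 10 s; bob goes NY -> Boston in 1 h.
SAMPLE = [
    LoginEvent("alice", 0, "198.51.100.7", 40.7128, -74.0060),
    LoginEvent("alice", 10, "203.0.113.9", 1.3521, 103.8198),
    LoginEvent("bob", 0, "198.51.100.8", 40.7128, -74.0060),
    LoginEvent("bob", 3600, "198.51.100.20", 42.3601, -71.0589),
]
```

`scan(SAMPLE)` flags alice's second login as "bad" and bob's as "risky"; a production system would feed the same verdict into the decision to block or prompt for a second factor rather than just listing it.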

The best a company can do for itself is invest in protections to ensure it’s safe from future liability, Ferrillo said. Companies that behave like “good corporate citizens” have an advantage in potential future legal proceedings, he added.