User review giant TripAdvisor has been forced to notify members of a major security breach after a "portion" of its 20 million-strong email list was stolen.
The company has posted a message outlining some details of the incident, which supposedly took place "recently" and involves an undisclosed number of member email detail taken from the system.
Officials are keen to stress that the company does not collect credit card details or any other financial information, but it is warning members that they may receive some "unsolicited emails" as a result of incident.
In an additional statement, the official says:
"We sincerely apologise to our affected members for this inconvenience and are implementing additional security precautions to help prevent another incident in the future.
Such is the seriousness of the breach, agencies from outside the company are now said to be looking into the theft, although it is unclear whether the investigation is taking place at one of its international offices or the headquarters in Massachusetts, US.
"While we're still investigating the details, we’ve identified the vulnerability, shut it down and are vigorously pursuing the matter with law enforcement."
The bulletin to members goes on to explain how they might be able to identify any unsolicited emails in the future and how to deal with them.
How such a major incident could have taken place may well emerge in the coming weeks, but while TripAdvisor's transparency with coming forward immediately to notify members should be applauded, such openness elsewhere may also shed some light on some of the wider IT practices within the company.
Seven months ago, technical manager Sanjay Vakil wrote in the Y Combinator forums that TripAdvisor developers have "root access on EVERY box", meaning that technical staff could essentially see all files, delete them and add them from a server.
Vakil's comments were lambasted by other developers and technicians in the forum:
"Ugh. I understand the principle of empowering developers, but some basic security would be nice..." wrote one member at the time.
Another added: "Yeah, I wonder who cleans up after this. The guy who has root 'just because we give it to all developers' and makes a mess and seriously breaks the production site is most likely not the person you want cleaning it up when time is of the essence."
There is no indication at all at this stage whether the theft was carried out by individuals within the company or from the outside.