@ndarville
Last active December 9, 2019 11:32
“We’ve Been Hacked” Boilerplate Announcement

How Companies Communicated Being Hacked

It’s probably a pretty bad idea to have your site go down when people are supposed to read the blog post explaining the hack.

Notice how another site reporting the hack received more attention than Twitter’s own announcement. Why was that?

LinkedIn

LinkedIn users on Hacker News learned about the site’s password leak through a translation of a Norwegian article.

  • Sometimes, the company doesn’t break the news first.
  • Look at all those discussions of people trying to figure out how and whether this affects them.

Three major companies were affected by this: Tumblr, Twitter, and Pinterest. All three issued an e-mail to users who could be affected. It is a nice opportunity to see how three major companies compare when reporting a security breach.

Once again, people probably found out about the security breach from a source other than the official one.

The best response I recall ever seeing. These people get it.

The Announcement

Notify Your Users

Through

  1. your official Twitter account
  2. your blog (this is where you really don’t want it to crash)
    • Post a copy to Pastebin from your official Twitter account if need be.
  3. e-mail
  4. phone—if the situation demands it

Inform and Calm Your Users

(Right now, all your users are asking themselves “Am I affected by this?”)

  • Who is affected by this? (E.g. registration < mm-dd-yyyy)
  • How are users affected by this? (Security, privacy, password reset, OAuth access revoked.)
    • Remember the distinction between hacked accounts (log-in) vs. hacked user data (database)

“Am I safe now?”

  • Have you contained the infiltration? (Is it safe for people to use the service now?)
  • In a few words, how were you hacked?
  • What steps have you taken to protect their data?

“Am I required to take (immediate) action to protect myself?”

  • If yes, what are the steps, point by point, in plain English?
  • ... and how will I know that I have successfully done as asked?

User Data

  • What was compromised, if you know at this point?
    • [<YES,NO,UNDETERMINED>] Field
    • [ ] Usernames
    • [ ] Passwords
    • [ ] Secret question
    • [ ] Answer to secret question
    • [ ] Credit/debit card info
      • Should I cancel my card—how?
    • [ ] User data
      • Personal photos, items marked “private”, order history ...

For the Techies

  • What password hashing algorithm did you use?
  • Did you use a salt?
  • Do you plan on improving your security in the future with two-factor authentication?
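As an added example, not part of the gist: the difference behind the “hashing algorithm” and “salt” questions, in code. It contrasts an unsalted fast digest (where every account sharing a password shares a digest, so a leaked table can be attacked with precomputed lookups) against a per-user salted, iterated PBKDF2 derivation from Python’s standard library; the two-user table is constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample: two users who happen to use the same password.
USERS = {"alice": "correct horse", "bob": "correct horse"}

def unsalted_sha256(password: str) -> str:
    """Weak scheme: one fast, unsalted digest. Identical passwords give
    identical digests, so one cracked digest breaks every account that
    shares it, and precomputed tables apply to the whole leaked dump."""
    return hashlib.sha256(password.encode()).hexdigest()

# Deliberately slow; pick the largest count your login latency allows.
PBKDF2_ROUNDS = 200_000

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Stronger scheme: random per-user salt plus iterated PBKDF2-HMAC-SHA256.
    Stored as 'salt$digest', both hex-encoded."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def count_duplicate_digests(table: Dict[str, str]) -> int:
    """Number of accounts whose stored value matches another account's:
    what an attacker sees at a glance in a leaked table."""
    counts: Dict[str, int] = {}
    for value in table.values():
        counts[value] = counts.get(value, 0) + 1
    return sum(c for c in counts.values() if c > 1)

if __name__ == "__main__":
    weak = {u: unsalted_sha256(p) for u, p in USERS.items()}
    strong = {u: hash_password(p) for u, p in USERS.items()}
    print("unsalted duplicates:", count_duplicate_digests(weak))    # 2
    print("salted duplicates:  ", count_duplicate_digests(strong))  # 0
```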

The Follow-up

The Timeline

  1. When were you hacked?
  2. When did you intuit something was wrong?
  3. When did you confirm the hack?
  4. When did you restore the security of your service?

=[1]=====[2]==[3]=[4]===>


  • How did you botch the security?
  • How did you detect the infiltration?
  • How did you contain the infiltration?
  • What steps are you taking to protect users in the future?
@ndarville
Author

Please post any feedback you may have, be it as a user or company.
