Create a gist now

Instantly share code, notes, and snippets.

Embed
What would you like to do?
“We’ve Been Hacked” Boilerplate Announcement

How Companies Communicated Being Hacked

Evernote

It’s probably a pretty bad idea to have your site go down, when people are supposed to read the blog post explaining the hack.

Twitter

Notice how another site reporting the hack received more attention than Twitter’s own announcement. Why was that?

LinkedIn

LinkedIn users on Hacker News learned about the site’s password leak through a translation of a Norwegian article.

  • Sometimes, the company doesn’t break the news first.
  • Look at all those discussions of people trying to figure out how and whether this affects them.

ZenDesk

Three major companies were affected by this: Tumblr, Twitter, and Pinterest. All three issued an e-mail to users that could be affected. It is a nice opportunity to see how three major companies compare when reporting a security breach.

Blizzard

Once again, people probably found out about the security breach from another source than the official one.

Buffer

The best response I recall ever seeing. These people get it.

The Announcement

Notify Your Users

Through

  1. your official Twitter account
  2. your blog (this is where you really don’t want it to crash)
    • Make a copy to Pastebin with your official Twitter account if need be.
  3. e-mail
  4. phone—if the situation demands it

Inform and Calm Your Users

(Right now, all your users are asking themselvess “Am I affected by this?”)

  • Who are affected by this? (E.g. registration < mm-dd-yyyy)
  • How are users affected by this? (Security, privacy, password reset, OAuth access revoked.)
    • Remember distinction between hacked accounts (log-in) vs. hacked user data (database)

“Am I safe now?”

  • Have you contained the infiltration? (Is it safe for people to use the service now?)
  • In few words, how were you hacked?
  • What steps have you taken to protect their data?

“Am I required to take (immediate) action to protect myself?”

  • If yes, what are the steps, point by point, in plain English?
  • ... and how will I know that I have successfully done as asked?

User Data

  • What was compromised, if you know at this point?
    • [<YES,NO,UNDETERMINED>] Field
    • [ ] Usernames
    • [ ] Passwords
    • [ ] Secret question
    • [ ] Answer to secret question
    • [ ] Credit/debit card info
      • Should I cancel my card—how?
    • [ ] User data
      • Personal photos, items marked “private”, order history ...

For the Techies

  • What password hashing algorithm did you use?
  • Did you use a salt?
  • Do you plan on improving your security in the future with two-factor authentication?

The Follow-up

The Timeline

  1. When were you hacked?
  2. When did you intuit something was wrong?
  3. When did you confirm the hack?
  4. When did you restore the security of your service?

=[1]=====[2]==[3]=[4]===>


  • How did you botch the security?
  • How did you detect the infiltration?
  • How did you contain the infiltration?
  • What steps are you taking to protect users in the future?
@ndarville

This comment has been minimized.

Show comment
Hide comment
@ndarville

ndarville Feb 15, 2014

Please post any feedback you may have, be it as a user or company.

Owner

ndarville commented Feb 15, 2014

Please post any feedback you may have, be it as a user or company.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment