Douglas Crets


The Right Way to Make Amends After #Security Failure — WordPress

I got this email this evening from WordPress. I wanted to show this as an example of the right way to handle a security issue with a site or a service. It’s very simple:

1. Information — What happened, why it happened

2. What was the result?

3. How was it fixed

4. What will happen going forward

5. Other things to do

6. And a little something for you, champ, for being a good sport about it.


I include almost the entire email below to show how they did it:

We recently found and fixed a mistake that we’d like to tell you about. Passwords on are saved in a way that makes them extremely secure, such that even our own employees are unable to see your actual password – the one you enter to login to your account. However, between July 2007 and April 2008, and September 2010 and July 2011, a mistake in one of our systems used to find and correct bugs on accidentally logged some users’ passwords in a less secure format during registration.

We’ve updated our systems to prevent passwords from being logged this way in the future, so this will not happen again. We don’t have any evidence that this data has been accessed maliciously or misused, but to be on the safe side we are resetting your password since your account is among those affected.

[personal information and link to security check redacted]

If the password you used when you registered on was one you use elsewhere, you should change it there, too. In the future, remember that it’s good practice to always use unique passwords for different services.

We are terribly sorry about this mistake. No one likes having to create new passwords and we’d like to include a 15% off coupon to say we’re sorry. The coupon can be used for a custom domain, a design upgrade, VideoPress, or a storage space increase. Just use the code below on any of the upgrades on the Store: [special code redacted]
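The mistake the email describes is a familiar one: a bug-reporting hook dumps the whole registration request into a log, password included, so a credential that is hashed correctly in the database ends up in plain text somewhere else. The block below is an added example, not WordPress's code, showing the leaky hook beside a hardened one that scrubs credential fields before the line is written and adds a logger-level filter as a second net, plus the salted hashing the email alludes to. The field names, the regular expression and the sample request body are constructed for illustration.

```python
"""Added example (not WordPress's code): a debug hook that records the raw
registration request, in the form that leaks the password and in a hardened
form that scrubs credential fields before the line reaches the log.
Field names, the regex and the sample request body are constructed."""
import hashlib
import hmac
import logging
import os
import re
from io import StringIO
from urllib.parse import parse_qsl, urlencode

# Hypothetical list of form fields whose values must never be logged.
SENSITIVE_FIELDS = ("password", "password_confirm", "pwd", "token", "secret")

# Constructed registration body, the kind of thing a bug-reporting hook
# might dump wholesale while "finding and correcting bugs".
SAMPLE_BODY = "user=alice&email=alice%40example.com&password=hunter2&password_confirm=hunter2"


def scrub_form_body(body: str) -> str:
    """Parse the URL-encoded body and mask sensitive values, keeping the
    other fields intact so the log entry is still useful for debugging."""
    pairs = parse_qsl(body, keep_blank_values=True)
    scrubbed = [(k, "[REDACTED]" if k.lower() in SENSITIVE_FIELDS else v)
                for k, v in pairs]
    return urlencode(scrubbed, safe="[]")


class CredentialRedactingFilter(logging.Filter):
    """Second net on the logger itself: mask credential-looking key=value
    pairs in the fully formatted message, whichever call site produced it.
    Catches the case where a developer forgets scrub_form_body()."""
    _pattern = re.compile(
        r"(?i)\b(" + "|".join(SENSITIVE_FIELDS) + r")=([^&\s\"']+)")

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = self._pattern.sub(r"\1=[REDACTED]", record.getMessage())
        record.args = ()          # message already interpolated above
        return True


def _logger_to_buffer(name: str, redacting: bool):
    """Build an isolated DEBUG logger that writes into a StringIO buffer."""
    buf = StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(name)s: %(message)s"))
    logger.addHandler(handler)
    if redacting:
        logger.addFilter(CredentialRedactingFilter())
    return logger, buf


def leaky_debug_log(body: str) -> str:
    """The mistake: the whole request body, password included, goes to the log."""
    logger, buf = _logger_to_buffer("bugtracker.leaky", redacting=False)
    logger.debug("registration request: %s", body)
    return buf.getvalue()


def hardened_debug_log(body: str) -> str:
    """The fix: scrub known fields at the call site, with the filter as backup."""
    logger, buf = _logger_to_buffer("bugtracker.hardened", redacting=True)
    logger.debug("registration request: %s", scrub_form_body(body))
    return buf.getvalue()


def filter_only_debug_log(body: str) -> str:
    """Developer forgot scrub_form_body(); the logger-level filter still catches it."""
    logger, buf = _logger_to_buffer("bugtracker.filteronly", redacting=True)
    logger.debug("registration request: %s", body)
    return buf.getvalue()


def hash_password(password: str, salt: bytes = b"") -> str:
    """How the password should be stored: salted PBKDF2, so even staff
    with database access cannot read the original back."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    print(leaky_debug_log(SAMPLE_BODY), end="")
    print(hardened_debug_log(SAMPLE_BODY), end="")
    print(filter_only_debug_log(SAMPLE_BODY), end="")
    stored = hash_password("hunter2")
    print(stored, verify_password("hunter2", stored))
```

The two layers are deliberate: scrubbing at the call site keeps the rest of the request readable for whoever is debugging, while the filter on the logger means one forgotten call does not reintroduce the leak. The hashing functions are there to make the email's point concrete: a correctly stored password is useless to anyone who reads the database, which is exactly why a plaintext copy in a debug log is the weak spot.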

That’s a little bit better than what happened to AirBnB recently when it was discovered that one of their customers had looted and ransacked another customer’s apartment he had rented for a week. In that snafu, AirBnB let the tech media take too much control of the story, and then on the back end they tried, unforgivingly, to compromise the reporting and direct the story through what looked to me like bribing. In the end, though, AirBnB CEO Brian Chesky stepped up to the plate and issued not one, but two apologetic emails to clients, and issued a $50,000 guarantee to subletters to give them some sense of security with the service.

The key is you want to do it right the first time. Tell the truth, get it out there quickly, and then get back to the work you love to do.


Filed under: Influence, Tech, Work
