On Tuesday, GitHub hailed me with a notice that my password might have ended up in some log file and needed to be changed; two days later, the same thing from Twitter. Neither case is to be taken lightly, and both companies handled it well: transparently.
I don't mean to say it's a good thing that companies make security mistakes, but mistakes happen; we're all human. What matters is how people deal with such incidents. Be serious and think back to how many times we've been betrayed and lied to. Remember the Yahoo hack? The German Bundestag? Government networks? Quite a few breaches have been hidden for the sake of saving face.
But why that transparency, you may ask. If you ask me, Twitter's discovery might not have been pure luck. I think they read GitHub's message, screened their own systems and found something similar. In other words, many other companies might be doing the same thing and screening their own stuff. Security bugs aren't unique; people usually make the same mistakes over and over again. So if we talk openly about the problems we discover, others may benefit from that too. And as for changing a password, that is done quickly, especially if you're using password management software.
The moral of the story: if you want security, don't hate people for admitting that they did something wrong.