Hacker News

I really don't like how they decided to release this on a Friday afternoon. I know exactly why they did it, and why it is a smart PR move, but it also means two things:

- People's accounts might have been compromised earlier "this week" and they could have used that extra warning time to make sure the damage didn't spread to their other online accounts.

- People who might have been compromised are now less likely to see the announcement, so if anything is compromised there's less chance they will react to mitigate damages.

Great for PR, horrible for their users.



I'm inclined to give them some benefit of the doubt. It seems like they could have found out on, say, Tuesday, started investigating (post-intrusion analysis is very lengthy to do thoroughly), and the boss said "we need to release a statement by the end of the week, so find out what was taken and how users are affected."

They'll likely be doing forensics for months after this, so alerting the public a few days in to the investigation is actually pretty good.

What you should be concerned about is all of the companies who got owned in this campaign and will not be confessing. This is big, and a few more companies will admit it early, a few will sneak vague statements in their SEC disclosures, and a few will cover it up completely.


There is another possibility, which is that they didn't work out what was going on until Thursday.

And anyone whose account has been compromised has received an email, a far more likely way of seeing the message than relying on everybody to occasionally check Twitter's blog for news.


The official Twitter release was titled "Keeping our users secure". My gut response after reading the first couple of paragraphs was, "Are you fucking kidding me?" That title, combined with the day/time of release really has the cynic in me riled up.

EDIT: It'd be great if anyone willing to downvote would explain why it's OK for Twitter to title a notice involving a breach of security resulting in the exposure of 250,000 records containing sensitive information, "Keeping our users secure". Because it really kind of pisses me off when I read it.

EDIT, EDIT: Highest karma volatility (up, down, up, up, down, etc.) of any comment I've ever posted on Hacker News. I really am genuinely interested in counter points.


Settle down. "Keeping our users secure" just means "There was a problem, and here is what we have done to mitigate it." You have correctly observed that they chose, in their announcement, to downplay the breach and focus on what steps they've taken to address it. What did you expect?

Let's all take a deep breath and remember: It's. Just. Twitter.


It doesn't really matter to me who the message comes from. When did the truth cease to matter? I'm not naive. I recognize that this kind of thing happens all over the place, but that's exactly why I get so frustrated at this type of communication, and frankly, at your response. If your attitude becomes, "Oh well, it's just Twitter, so the dishonesty doesn't matter," then we can only expect more of the same. Everyone around Twitter will watch as they perpetrate falsehoods in communication, and they will follow suit.


It's not that "dishonesty doesn't matter" it's that you really shouldn't expect a company to go out of its way to call attention to its own screwup. They only want to bring this to the attention of people who need to know for security reasons, and they directly emailed all of those people. The sole purpose of the blog post was "oh, in case you heard about a security breach, you'll be happy to know that we've mitigated the problem. Aren't we doing great?" Even if you think the answer is "no," there is really nothing dishonest there.


Though Twitter seems trivial to a lot of people, Wikipedia has 4 different suggestions[1] when you search for 'twitter revolution'. So perhaps it's not so trivial and celebrity-focused as it seems to us non-users.

[1] http://en.wikipedia.org/wiki/Twitter_Revolution


And if someone used Post-it Notes in a novel way to aid revolutionary efforts, we'd suddenly decide that they are a critical piece of infrastructure that needed to be super-secure, too, right?

It's just Twitter.


HN meta: It would be interesting to see per-comment volatility as an indicator of moderation convergence. Anyone know if the HNSearch dataset is rich enough to do this?


Yeah, the title is misleading and sounds so boring that a lot of people might not even bother reading any further.


Okay here's a few counter points:

1) There is no evidence that all of the records were compromised. So Twitter is keeping users secure by proactively resetting passwords.

2) People need to get over this Friday afternoon release. Twitter is a global company so it's not Friday everywhere and regardless it could purely be coincidental.


"Twitter is a global company so it's not Friday everywhere ..."

You're right. In some places it's the middle of the night, and in some places it's Saturday morning... prime time for a press release.


The Friday release thing doesn't aggravate me nearly as much as the title.

Security is tough. Really, really tough. I'm not here to crucify them for the breach, but the title glosses over the event in a way that is disingenuous at best. When you border on dishonesty with your title, people begin to question your motives.


The title isn't meant for anyone whose account was compromised. Mine was, I got an email. The subject was "Twitter has reset your account password". No beating around the bush there.

I'm not upset, it sounds like they detected it quickly and went out of their way to make sure everyone was not only notified but ensured that their account was safe. 250k users is a very small number of their accounts. A literal drop in the bucket. It sounds to me that they're going after the hackers and I appreciate that.

Was your account compromised?


That seems really unlikely - if there is one ancient rule in PR it's

  The break-in didn't Dick Nixon, the cover-up dicked Nixon
This is one of the world's best known sites - everything about this will be hot news. Only a fool would cover it up.


Sadly you are exactly right. I wish companies would put both of these things first. Why so often does one have to come at the expense of the other?

Yes, I know this is "naive" thinking, but I also think it's the kind of thinking that can change a company for the better. Would it be easy? No. But in the end it is us, the users, who have to not think so critically of these "political pitfalls" (my words). Hacking happens; time and time again this stuff happens. If Twitter (or another company) took measures to protect their users and didn't do something completely stupid like keeping plain-text info, we should all just take what happened for what it is and move on. With these situations becoming more and more common, we are going to have to do this anyway.


Or it could have actually just been discovered today. It's too easy to sit from afar and assume the worst. Maybe sometimes things just happen this way.

Maybe the "bad" people involved in the attack figured if they got away with it less people would be looking on a weekend so they could get further.

Just saying... it's easy to assume "big" companies always do what's best for them... but really they're just a bunch of people trying, in most cases, to do the right thing. So, before you click "fire" on that enter key... think about it... there are people on the receiving end... probably a lot like you.


I don't think they would have said "this week" if they could have gotten away with "today". "Today" sounds a lot less dangerous, prolonged, etc.


Today could be really bad if they discovered tomorrow that the attack had been going on longer... you never know which way the spin or reporting is taking the real story once it hits print...


Looking into the timing of this is borderline conspiracy theorist. Would you rather they have sat on the post until Monday?

With incident response for an active service, priority one is segregation and mitigation; priority zed is writing a blog post about it.



