A few days ago, I discovered a security flaw at the company that hosts my website. I reported this to the company, NameCheap, and to a security researcher I know, Graham Cluley. Graham, in turn, shared this information on twitter, and on his podcast Smashing Security.
One thing that irked Graham – and me – was the way that NameCheap’s representative on Twitter used the term “teeny tiny” on Twitter to describe the extent of this vulnerability’s exploitation. And they also suggested, on Twitter, that it shouldn’t be discussed publicly:
This is despite the fact that the information I published did not in any way explain how this vulnerability could be exploited, but merely described its result. (NameCheap later provided a detailed explanation.)
There’s been a bit of back and forth between Graham Cluley and NameCheap CEO Richard Kirkendall (see this Twitter thread), much of it about the terminology that was used. “Teeny tiny” is not a technical word, and, to my ears, sounds dismissive.
This is problematic. Twitter is used as the voice of companies. A tweet can be as important as a press release; heck, even the US president announces policy in 280 characters. Companies that don’t realize this run the risk of being misunderstood, especially when something as sensitive as a security breach occurs.
In my article about this issue, I congratulated NameCheap on their rapid resolution of the problem. But I have communicated to Mr Kirkendall about the fact that I have not received any formal notification from the company regarding this breach, even though NameCheap said that all those affected – apparently just 12 domains – would be contacted. He has apologized on Twitter. He also said a full audit of the incident would be made, which is, of course, normal when there is this type of security breach.
The fact remains that Twitter leads people to speak quickly and sometimes rashly. I have worked as a journalist for long enough to know how important a choice of words is. I’ve worked hours on press releases with clients to get just the right words. And a tweet, especially when it is seen as an official statement from a company, is not very different from a press release. The wrong words have consequences.
Well said, Kirk! Anyone and any company could become a victim of a cyberattack. Getting hacked is bad but worse is handling the entire incident irresponsibly and in an laid-back manner. When Troy Hunt informed imgur about their data breach, the way they responded was excellent. We need to own up to our mistakes (the unintentional ones too) because that is where the recovery begins.
Well said, Kirk! Anyone and any company could become a victim of a cyberattack. Getting hacked is bad but worse is handling the entire incident irresponsibly and in an laid-back manner. When Troy Hunt informed imgur about their data breach, the way they responded was excellent. We need to own up to our mistakes (the unintentional ones too) because that is where the recovery begins.
I cant agree more, and when all you need to do as a company like this is post something simple on your Twitter like “We have been alerted to a bug in our hosting system, we are actively working on a fix and will update you shortly on the following blog post: LINK” So easy, so quick should take a few minutes and lets users know that you are serious about stuff and are working on it without commenting on everyones tweets.
I cant agree more, and when all you need to do as a company like this is post something simple on your Twitter like “We have been alerted to a bug in our hosting system, we are actively working on a fix and will update you shortly on the following blog post: LINK” So easy, so quick should take a few minutes and lets users know that you are serious about stuff and are working on it without commenting on everyones tweets.