Unless you've been hiding under an Internet rock for the past few days, you've probably heard by now about the massive security breach at the similarly large blog network Gawker.com. If you want a full recap of what happened (and how, as far as it's understood right now), the Firewall blog over at Forbes.com has one of the better rundowns I've read. Separate from the huge embarrassment for Gawker, there are plenty of lessons to take away about both online security and about handling problems in your company. To round things out a bit, I also wanted to touch briefly on some great customer service from the cloud-based file syncing utility Dropbox. Coincidentally, that story comes courtesy of the Gawker Media blog Lifehacker. But before we get to the good, let's handle the bad news.
Just to make sure we're on the same page, it's worth reviewing what happened at Gawker. As far as people can tell so far, a group of hackers intent on getting at Gawker's database and account information were able to do so through a combination of brute force and technical effort on their own part, and some pretty severe mistakes on the part of Gawker and its staff. In addition to the user account data that was compromised, a huge amount of confidential Gawker information, including source code, in-progress designs, and private chat logs, all spread across a number of independent services, was accessed and published. While it's not exactly clear how so many different accounts were compromised, it seems to be at least partially due to Gawker employees (including the founder, Nick Denton) using weak passwords, reusing the same passwords at multiple sites, and discussing account information, including usernames and passwords, in private chats. Once one of those chat accounts fell, the logs handed the attackers the credentials for the others.
In addition to providing some negative examples of password policy, the Gawker breach demonstrates how wide-ranging the consequences of a poor policy can be. Chances are you're not the head of a massive blogging network, but that doesn't mean that having your own account compromised won't negatively impact any number of people you work with or know. Take a second to think about how much information is stored in, for example, your email account (password reset links for nearly every other service you use, for a start), and it's easy to see how even one chink in the armor can spread very quickly. If you happen to have a Gawker account, you may be feeling a bit of the brunt directly right now. Despite being stored as hashes rather than plaintext, many of the Gawker passwords have already been cracked via offline brute-force and dictionary attacks: once the hash table is public, an attacker can test guesses at full speed with nothing to rate-limit them, and a common password is recovered in seconds. Anyone who uses the same password on other major sites is therefore at risk, because the cracked password will simply be tried against those sites next. As far as I can tell, my Gawker password hasn't been cracked (and it was unique to Gawker, in any event), but I've received two separate password lockout notices from LinkedIn that I'm guessing are a result of Gawker's breach.
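To make the cracking point concrete, here is an added example (my own illustration, not code from the post or from Gawker) of why a leaked hash table is so dangerous and what stops it. The post doesn't say how Gawker stored its passwords, so this assumes an unsalted fast hash (MD5 here) for the "leaked" side and contrasts it with per-user salts plus a deliberately slow key derivation function (scrypt from Python's standard library). The usernames, passwords and wordlist are constructed sample data.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time

# Constructed sample "leak": usernames and unsalted MD5 hashes of their passwords.
# Illustrative data only; nothing here comes from the actual Gawker dump.
LEAKED_USERS = {
    "alice": hashlib.md5(b"password1").hexdigest(),
    "bob": hashlib.md5(b"letmein").hexdigest(),
    "carol": hashlib.md5(b"xK9#vQ2!pL7mZ4").hexdigest(),  # strong, not in wordlist
}

# Constructed wordlist standing in for a real dictionary such as rockyou.txt.
WORDLIST = ["123456", "password", "letmein", "password1", "qwerty", "gawker"]


def crack_unsalted(hashes: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Offline dictionary attack against unsalted hashes.

    With no salt, every account using the same password has the same hash, so
    one hash computation per candidate word tests *all* accounts at once: build
    a reverse table candidate_hash -> word, then look each leaked hash up.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in hashes.items() if h in table}


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """How the passwords should have been stored: a random per-user salt plus a
    slow, memory-hard KDF. n=2**14, r=8 uses about 16 MiB per guess."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive with the stored salt; compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def crack_salted(store: dict[str, tuple[bytes, bytes]], wordlist: list[str]) -> dict[str, str]:
    """The same dictionary attack against salted scrypt hashes. The salt defeats
    the shared reverse table (every user needs a separate run of the wordlist)
    and the KDF cost makes each guess far slower than a single MD5."""
    found = {}
    for user, (salt, digest) in store.items():
        for w in wordlist:
            if verify_password(w, salt, digest):
                found[user] = w
                break
    return found


def count_kdf_calls(n_users: int, n_words: int) -> tuple[int, int]:
    """Hash computations the attacker must perform to exhaust the wordlist:
    unsalted (one shared table) versus salted (one table per user)."""
    return n_words, n_users * n_words


if __name__ == "__main__":
    print("unsalted MD5 cracked:", crack_unsalted(LEAKED_USERS, WORDLIST))

    store = {u: hash_password(p) for u, p in [("alice", "password1"), ("bob", "letmein")]}
    t0 = time.perf_counter()
    print("salted scrypt cracked:", crack_salted(store, WORDLIST))
    unsalted, salted = count_kdf_calls(len(store), len(WORDLIST))
    print(f"scrypt guesses took {time.perf_counter() - t0:.2f}s; "
          f"exhausting the list costs {unsalted} hashes unsalted vs {salted} salted")
```

The weak passwords still fall in both cases; salting and a slow KDF don't rescue "letmein". What they change is the economics: the attacker pays the full KDF cost per user per guess instead of one cheap hash per guess for the whole database, which is the difference between cracking a million-account dump over a weekend and not finishing at all. The only defence that works on the user's side is the one the post recommends: a password that isn't in anyone's wordlist and isn't reused anywhere else.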
On top of all the security problems, Gawker's handling of this very serious situation has been rather poor. All indications are that initial signs of a security breach showed up over a month ago, but were basically ignored. More troubling is that even after the signs of the breach were obvious (starting this past weekend), Gawker has been rather slow, and not entirely forthcoming about the full situation to its users. Gawker claims they've been notifying their extremely large userbase as soon as possible, but I didn't receive email notification until today. Furthermore, while Gawker's blogs have been fairly good about telling users how to protect themselves (changing passwords, canceling accounts, etc.), there's been almost no discussion of the full scope of the breach: which data was taken, how the passwords were stored, or how many accounts are affected. Obviously there are security and legal issues that Gawker needs to consider before saying everything, but the overall lack of timely notification and transparency with its userbase has been yet another example of what not to do.
To cleanse the palate a bit after all the Gawker mess, I just wanted to mention a small but cool piece of customer service, courtesy of Dropbox (and reported on Lifehacker). Basically, a Dropbox user filed a detailed bug report with the service. Some time later, without asking for it, or even being notified, that user had his Dropbox quota increased from 5 GB to 25 GB. Aside from this being a nice thing for Dropbox to do in exchange for a user contributing to the development of the software, I just think it's a pretty well executed move on Dropbox's part.
In addition to the good will from the user himself (chances seem good he'll continue to report any bugs he runs across), that good will spread quickly around the Internet: in the comments of the Lifehacker post alone, two users explicitly mention that they're submitting bug reports they hadn't gotten around to. As a formal, stated policy, paying for bug reports would almost certainly result in a lot of worthless reports, and would lead to more dissatisfied customers, I'm guessing, than the low-profile approach used here. On top of all that, rewarding someone for finding a problem with their product really highlights the way Dropbox values its customers' feedback, in a way that many more businesses should.
Anyway, hopefully that leaves you nicely ambivalent about the Internet and the inhabitants thereof.