Ask PG: What steps would you advise a company to take after leaking passwords?

18 points by wooter ↗ HN
If one of the YC companies leaked half of their user's hashed passwords and immediately asked you for your advice on what to do, what would it be? What if they had low security standards? Would it change if the company was bigger? (even public?)

6 comments

[ 3.4 ms ] story [ 24.1 ms ] thread
Apologize, explain what happened, and fix the bug(s).
My first thought is to force a password reset via email on the next login.
I have to say I'm pretty amazed I haven't gotten an email from LinkedIn yet about their leak. Craziness. They seem to have no problem occasionally changing the setting of my "send me emails updating me of my networks" option.
Yeah, this is the most important. Fix the problem. Apologize too, but fix the problem.
The typical advice to contact the users is good public relations advice, but we all need to remember that there are strict data breach notification laws throughout the US (46 different laws in 48 states)[1] and in many countries around the world. If you know you've been breached and suspect personal data has been stolen you need to get yourself a lawyer. These laws are complicated and professional help is definitely warranted.

[1]http://www.ncsl.org/issues-research/telecom/security-breach-...