Buffer got hacked last weekend, and they were the first to let me know.
That’s EXACTLY how it should be.
Here’s the original email I got this weekend:
I wanted to get in touch to apologize for the awful experience we’ve caused many of you on your weekend. Buffer was hacked around 1 hour ago, and many of you may have experienced spam posts sent from you via Buffer. I can only understand how angry and disappointed you must be right now.
Not everyone who has signed up for Buffer has been affected, but you may want to check on your accounts. We’re working hard to fix this problem right now and we’re expecting to have everything back to normal shortly.
The best steps for you to take right now and important information for you:
- Remove any postings from your Facebook page or Twitter page that look like spam
- Keep an eye on Buffer’s Twitter page and Facebook page
- Your Buffer passwords are not affected
- No billing or payment information was affected or exposed
- All Facebook posts sent via Buffer have been temporarily hidden and will reappear once we’ve resolved this situation
I am incredibly sorry this has happened and affected you and your company. We’re working around the clock right now to get this resolved and we’ll continue to post updates on Facebook and Twitter.
If you have any questions at all, please respond to this email. Understandably, a lot of people have emailed us, so we might take a short while to get back to everyone, but we will respond to every single email.
- Joel and the Buffer team
A few days later, I got this email:
I wanted to follow up with you after yesterday’s hacking incident. For many of you this has seriously disrupted your weekend – I’m sorry we caused that awful experience. The Buffer team has been working around the clock and I’m glad to say we’re back up and running. We have also spent all of today adding several security measures.
There’s one key step to using Buffer again: You will have to reconnect all your Twitter accounts, even if you’ve already done so. Go to the Buffer web dashboard to reconnect.
Other important things for you to know:
- Reconnecting won’t work in mobile apps, all Twitter accounts will have to be reconnected on the web dashboard.
- Your Facebook posting will have resumed normally, there is nothing you need to do.
- Signing in with or connecting a new Twitter account in the iPhone app won’t work until our new update is approved by Apple.
I want to apologize again and say that I’m incredibly sorry this has affected you and in many cases also your company. We’ve written a blog post with ongoing updates as we uncover the full details.
What is left for us right now is to complete our technical analysis and take further security measures. We will follow up with another update on this soon.
I want to invite you again to hit reply to this email or post a comment on our blog post. We will be sure to respond to you as fast as we can.
- Joel and the Buffer team
Man, this was great. You can see the entire masterwork by visiting Buffer’s blog (which is one every marketer should be reading, anyway).
Here’s what Buffer did right.
BEFORE the Hacking:
- They IMMEDIATELY — within an hour — alerted all users of the breach and didn’t try to hide anything.
- They sent a clear, easy-to-digest email that hit on all of the important points.
- It started with a real apology, not some “I’m sorry your account is hacked” fake-out.
- There were links (several) to the Facebook and Twitter pages. In a way, the company was inviting criticism — which they responded to personally as much as possible. This showed great transparency and social media awareness.
- They let us know what was safe, immediately answering the question, “Is my password and payment info safe?”
- Another apology.
- The invitation to respond directly to that email, along with the promise to respond to every message (wow!).
AFTER the Hacking:
- Admitted fault again, and also sympathized with the consequences of this disruption.
- Actually improved their security to solve the problem.
- Had a blog post that kept users up-to-date with what was actually going on.
- Responded to user comments on that post.
- Apologized profusely.
- Gave another clear, easy-to-read list of important items we needed to know.
- Provided another opportunity to respond, via email or blog comment, to Joel and the entire Buffer team.
Notice that Buffer was keeping an eye on their service, and they let their userbase know about the breach within the hour. It’s very likely they had a “We got hacked” email ready to go just in case this happened. You might want to prepare similar messages if your site contains user data or could be hacked.
But what would you write? Buffer’s provided the perfect blueprint in their examples above.
So what’s the blueprint you can follow if your company gets hacked?
Greet your email readers with a general opening like, “Hi there,” not, “Hi FIRSTNAME.” It maintains the authenticity of what’s going on — a mass e-mail informing a lot of users about a hacking.
Begin by explaining why you’re sending the email. Make sure to apologize in the first sentence. Admit responsibility. Ultimately, even if some 15-year-old in Canada is launching his army of bots to DDoS your site, you’re responsible in the eyes of your customers. Accept this gracefully. Express sympathy. You’re writing to humans, after all, and you’d better believe those humans are experiencing some emotions.
Say something soothing but realistic, like, “All customers may not have been affected, but you probably want to check.”
- Explain what the customers may want to know.
- Information like the safety of their payment info is essential.
- Use a clear, bulleted list. The better they can understand what’s going on, the more they’ll forgive you.
Apologize again. Then link to a page on your site where users can get the latest information.
Promise to make improvements so this will never happen again.
Let them know how to communicate with you, and make this method convenient for the customer. Make an effort to answer every single comment, email, and message. (Then make sure to do this.)
And then end the letter.
Everyone has problems. It’s part of Internet life.
But you don’t have to respond to those problems in a cowardly, self-damaging way. By bravely accepting responsibility, Buffer has made it much easier to love a company I already liked (and forgive them for some billing issues I’ve had in the past — which were resolved quickly, I’ll add).
Today’s Best Content Marketing Articles
- Do you think sales pages have to be “ugly”? Your inner artist will be thrilled to read the truth about what great sales pages CAN be. Your inner profiteer will be MORE than just thrilled.
- Maybe it’s because I could never quite figure out how to set it up correctly, but I never saw authorship as an essential SEO tool — just another game for short-term wins. And since having that little author photo on the search results page created a much higher click rate (and could be possibly deemed “unfair”), it only makes sense that Google is quietly backing off. You have to give it to the big G: at least they try to keep things as objective as possible and let content (not games) speak for itself.
- Want to make your business really stand out? You have to care, and you can’t fake it.