Reddit's hack made international news today. In June, the business discovered that its systems had been compromised via staff accounts, giving hackers access to data from 2007 and from 2018.
So how did the company respond from a crisis management perspective, and what lessons can we take away?
What Reddit has done well
A detailed summary of the breach, and its various implications, was posted on the Reddit site. It's clear that Reddit is taking this breach very seriously and has made some immediate changes to avoid this happening again. The communication is very transparent and honest, which will promote trust, and the language is nicely down to earth too.
They've made commitments to directly contact users who were impacted by the 2007 breach, which is a firm step in the right direction.
And not so well...
While the post mentioned above did lots of things well, it did two things quite badly:
- It used some language, in very critical places, which was unclear at best. For example, the post explains that "the most significant data contained in [the files breached from 2007] are account credentials (username + salted hashed passwords)". Reddit's very active user community has repeatedly questioned what on earth "salted hashed passwords" means. Does this mean the passwords were somehow obfuscated? If so, that might be reassuring. If not, is Reddit saying that username and passwords are out there in the hands of hackers? Those two outcomes are really quite different, so being so vague in this important sentence has caused more confusion than was necessary.
- It downplays the significance of the 2007 breach in a couple of ways. The post explains that "all content (mostly public, but also private messages) from way back then" was part of the breach. The "way back then" wording really gets me. This language is dismissive, and suggests that private messages from so long ago shouldn't cause any dramas. That's for the user to decide, not Reddit. The post also suggests that users should reconsider their password strategy if they're still using the password they had in 2007. Again, this hack is Reddit's responsibility, not the users'. Most people understand that passwords should be changed regularly, but this comment seems a little arrogant at this time.
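To make the disputed phrase concrete, here is an added illustration (not part of the original post, and not Reddit's own scheme, whose parameters the post does not give) of what "salted hashed passwords" means: the site stores a per-user random salt and a one-way digest rather than the password itself. The PBKDF2 parameters and the sample passwords are constructed for this example.

```python
import hashlib
import hmac
import os

# Illustrative parameters only; the post does not describe Reddit's 2007 scheme.
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length digest from the password and a per-user random salt.

    The salt is stored next to the digest and is not secret; its job is to make
    two users with the same password end up with different stored digests.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def new_record(password: str) -> tuple[bytes, bytes]:
    """What a site stores instead of the plaintext password: (salt, digest)."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Login check: recompute from the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt), digest)


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share a weak password.
    salt_a, digest_a = new_record("correcthorse")
    salt_b, digest_b = new_record("correcthorse")
    print("same password, different stored digests:", digest_a != digest_b)
    print("login with right password:", verify("correcthorse", salt_a, digest_a))
    print("login with wrong password:", verify("wrongpassword", salt_a, digest_a))
    # A leaked (salt, digest) pair is not the password itself, but whoever holds it
    # can test candidate passwords offline, so weak or reused passwords remain at
    # risk. That is the substance behind the advice to change a 2007-era password.
```

So "salted hashed" sits between the two outcomes the post leaves open: the passwords were not exposed in the clear, but they were not beyond recovery either, and the disclosure should have said so plainly.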
In addition to the above, media such as the BBC have widely criticised Reddit for its lack of proactive communication around the data compromised from 2018. The company chose to put the onus on its users to take action here. Due to the nature of the breach, Reddit is right to encourage users to look back on their posts, which they would have written on the understanding they'd be anonymous, and reassess whether or not they should delete that content knowing that it could, as a result of this breach, now be linked back to them. That said, Reddit has chosen not to proactively email all users to explain this. Instead, the company has assumed that its single post on the company site provides users with all the information they'll need.
Lessons to take away
Crisis communications and crisis management are always going to be tricky, and there are lots of variables to consider when creating your crisis management plan. But let's take these lessons from Reddit's hack:
- Be transparent and honest in your communications, and always use layman's terms to avoid assumed knowledge.
- Be clear on your commitments to change - your community will respect you for making changes that avoid repeated mistakes.
- Consider the incident from your users' perspective. What might it mean for them in a worst-case scenario? Pitch your content appropriately with that in mind.
- Communicate proactively across multiple channels. A landing page on your website, which includes links for those wanting further help, is essential. But also post via social media, and proactively contact your audience via email too. If you choose to communicate proactively only with the subset of users you know are affected, you can be sure that other stakeholders will hear about the issue from other sources - likely the media - and will wonder why you didn't get in touch with them. Are they not important enough to receive a courtesy note too?
If you have any questions about crisis or issues communications and management, or are interested to hear about our approach to crisis planning, please get in touch - firstname.lastname@example.org
A hacker broke into a few of Reddit’s systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords. Since then we’ve been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again.