Illustration by Max Fleishman

We apologize for the data breach

It should never have happened.

Nick Douglas

Posted on Jul 30, 2016   Updated on May 26, 2021, 9:05 am CDT

Dear SafeCorp users,

By now you have heard about the data breach that exposed our users’ private information to hackers, to the U.S. government, and to the public. We are sorry, and we are embarrassed. But especially sorry. Although almost equally embarrassed. But not quite as embarrassed as we are sorry.

Your data is precious, and we did not take sufficient measures to protect it. We know that now, and we know we should have known all along. We shouldn’t have declared ourselves the “industry leader in data security” and “way more serious about data security than our competitors” and “just nuts about data security, really insane, like if data security is a crime then lock us up, but good thing it isn’t, because we’re ga-ga for data security.” We really thought we had that stuff down.

We were fully confident that when we issued our “Security Breach Challenge,” offering a million-dollar prize to anyone who could hack our site, that no one would succeed. We were confident enough to issue the challenge during a public tour of our data center, to which we handed out invitations during DEF CON 2016, in the form of “golden tickets,” each bearing an employee’s iPhone passcode. We now see our confidence was unfounded.

We regret storing our users’ usernames and passwords in plaintext, in a shared Google doc. We regret printing out that Google doc, then printing coupon fliers on the back of that printout to save paper, then distributing those fliers by aerial drop over the Kremlin.

We regret testing our Facebook Live account by reading our users’ security questions and answers in a monotone, as if we were memorializing the dead, then carving those questions and answers into a granite block in downtown Manhattan.

We regret activating an always-on “share my location” feature, on an opt-out basis, announced only by a whisper into a warm glass of milk by a sleepy child. We regret changing our company logo to a regularly updated, algorithmically generated map of the “most surprising user locations.”

If we had avoided these missteps, we likely would not have suffered such a serious breach, one that resulted in the exposure of user identities, preferences, behaviors, and “star potential.” And we likely could have contained the breach at that point, had we not tweeted “Come on you bastards, is that all you’ve got? We personally invite Anonymous and LulzSec to test their might, for our (1/2),” or, thirty seconds later, “(2/2) truly important information remains impeccable and virginal, untouched by human hands, like Wonka’s chocolate,” or “(3/2 sry) and you script-kiddie filth can only dream of violating our sanctum with your leprous tendrils!” But, as has been widely reported and testified under oath, we did accidentally let that tweet slip out, though it was meant only as a draft, and for that mistake we lay the blame squarely on the confusing UI of TweetDeck. We still share the blame for the second wave of attacks that revealed our users’ social graphs, private messages, “deleted” posts, and a groundbreaking artificial-intelligence prediction of their spending habits over the next three years.

Thus, after the breach, when users questioned our security methods (and after we tweeted “LOL looks like someone believed an Onion article” and then respectfully deleted that tweet), we divulged the above missteps immediately after a public outcry, CNN investigation, federal inquiry, Congressional hearing, class action suit, multiple appeals, Supreme Court decision, and a dedicated visual album by Beyoncé Knowles.

Our thoughts are with our users as they sit down for hard conversations with their wronged spouses and children, hopefully uninterrupted by the SWAT teams responding to prank calls from 4chan. Our hearts especially go out to our pro users and whichever customers they have somehow convinced to stay. We take full responsibility for every hardship our users have faced: the harassment, doxing, extradition, denial of service, kidnapping, long hold times, data loss, cold calling, name calling, and forced Microsoft Silverlight download.

Please do not hesitate to reach out to us with your request, complaint, or threat. Our staff can be reached by writing their names on the wings of a dove, then releasing that dove over a body of water, pointing it toward the U.S. Virgin Islands, and crying after it, “Godspeed to you, my glittering saviors!” If a dove is unavailable, please visit us in person. You may arrange an appointment by dove.

Unfortunately, we will be unable to refund all auto-renewing memberships.

With our utmost and very real apologies,

SafeCorp

*First Published: Jul 30, 2016, 11:00 am CDT