Ask PG: What steps would you advise a company to take after leaking passwords? - wooter

If one of the YC companies leaked half of their users' hashed passwords and immediately asked you for your advice on what to do, what would it be? What if they had low security standards?
Would it change if the company was bigger? (even public?)
======
pg
Apologize, explain what happened, and fix the bug(s).

------
jnorthrop
The typical advice to contact the users is good public relations advice, but
we all need to remember that there are strict data breach notification laws
throughout the US (46 different laws in 48 states)[1] and in many countries
around the world. If you know you've been breached and suspect personal data
has been stolen you need to get yourself a lawyer. These laws are complicated
and professional help is definitely warranted.

[1] [http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx](http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx)

------
opminion
It happened:

[http://web.archive.org/web/20070311083012/http://reddit.com/...](http://web.archive.org/web/20070311083012/http://reddit.com/blog/theft)

------
glimcat
My first thought is to force a password reset via email on the next login.
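A minimal implementation of that forced-reset flow, added here as an illustration; it is not code from anyone in the thread. It assumes an in-memory user table and a mail outbox (both constructed stand-ins), PBKDF2 for password hashing, and a one-hour single-use reset token whose raw value is only ever emailed while the store keeps its hash. Names such as flag_affected_accounts, login and complete_reset are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

PBKDF2_ITERATIONS = 100_000           # assumption: work factor chosen for the example
RESET_TOKEN_TTL = timedelta(hours=1)  # assumption: reset links stay valid for one hour


@dataclass
class User:
    email: str
    password_hash: str
    must_reset: bool = False                    # set for every account in the leaked set
    reset_token_hash: Optional[str] = None      # only the hash of the emailed token is stored
    reset_expires: Optional[datetime] = None
    sessions: Set[str] = field(default_factory=set)


USERS: Dict[str, User] = {}          # constructed in-memory stand-in for the user table
OUTBOX: List[Tuple[str, str]] = []   # constructed stand-in for mail transport: (recipient, token)


def hash_password(password: str) -> str:
    """Per-user random salt + PBKDF2-HMAC-SHA256, stored as 'salt$dk' in hex."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


def register(email: str, password: str) -> None:
    USERS[email] = User(email=email, password_hash=hash_password(password))


def flag_affected_accounts(affected: List[str]) -> int:
    """Mark every leaked account as reset-required and revoke its live sessions."""
    count = 0
    for email in affected:
        user = USERS.get(email)
        if user is not None:
            user.must_reset = True
            user.sessions.clear()
            count += 1
    return count


def issue_reset_token(user: User, now: Optional[datetime] = None) -> str:
    """Generate a single-use token, store only its hash, and email the raw value."""
    now = now or datetime.now(timezone.utc)
    token = secrets.token_urlsafe(32)
    user.reset_token_hash = hashlib.sha256(token.encode()).hexdigest()
    user.reset_expires = now + RESET_TOKEN_TTL
    OUTBOX.append((user.email, token))
    return token


def login(email: str, password: str, now: Optional[datetime] = None) -> Tuple[str, Optional[str]]:
    """Returns (status, session). On a flagged account a correct password
    triggers the reset email instead of opening a session."""
    user = USERS.get(email)
    if user is None or not verify_password(password, user.password_hash):
        return ("denied", None)
    if user.must_reset:
        issue_reset_token(user, now)
        return ("reset_required", None)
    session = secrets.token_urlsafe(32)
    user.sessions.add(session)
    return ("ok", session)


def complete_reset(email: str, token: str, new_password: str, now: Optional[datetime] = None) -> bool:
    """Accept the emailed token once, within its lifetime, then rotate the password."""
    now = now or datetime.now(timezone.utc)
    user = USERS.get(email)
    if user is None or user.reset_token_hash is None or user.reset_expires is None:
        return False
    if now > user.reset_expires:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, user.reset_token_hash):
        return False
    user.password_hash = hash_password(new_password)
    user.must_reset = False
    user.reset_token_hash = None   # token is single-use
    user.reset_expires = None
    user.sessions.clear()          # anything opened before the reset is gone
    return True
```

The two points worth keeping from this shape are that the old password never re-opens a session once the account is flagged (it only triggers the email), and that the reset link cannot be replayed because its hash is cleared on first use and compared in constant time until then.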

~~~
jeffool
I have to say I'm pretty amazed I haven't gotten an email from LinkedIn yet
about their leak. Craziness. They seem to have no problem occasionally
changing the setting of my "send me emails updating me of my networks" option.