
Ask HN: Ex-Employer gossiping I “hacked” their platform – what to do? - _u844
I am really at a loss right now. I worked for a startup for two years and put my heart and soul into helping build the company as a senior manager.

I ended up quitting about 2 months ago to focus on relaxing during the holidays and spending time with my family (did not take a vacation) before seeking a less intense position.

Some old members of my team have come forward to inform me that there was a set of data breaches on the platform and the internal answer was to not announce it and put the blame on me. From what I am told there is no proof other than a geolocation that points to where I (and multiple other employees) live.

I reached out to the CEO and basically the first question was who was it to leak this and then basically a statement that the company did not accuse me of anything and there is nothing that can be done about the gossip. When I left the company I took every precaution to revoke my credentials and return my equipment promptly. I now know I cannot use anyone at my current employer as a reference and feel these false accusations will greatly damage my future employment opportunities. I am currently having meetings with attorneys on how to protect myself but figured I'd ask the community if anyone has ever gone through this.
======
Juliate
Been there myself and seen it in other places too.

It can actually be a good filter, prospect-wise: a company that does gossip
about/blame an ex-employee for some of their failures is advertising their own
lack of agency.

If they were smart, they wouldn't gossip, and not even let the gossip go.
That's very bad strategy, both internally and externally.

If they're not, well, I can't tell you what to do.

What happened to me:

1. first I spent several horrible months expecting my whole career to be
over;

2. until I realized my ex-employer and its own reputation in the field was
totally irrelevant and could not harm my reputation much (or better yet, act
as a useful filter);

3. when looking for employment, when relevant, I explicitly mentioned this
experience and what came with it, and what I was then looking for in a new
company/position/team, so that I was the first to pitch what did happen and
how I reacted to it.

It served me well. Those that listened to my story and took the time to
understand it turned out to be great teams to work with. Those that dismissed
me on the spot, well... I can't say really - but what I heard of afterwards
from ex-employees was kind of reminiscent. :)

~~~
germs12
This is exactly what happened to me. I went from being a model "A-player" to
"He was a C-player who needed to go". Don't think for 1 second the business
will ever compromise itself for you.

#3 is really important. Do not shy away from sharing your stories with your
potential new employer. It helps them better understand who you are. If they
care about you and the investment they are making in you, then they will want
to hire someone who is strong enough to stand up for something they believe.

~~~
dman
#3 can also backfire badly. Personally I would avoid it.

~~~
x0x0
If it's going to come up, either via references provided by the employee or
via a backchannel, you're smarter to directly address it in the interview with
the hiring manager. At least that way the hiring manager hears your side of
the story too.

We hired someone who came within a hair of (deservedly) being charged with a
felony by the FBI. He basically said he did something stupid 10 years ago, had
learned a lesson, made amends, etc. Had he not addressed it during the
interview, we would definitely have not hired him when it later came up during
a formal background check.

~~~
monoideism
> within a hair of (deservedly) being charged with a felony by the FBI. He
> basically said he did something stupid 10 years ago, had learned a lesson,
> made amends, etc

Was it a work-related alleged offense? If not, sounds a little extreme to not
hire someone because of an allegation that happened 10 years ago that they
weren't even charged with.

------
thrwaway999
A similar situation happened to me several years ago. My former employer
claimed I was involved in a data breach a year after I quit. The FBI raided my
home and questioned me for hours about what I knew. I was not involved and had
no knowledge of any incident.

I would strongly urge you to retain counsel with a criminal defense attorney
and seek to squash this as soon as possible.

When a company claims that someone, especially a former employee, is involved
in criminal activity, they will point guns at you and ask questions later. In
the eyes of law enforcement, you are presumed guilty.

~~~
f38zf5vdt
Yes, so some terrible truths:

1. Talk to lawyers, who will probably tell you to talk to no one and to refer
LE/legal notices you get to them.

2. Never reach out to your old company about this. You probably should not
have done this in the first place, since perversely asserting your innocence
often makes you look more guilty (since 'that's exactly what a guilty person
would do').

Basically, if this evolves into a legal matter it's out of your hands. Try not
to get anxious about this, since rumors at an old company are entirely out of
your control. If you're innocent, internal or external investigations should
prove so.

------
_u844
OP here. Thanks for all the advice, it's honestly been helpful and eye-opening.

To clear up a few things.

- The comments from the CEO were via text and more "I would have called you if
I thought you did something" and "I'll talk to them but I don't know what more I
can do". TBH I was angry and not exactly cordial in my communication.

- From what I understand the "hack" wasn't my credentials but someone logging
in near where I live with the CEO's credentials and changing some settings in
the admin. This honestly is what scares me the most... everything in the admin
is (or at least was while I was there) soft delete only with 5 minute interval
database backups. The action has a potential to ruin my life but the actual
impact is basically a mild annoyance to the company... at this point I get
concerned about sabotage.

- In terms of defamation apparently certain individuals thought it'd be funny to
take where I live and put it up on one of the system monitoring screens for
the whole company to see. Currently I am seeking counsel to both protect
myself and see if this action is something that is worth responding to.

~~~
mkhpalm
Why would you know the CEO's credentials? Even if you did I would start
pointing that out very loudly. At least until any blamers backed back into
their holes.

~~~
PostPost
Yeah... geolocation or IP addresses can be spoofed. But if it was the CEO's
credentials, why in the world would you be getting the blame?

------
m-p-3
Looks like the kind of employer you might not want to use for references
anyway, but I'd gather as much evidence of that gossip as possible, talk to a
lawyer and have him/her reach the company to cease propagating this gossip,
which could as well be considered defamation. If they believe they've been
wronged and something wrong actually happened, then they should bring those
facts with proofs to back them up.

~~~
soared
I don’t think a lawyer will impact the water cooler.

~~~
ulfw
and it will cost you a ton. I love when people immediately jump to "lawyer up"
like that's just nothing.

~~~
bluntfang
lawyers cost money too. companies don't want to use their law resources for
something like this. sometimes a letter on a law firm's letterhead with harsh
words is enough to at least get the company to take action. this probably
won't cost you more than $1k, which if you believe your career is at stake is
far less than future income.

~~~
Sanzig
Exactly - a scary letter should be enough to get the CEO to call the offending
employees into his office and tell them to knock it off, as they may be
opening the company up to liability. Any sane CEO will see that there's zero
upside to allowing these rumors to continue and plenty of downside.

------
citilife
I have been in the same situation a few times, even at the company I still
work at.

The truth is, it's in no one's best interest to drag this out. They'll do an
investigation and only if they have solid evidence will anything come of it.
In my case, I did nothing wrong and there was no evidence. Someone accused me
of something I didn't do or coincidence(s) led to me being investigated
(common in the area I work, actually).

Nothing came of it, because nothing happened on my end. However, it was a
nerve-racking experience. Especially, because you never know if something is
an accident or mistakenly evaluated.

In a case I'll share, we used a ruby on rails scaffold to create a web app.
Unfortunately, it had a mailer in there and looked like we could send emails
out. It wasn't active and all generic code "hello world", but you can see how
people freaked out. Luckily, those investigating dug into the code and
evaluated it, realizing nothing was connected.

In any case, if you did nothing, I'd put your odds at 99.9% chance nothing
happens. In the 0.1% chance the company does something, they'll have the
burden of proof and their customers will find out. Accusations do not prove
guilt. The company would likely be more harmfully impacted than you will and
you'll be able to provide a defense to the public record.

------
michannne
> I reached out to the CEO and basically the first question was who was it to
> leak this and then basically a statement that the company did not accuse me of
> anything and there is nothing that can be done about the gossip.

If it was a formal statement then you have nothing to worry about. If the
slander is getting to you mentally, you could seek legal counsel but sounds
like they can't actually do anything to you

If it was not formal, and there is a chance they can take you to court, then
you _need_ to get legal counsel, as you need to prep for defending yourself in
court. If, as you say, they should not have anything which points to you being
the malicious one here, then the hardest part is going to be the lawyer fees.

------
tiku
Well if they even acknowledge it to you in writing you are in the clear. If
they had real "proof" they would not have said this..

You could ask them formally to stop the slander and inform them that you will
take legal action if you receive any more word of these rumours..

~~~
alpb
Lawyering up just in case might be wise.

------
throwaway527694
I don't know if this was your intention, but you posted this under your real
name. Under the same account you posted an article that gives away your
ex-employer.

If it is intentional, then why not say the company in the post?

~~~
trhway
interesting coincidence that their product can be viewed as basically a
professional gossip platform :)

------
pulse7
One can hardly prevent gossip. You can do everything perfect and still get
gossip... I would just move on and do quality work in another company...

------
stuaxo
Get someone to ask them for a reference for you and see what it says.

~~~
9nGQluzmnq3M
Assuming this is in the US, it's exceedingly unlikely the company would risk
putting a negative reference in writing. OP is unlikely to get more than a
confirmation of dates worked though.

~~~
tyingq
Many companies will share "eligible for rehire" status.

~~~
scandox
Is that legal in the US? And what is the sharing mechanism? Word of mouth?

~~~
tyingq
Varies by state, but legal in most places. Big companies have automated
reference checking. Via truework or theworknumber, or similar. Which can also
verify salary...urgh.

https://www.nolo.com/legal-encyclopedia/free-books/employee-rights-book/chapter9-6.html

~~~
FDSGSG
>Which can also verify salary...urgh.

This seems so vulnerable to data entry mistakes that such data might just be
completely useless.

What happens when stated salary doesn't match salary verifier numbers? Do you
just not hire that person?

~~~
ghaff
Salary means a lot of different things anyway. If someone asks me (and I need
to provide something), I'm going to put down some rough total comp number
that's at the high end of what I earn in a typical year. It's not going to
match whatever is in the system as my nominal "salary" which really isn't all
that relevant.

~~~
tyingq
It is still irritating, because current salary shouldn't drive anything about
proposed salary. Employers should have to provide low/median/high for
employees of the same title in exchange :)

------
reilly3000
See if you can get them to demonstrate their false accusations by getting them
to state that to a reference. Without that, you have no material damages to
show, with it you have a case. Talk to an attorney. I’d be surprised if they
would be so foolish as to try to wreck your future employment prospects over
something you didn’t do.

~~~
theli0nheart
The OP likely already has material damages to point to. Reputation loss falls
under speculative damage, as loss of a business or job opportunity may happen
in the future due to his previous employer's actions.

As others in this thread have advised, hire a lawyer and discuss what your
options are.

------
morpheuskafka
You should ask your friends if there is any hard proof of such a statement,
like an email. If so, that could potentially be grounds for a defamation suit.

------
davismwfl
I never had an old employer accuse me, but I did have a consulting client do
almost exactly the same thing. It boiled down to a few people at the company
that didn't like that we pointed out a lot of security issues on things which
were not our direct work but was theirs. Basically we found a few major holes
in a couple of their systems we had to do some integration work with and we
documented the holes and gave it to the company as part of our deliverable.
Well like after 6 months post our exit they had a breach through one of those
systems. One of the PMs and a couple of devs accused my team of the breach
because someone had used one of the open doors we identified. Literally they
had an open port through the firewall to a database system that was
unprotected (no password even) and had client data in it, yea Mongo's stupid
default no user/password back then.

Essentially I did the same thing you did, reached out to the CEO, he denied
they blamed me or my team and said there was nothing he could do about a few
"bad apples" running their mouths. I disagreed and pointed out that what they
say in a professional capacity about myself or my team as a result of our time
there was something he can and should concern himself with. In the end, I did
what everyone here is telling you, get a lawyer. It cost me ~$500 to protect
our name and put an end to it, essentially we sent a cease and desist letter
and some wording on potential damages given our work and what was being
said. That letter only got one response which was they had addressed the
employees and agreed my team had nothing to do with their breach. That was all
I wanted, and it is what you should get because if it ever comes up you can
show that to whoever asks. Took less than a week to resolve and we did work
for that company again like 2 years later, guess who no longer worked there,
the "bad apples" were all gone, but most of the rest of the team was still
around including the CEO who brought us back. So it didn't cause us any damage
long term with anyone other than we probably pissed off a few people that were
already running their mouths a bit.

One last point. I have had people bad mouth me for a number of things over my
career. Not once did it ever really hurt me professionally, mainly because I
had a track record showing none of what they said was true. As a consultant I
had lots of people pissed saying we were there to displace them, replace them
etc etc (even old developers saying that cause they had ancient skillsets). I
had articles in a few papers how we were destroying jobs through automation of
services of a long term employer in a small town. None of it hurt us, it hurt
our pride/feelings a little cause we knew what they were saying was false, but
in the end none of it ever affected us professionally. In some cases it
actually helped us get other work partially because people saw we didn't react
and get defensive or go off the deep end. I am not advocating you don't defend
your professional reputation, but just realize there is a time and place to,
and a time and place to just let it drop.

~~~
zer00eyz
OP this is what you do... Lawyer up and get them to throw paper.

This is outrageous, and they are going to respond with "we took care of it"
and that letter is now GOLD.

I also want to back up what the above poster said about being a consultant and
folks badmouthing you. It is much less meaningful than you suspect or think,
and in some cases it can be a good thing.

------
hnbreak
Been there many times and I think, that it's a bit normal when leaving a
company/a powerful position within. People always blame the leavers for their
own mistakes or being in a crappy company. Then, the biggest challenge is to
let go and accept that you cannot do anything. Of course you could 'fight
back'. And tbh, I still don't know what's better.

Fighting back is a hassle, proving defamation is hard, getting lawyers is
expensive, suing and the following process can take years. And the outcome?
From an economic view, it's always a no, also the distraction from stuff that
really matters, for what? Fighting is great, some like it a lot, but it costs
so much energy. Moving on feels more sane. However, in the long run, there's
always a bitter aftertaste, just an odd feeling that you lost a fight. This
feeling will stay with you for quite some time but it is often just in your
head. Maybe the thing you are worrying about is not that big and not worth
thinking one more sec about. You just don't know.

If there's a fool-proof way to fight + win something significant + in a short
time frame, fight. Otherwise, get busy, get on new projects and once you are
on a better position/in a new company you forgot them anyway.

So, asking us was a good first step to get a bit busy, get an achievement
(getting on the front page) and out of racing thoughts. Now, keep on, write
the next Ask HN about some tech, ask 10 peers for a coffee after new years
eve, build a gaming pc, do whatever keeps you busy.

Edit: Not sure if you can trust the CEO but from what he wrote he sounds
ok/friendly and he doesn't care (which is good, because if one of them would
decide to sue you it would be him).

------
thrownaway954
See if you can get your friends to put their statements in an email or text
message. After that, consult a lawyer with the evidence and perhaps sue for
slander. I wouldn't take this lightly. This could damage your chances of
getting a job in the future if a potential employer calls them.

------
ohyes
Announcing that they're so incompetent that they failed to revoke a former
employee's credentials is pretty dense.

Talking to lawyers is the right thing to do. You don't want this gossip to
become a legal issue for you. Collect detailed notes on when and where you
turned in hardware, when / what credentials you had revoked, and to whom you
delivered these things and informed about them. Just because you didn't
perpetrate the hack doesn't mean that someone else wasn't using your hardware
for something nefarious. I normally insist that a work laptop be wiped
(obviously with all relevant work product handed off first) _before_ I turn it
in.

------
craftinator
Legal protection is a great start. I would also say that most hiring managers
understand that there are crappy companies out there, and that doesn't mean
that all employees coming from them are bad news. I'd suggest for future
interviews using the company as a reference, being direct that there was an
issue with workplace culture and that you are excited about the culture of the
prospective company. I would also recommend having some notes written down
about the issue in the case that the hiring manager brings it up; if they know
about it, they will probably ask, and if not then they probably never will.

------
reaperducer
Wow. Something similar happened to me a while ago, and I'm surprised and
relieved by the replies in this thread to find out that I'm not alone. I
thought it was just me.

My advice: Ignore it. There's enough churn on both the company and personnel
level in the industry that it will all be soon forgotten. Tech is not a
close-knit group of people who know other people. It's millions of people joining
and leaving companies, and hundreds of thousands of companies opening and
closing each day.

The gossip is just bird poop in the paint can. Eventually after enough
stirring it will disappear.

------
honkycat
Have your attorney contact them.

The CEO should issue you an apology and they should make an internal
announcement explicitly stating that you are not suspected of any wrongdoing,
and that it is wrong to accuse you further.

------
newnewpdro
Are you sure you're not just overreacting over what's essentially
tongue-in-cheek internal speculation based entirely on coincidence of your departure and
the breach?

------
harrisonjackson
There's already some good advice in the thread for the OP.

I'll add-on that this should not have been an issue in the first place. The
company should be protecting their customers better than this. It is already a
failure of the process when employees are _maybe_ revoking their own creds on
the way out. Not to mention what other issues actually led to the breach.

I'd also suspect a current employee (I feel sick even typing that out) before
one that has moved on months ago.

------
ww520
That sounds horrible. It might be best to talk to a lawyer, just in case.

In my case, a former client accused me of not giving them the source of a
product released earlier. The old product was in the git history after a
pivot, which I had given instruction on how to get back to a release tag.
Luckily I could quote old emails that I sent to them.

------
lidHanteyk
In he-said-she-said situations, have a good story. Deflect:

> Ha, yeah, I did no such thing, but they certainly want a scapegoat, don't
> they? So, when I was there, lemme tell you about their data security
> practices...

Gain empathy:

> Right, it's understandable that they'd want to blame _somebody_. And who
> better than me, walking out the door, going to spend more time with my
> family?

And minimize:

> But yeah, there's no real meat to their complaint. No attorneys or anything.
> They're just upset that they got caught shirking their legal
> responsibilities.

You might be able to hand-pick a reference from your old team, but you're
right to not automatically volunteer your old manager's contact information.

I have to be good at telling stories like this. My first employer used legal
strongarm tactics to disenfranchise me of thousands of commits of code, and my
second employer tried to pin a sexual-harassment claim on me and then fired
me after I asked their head of HR to follow the law. Employers are dicks. Tell
a story that lulls them to sleep.

~~~
matt_the_bass
I disagree with your 1st suggestion. When hiring someone, I expect them to
have a clear, concise, mature explanation. Gossiping in response with “lemme
tell you about their...” is a big red flag to me. I don’t want to hire a
blabbermouth. I think an appropriate answer is more in line with your second
and third comments. I think it is fine to say “I left months before they had
this problem. Perhaps they are looking for a scapegoat and I’m convenient.
I’d be happy to discuss my opinions of security design in general, but I won’t
discuss specifics of what was done at that company while I was there. I may
not have agreed with their choices. I’ve made the choice to leave there”

------
Ice_cream_suit
https://www.fastcompany.com/90304317/a-male-ctos-lessons-on-working-with-female-majority-team

"5 things I’ve learned working with a women-dominated engineering team"

Make that six things that you have learned...

------
sys_64738
You need a lawyer to send a cease and desist letter for defamation.

------
matsemann
> was a set of data breaches on the platform and the internal answer was to
> not announce it and put the blame on me

In Europe this could be a violation of GDPR not to report it. If so, they
would hurt themselves more by spreading this.

https://gdpr-info.eu/art-33-gdpr/

------
lostcolony
So in the US, for software engineering jobs outside of DoD related stuff...I
have yet to be asked for references (even then I don't think I was for being
hired, just for the clearance, and that was more personal than professional).
I would actually view being asked for them as a warning sign, given how
useless they are (speaking as a hiring manager).

I wouldn't worry about it from that perspective. If you need to you can point
out that the company hasn't spoken to the police even when you reached out to
them with concern over it, or retained legal counsel, or etc...but chances are
really good it's going to be a non-issue for future employment.

If they _do_ eventually reach out to police, and assert it was you, it will be
more interesting. That said, it doesn't sound like the kind of thing where
they'd have a particularly compelling case.

~~~
jacekm
Same in Poland - I've never heard of anyone asking for references here (at
least not in IT). You need to bring some paperwork from the companies you
worked for in the past, but it's for administrative purposes only, you do this
after you are hired.

