Responding Properly: External Communication

While you are sitting in a channel with a bunch of people who are trying to identify and fix the issue at hand, it’s easy to forget about communicating what is happening to the outside world. However, this is one of the most important elements.

How you respond to an attack can literally save people’s funds or cost them. Waiting five minutes or five hours to warn your users could be the difference between $100 stolen or $100,000. A single wrong word in your tweet could result in more funds being stolen… or less. This is why it’s massively important to have a plan, never post a message without having someone else review it, consider the unintended consequences of your message, and don’t let your panic (or ego) overwhelm your common sense.

Where to Communicate

First, realize what you can and can’t do. If you are short-staffed, you may only have the resources to update a single channel. Twitter is usually my recommendation as it allows you to be very short, is public, is easily linkable, and is (hopefully) a trusted source of information associated with your company. If this is the case:

Post your initial message / warning / alert / PSA to a single channel. Include that you will be only monitoring and updating this single channel in the short term. Post across all other channels to this single (public) point of reference. Provide updates via that single channel as things develop.

If you don’t have the time to post across all the channels, ask others to do it for you. People love being helpful and will step up to the plate if you give them the opportunity. Don’t be scared to ask for help, even in public. That said, you don’t want to ask them to speak on behalf of your company or ask them to communicate a specific update. Instead, use them to direct people to your official communication source:

“We will be posting frequent updates on our Twitter. If anyone sees confusion or misinformation on Reddit, Telegram, Discord, etc. please direct them to our Twitter. Thank you!!”

Ideally, you will have a few people on your team to help monitor and communicate across multiple social media channels. If you don’t have the proper people on your team, think about who you would ask to help out in a situation now. Think about leaders in this space, people with large social followings, people who are security-minded, people who communicate clearly and responsibly, etc. Grow your network and connections today.

When to Communicate

The “when” is going to depend entirely on the situation at hand. The biggest question that needs to be answered is, “Will communicating this now prevent more loss from occurring?”

It doesn’t matter how much loss. It doesn’t matter who is to blame. It doesn’t matter if you discovered a bug that isn’t “in the wild” or if you are under active attack. It doesn’t matter if it will make your brand look bad. It doesn’t matter if you aren’t entirely sure how big the compromise is. If communicating externally could save one person any amount of funds, you should communicate externally immediately.

Examples include:

Your website was compromised.

There was a bug in your code that could result in lost funds.

Your DNS was hijacked.

Your users have reported a phishing email that appears to be sent from your email address.

Your support system was compromised.

An extension unrelated to your company was compromised that targeted your users.

A news article is sending people to a phishing version of your product.

The only time you should hold off on communicating publicly in the short term is if there is nothing any person could do to save their funds or if alerting the public to the issue would in itself cause more loss.

The Parity multisig hack is a good example of the latter. If you knew that the multisigs had been hacked, you knew there was a bug in the code that could be exploited, and it was suddenly trivial for you to recreate the attack. This would have created more loss. So, instead of immediately releasing all the details, the people closest to the issue opted to share information via more private circles and let it ripple outwards from there. That said, the first official public statement about the attack was made about an hour after the discovery, not days or weeks later. The goal was to get a head-start, not to pretend an incident didn’t occur or lie to the community.

Don’t run around and spread fear. Stop, drop, and think before you speak.

How to Communicate

The first public statement you make is probably the most important piece of the equation. The perfect message accomplishes a number of things, but the primary goal is to save users and/or their funds. Therefore, we should look at it from a user’s point of view, not your point of view. A user doesn’t care what, why, or how it happened during this initial message. As a user, I should walk away knowing:

Am I affected by this? How can I know if I am affected by this? If I am affected by this, what should I do now? If I am not currently affected by this, what should I do, or not do, to prevent myself from being affected by this?

The message should be very careful not to directly or indirectly cause more loss. Therefore, it’s always good to lead with who is affected rather than what “being affected” results in or why it happened.

Consider the following example:

“URGENT! PSA! Our website was compromised and user funds are being stolen!!!!!!! Do not visit [link to our website]!!!!!!!!!!!!!11!!!!”

Problems:

It doesn’t tell anyone who is affected or not affected by the issue.

It scares people. Scared people act irrationally.

It links to the website that you don’t want them to visit. Pro-tip: scared people will click links before processing instructions, resulting in more loss.

It doesn’t tell people what to do.

Using the words “our website” is better than a link. Even better is purposefully breaking the link (e.g. “mywebsite[.]com”.) This is especially necessary if you have multiple websites or products, but only one is affected by the situation.

Another example:

“WARNING!!! DON’T ENTER YOUR SEED ON OUR WEBSITE TILL THE FURTHER NOTICE!” [huge image of big red warning symbol]

Problems:

It doesn’t tell anyone who is affected or not affected by the issue.

It scares people. Scared people act irrationally.

It doesn’t tell people what to do or where to go for more information.

It’s grammatically incorrect, contributing to confusion.

A last example:

“Urgent! If you have [popular chrome extension name] chrome extension installed AND used [website name] within the last 24 hrs, please transfer your funds immediately to a brand new account. How to do this: [link to knowledge base tutorial]”

Getting better! This clearly identifies who is affected by the issue and gives those people an action to take to prevent further loss. Be prepared to answer clarifying questions in the responses ASAP.

External Communication: Someone publicly reported an issue with your product

Here’s another scenario. Let’s imagine someone discovered a vulnerability or issue with your product and has decided to inform the public, whether or not they informed YOU first. Their report may be inflammatory or it may contain false information. It’s easy to react emotionally and directly to them and their post.

It’s more productive to create a response that stands alone and deals with the security incident directly. Remember, your primary goal is to save users and/or their funds. When responding, remember:

Don’t deflect. Own it. It’s an issue with your product, regardless of who or what is ultimately to blame.

Don’t attack, dox, or belittle the person who reported the issue. Thank them graciously and sincerely.

Determine and explain who is affected, how they can determine if they were affected, and what exactly they should do now.

Determine and explain who is not affected.

It is uncomfortable to be informed that something is wrong with your product and that this issue has resulted in users’ information or funds being stolen. It can get especially difficult when the bug reporter has lost funds. They are in a bad place and are not communicating ideally. It’s your job to deal with that graciously: