SEVEN MILLION Minecraft Community Accounts Exposed, 0 Informed

Erik Bernstein crisis management, data breach

[Editor’s note: A big THANK YOU to colleague Phil Cogan for bringing this story to our attention! If you have a topic that might be a good fit for this blog we’d love to see it, drop an email to any time.]

Having less-than-ideal security in place to protect user accounts is bad, but knowing that seven million of those accounts have been breached and not informing those affected is so very much worse. This was exactly the case when popular Minecraft community site Lifeboat was compromised, and the repeated fails along the way make this case a premier “how NOT to” example.

On top of using one of the weaker encryption methods to hide login info from prying eyes, Lifeboat also advised (and continues to advise) users to create short passwords in its “Getting Started” guide:

By the way, we recommend short, but difficult to guess passwords. This is not online banking.

Once it did discover the breach, Lifeboat decided to not inform users that their information had been compromised, instead opting for an unexplained site-wide password reset. Lifeboat still has not released any type of official statement, which means we’re left guessing at their reasoning. One might suspect that the powers-that-be over there are running with the idea that, since no financial or other information typically used in identity theft and similar crimes was taken, they’re in the clear. While in a vacuum that may make some kind of sense, everyone is well aware that people use the same password across multiple platforms despite warnings to the contrary. There’s simply no excuse for not telling your users that there may be cause to change their login info at other sites beyond Lifeboat itself.

Hacks happen. It’s how you handle them that will determine whether your stakeholders make a cautious return or run in the opposite direction.

The BCM Blogging Team


