Yahoo were aware of the leak at most 45 minutes after it leaked. Damage control wasn't deployed until a day later. This is their fault. They could have nipped this in the bud by getting a decent blog post out within an hour, and contacting any news outlets who'd already run with the story.
Legally they have to reply in 20 days, though that's not exactly well enforced. One day is still quick; they were likely looking for a good outlet to announce what happened.
Coming up on 2 months since they hired Holder to investigate. I wonder how long that sort of thing usually takes. I assume they would want to get whatever press release that goes with that out of the way soon, to group all the bad news in the shortest cycle.
Can we get a little perspective? It's been less than a day since this came to light.
How about giving the people who are investigating a reasonable amount of time to investigate what happened, ferret out who is responsible and figure out how best to move forward?
You can't have it both ways. They were transparent. Complaining that it was 3 days after the incident is irrelevant since we don't know how much investigation was required for them to understand the problem.
It's likely that it was fixed sooner than that. I would bet they gave it 7 days before he could talk about it, so they could audit the rest of their site.
For what it's worth, all reports and screenshots of this seemed to have happened within the same hour, so it might've been fixed quickly. I definitely would expect this to get a public postmortem within 48 hours, though (maybe Cloudflare has ruined my postmortem timeline expectations).
This doesn't look like a post mortem - it is a quick reaction/apology the day after and promise of a post mortem. It doesn't seem unreasonable that they need more time to dig in to the root causes.