Dropbox got hacked a while back. So the company emailed affected users — and hid the news. Burying the lede* is counterproductive; it just makes people work harder to find out the truth. Good writers get to the bad news quickly and frankly, then move on.
Here’s what happened: In 2012, somebody stole 68 million Dropbox usernames and passwords. Dropbox found out a couple weeks ago. The file is “hashed,” which means you’d have to break encryption to get at the data, and there’s no indication that anyone’s account has been hacked. But as a precaution, Dropbox is requiring that people with old passwords change them, and has emailed users to explain.
Finding the Dropbox news is a scavenger hunt
Here’s the email that Dropbox users with old passwords received:
Resetting passwords from mid-2012 and earlier
We’re reaching out to let you know that if you haven’t updated your Dropbox password since mid-2012, you’ll be prompted to update it the next time you sign in. This is purely a preventative measure, and we’re sorry for the inconvenience.
To learn more about why we’re taking this precaution, please visit this page on our Help Center. If you have any questions, feel free to contact us at email@example.com
If you got this email, you know something happened, but what? It’s like a scavenger hunt for news. So you click on the link and see this:
I’m being asked to create a new password on dropbox.com—why, and what should I do?
The next time you visit dropbox.com, you may be asked to create a new password. We proactively initiated this password update prompt for Dropbox users who meet certain criteria. Specifically, we’re prompting the update for users who:
Still no reasons, just the weasel words “proactively” and “certain criteria,” which seem vague but menacing. So you scan the page. One-quarter of the way down, 160 words in, you finally get to this:
Why did Dropbox prompt this password update?
Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we recently learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012. . . .
Based on our threat monitoring and the way we secure passwords, we don’t believe that any accounts have been improperly accessed. Still, as one of many precautions, we’re requiring anyone who hasn’t changed their password since mid-2012 to update it the next time they sign in.
The language here is moderately clear and direct, although the word “breach” appears nowhere. If this passage was at the top of the email, I’d be praising it for directness. But instead, users who care need to dig through an email and partway down a Web page to get the actual news. (Or they can Google it and read somebody else’s version of what happened.)
There’s no evidence that Dropbox was compromised, but that’s no excuse. If you have a breach, you ought to be clear about what happened.
How to deal with bad news
The Iron Imperative says “treat the reader’s time as more valuable than your own.” If you have bad news to deliver, this means delivering it quickly, and up front. The more hoops the customer or reader has to jump through to find it, the more you are communicating “You cannot trust us to tell the truth.”
In this case, here’s what Dropbox should have written in the email:
If you have an old Dropbox password, here’s why you need to reset it
If your Dropbox password is more than four years old, you’ll have to reset it. We’ll prompt you when you log in.
Here’s why: we just found out that somebody stole a password file of ours in 2012. Because of the way that file was encrypted, we don’t think anyone can get the actual passwords out of it, and we have no evidence that any accounts have been breached with this information. Even so, as a precaution, we’re asking you to reset your password if you haven’t changed it in the last four years.
For more detail, see this page on our site or email us.
The result is exactly the same as the other email — except that it shows quickly that Dropbox is coming clean about the problem.
* About “burying the lede”
The problem of hiding the big news is called “burying the lede.” “Lede” is newspaper slang for the opening sentences of a news report, and it’s spelled that way to avoid confusion with the word “lead”, which you can misread as meaning the heavy metal. (As I learned from my grandfather, a linotype operator for the old Philadelphia Bulletin, newspapers and other publications used to set type in lead — the metal. Newspaper people wanted to avoid confusion between “lead type” and “buried lede”.)
Regular people who have nothing to do with journalism talk about “burying the lead” (pronounced “leed”, of course), which means exactly the same thing. Believe it or not, I agonized about which way to write this in the book, but after a moderate amount of Web research and contacting smart people by email, I settled on “lede.” No matter what I do, half the people will think I’m wrong. But now your day is a little richer because you’ve learned a little more about journalism slang and my grandfather.