Here’s the email they sent out letting me know about it:
Dear Sunrise User,
We have been informed that our database provider (MongoHQ) has experienced a security breach. In handling security incidents, our priorities are to make sure your data is safe, eliminate the control failures that allowed the breach to occur, and to report the incident accurately to our customers.
Here is what it means for you:
- Your Google, Facebook and Twitter data are safe. We’ve refreshed the identification key that allows our servers to communicate with your connected accounts, which means any data that could have been taken by a malicious party is useless before or after the incident.
- Your LinkedIn, Foursquare and Producteev data are safe. You’ll just have to reconnect those services to Sunrise, as they don’t offer the same security control as Google, Facebook or Twitter.
- If you chose the “Email” option to sign up to Sunrise: your Sunrise email and password are also safe. We encrypt them in our database using the industry standard algorithm (bcrypt).
- If you connected an iCloud calendar to Sunrise, even though we don’t store any credentials, the security breach may have put some of your calendar data at risk. As a precautionary measure, we recommend that you change your iCloud password and reconnect it to Sunrise: simply click here and then click on “Reset your password” to do it.
- As one of the many precautional measures we are taking, we will be logging every Sunrise user out of the app. Simply log back in using the “I’m Already a Sunrise User” button and choosing one of the options that you had previously connected to your account.
- Just to be clear, none of the data affected by this incident has any access to your credit card or banking information.
If you run into any trouble or if you have any questions, please email us at firstname.lastname@example.org. We are here to help.
We are incredibly sorry that this happened. Your security is very important to us, and once we were aware of the issue we took immediate steps to protect you and maintain your trust.
Just like with Buffer, let’s take a look at how well the Sunrise team did.
Sunrise didn’t quite match Buffer’s one hour email time. The MongoHQ breach happened on October 28th. Sunrise sent this email to me on November 2nd at 10:15pm Central Time.
I understand that it might have taken some time to confirm Sunrise was a victim in the MongoHQ breach. There’s a balance between a fast response and a helpful response. Just keep in mind that the quicker you can get information to your customers, the better.
Sunrise nails this with their email. I love the section detailing exactly what this breach means for me. Notice the constant reference back to your data being safe. That’s my main concern at this point. By addressing it head-on and putting it in bold, I easily see it with my first scan of the email and relax a little.
They also give a direct email address back to their support team. It’s easy to find just in case I need some questions answered.
It would’ve been nice to have a link back to their blog post in the email. That would give me an easy place to check for updates rather than constantly watching for another email.
Overall, the Sunrise team did great
It’s been a tough time for anyone caught in the MongoHQ situation. Security breaches are never fun, but as with Buffer, openness and transparency keep customers loyal to you. That’s why I’m still sticking with Sunrise. They told me what happened and how I was impacted. Openness and transparency win every time.
Have you seen any other companies handling security breaches like this really well?