Update on Investigation of 2/16/24 Security Issue

I like that this time there was an email sent to everyone identifying all the different conditions/categories of people affected (or not). I see this as a step in the right direction and something that everyone was asking for to be done differently for any future issues, so it is good to see this now. Thank you for listening to our feedback requesting you do this in the future (I certainly [strongly] requested this in the past, so thanks), and deciding to implement it.

I also appreciate that you didn’t postpone sending this and didn’t decide to wait until normal business hours to send us your results (i.e., Tuesday morning). You told us you were doing a full investigation and would tell us the results as soon as you could give us the facts. I guess your “as soon as” was totally literal, because you finished the investigation and, even though it’s the middle of the night on a weekend night going into a holiday, you sent out the message now anyway because it was ready and you felt you shouldn’t postpone it. That’s encouraging. There may be some people not happy about middle-of-the-night notifications, but I think it was the right call for something like this (besides, who doesn’t know how to use do-not-disturb, especially for something like emails while they sleep?).

While this was serious enough that working through the holiday weekend should be a given (especially for fixing things), I am still glad that you worked through the holiday weekend and late into the night and were thorough enough with the investigation that you identified every single account affected, every account that had a wrong thumbnail/event, and every account that clicked on an event. The thoroughness is appreciated, and letting me/us know which group/category each of my accounts falls under is appreciated so I am not just sitting around wondering.

(Edit update: Dave just stated the investigation isn’t over yet: “This investigation is not wrapped up yet, we will continue to discuss as a leadership team and evaluate what needs to change to better protect our users,” which means you sent out this update after just the mid-analysis, without making us wait even longer. I’m not sure if this means that we’ll get another update or not toward the completion. There is more information I’d love to hear, but I am glad you didn’t make us wait longer for the information that was currently known and ready.)

I think bypassing cache for checks on user-device relationship is a good move for now considering cache issues have come up twice now, though in different ways. Yes, please do stress test the caching, preferably with a 3rd party contractor before using caching again.

I think the response this time was an improvement and increasingly transparent. Certainly more than most other companies that have leaked my information. A friend of mine recently shared with me this site: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf where there is a list of recent breaches of protected health care information constantly being hacked, stolen or leaked, with tens of thousands of victims constantly happening. It was a little terrifying how often our protected health and other information is constantly being hacked/stolen and we basically never even hear anything about it. I didn’t realize they were happening ALL THE TIME, like tens of thousands multiple times per week, and nobody even mentions it, and we get few to no details at all. I appreciate that this message proactively identified every affected user and let us know, and even let those unaffected know. I for sure much prefer being notified than left in the dark (as being left in the dark seems to be standard).

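The post above endorses bypassing the cache for user-device relationship checks and stress-testing the caching layer before it is reinstated. The following is an added example (not code from the post, the company, or its product) that shows in miniature why a TTL cache in front of an ownership lookup can hand one user another user's device after a reassignment, and why a cache-bypassed check does not. All names (`DeviceDirectory`, `AccessCheck`, `cam-1`, the users) and the timeline are constructed for illustration.

```python
import random
from dataclasses import dataclass, field


@dataclass
class DeviceDirectory:
    """Hypothetical source of truth: device_id -> user_id of the current owner."""
    owners: dict = field(default_factory=dict)

    def owner_of(self, device_id):
        return self.owners.get(device_id)


@dataclass
class AccessCheck:
    """Ownership lookup with an optional TTL cache in front of the directory.

    With bypass_cache=False a cached answer is trusted until it expires, even if the
    directory changed in the meantime; with bypass_cache=True every check reads the
    directory, which is the 'bypass cache for user-device checks' mitigation.
    """
    directory: DeviceDirectory
    ttl_seconds: float = 300.0
    bypass_cache: bool = False
    cache: dict = field(default_factory=dict)   # device_id -> (owner, expires_at)
    directory_reads: int = 0                     # how often we hit the source of truth

    def owner_of(self, device_id, now):
        if not self.bypass_cache:
            entry = self.cache.get(device_id)
            if entry is not None and entry[1] > now:
                return entry[0]                  # served from cache, possibly stale
        self.directory_reads += 1
        owner = self.directory.owner_of(device_id)
        self.cache[device_id] = (owner, now + self.ttl_seconds)
        return owner

    def can_view(self, user_id, device_id, now):
        """Authorization decision used before serving a thumbnail/event."""
        return self.owner_of(device_id, now) == user_id


def stale_cache_scenario(bypass_cache):
    """Constructed timeline: alice owns cam-1 and views it at t=0 (warming the
    cache); cam-1 is then reassigned to bob; at t=20 alice's access is checked again.
    Returns True if alice is still allowed to view cam-1 after the move (a leak)."""
    directory = DeviceDirectory({"cam-1": "alice"})
    check = AccessCheck(directory, ttl_seconds=300.0, bypass_cache=bypass_cache)
    assert check.can_view("alice", "cam-1", now=0.0)
    directory.owners["cam-1"] = "bob"            # ownership change between checks
    return check.can_view("alice", "cam-1", now=20.0)


def count_stale_answers(bypass_cache, rounds=2000, seed=1):
    """Toy stress test of the kind the post asks for: random reassignments
    interleaved with access checks. Counts answers that disagree with the directory
    at the moment of the check. A correct check returns 0 regardless of timing."""
    rng = random.Random(seed)
    users = ["alice", "bob", "carol"]
    devices = [f"cam-{i}" for i in range(5)]
    directory = DeviceDirectory({d: rng.choice(users) for d in devices})
    check = AccessCheck(directory, ttl_seconds=50.0, bypass_cache=bypass_cache)
    stale = 0
    for t in range(rounds):
        if rng.random() < 0.05:                  # occasional device reassignment
            directory.owners[rng.choice(devices)] = rng.choice(users)
        user, device = rng.choice(users), rng.choice(devices)
        truth = directory.owner_of(device) == user
        if check.can_view(user, device, now=float(t)) != truth:
            stale += 1
    return stale


if __name__ == "__main__":
    print("cached check leaks after reassignment:", stale_cache_scenario(False))
    print("bypassed check leaks after reassignment:", stale_cache_scenario(True))
    print("stale answers, cached:", count_stale_answers(False))
    print("stale answers, bypassed:", count_stale_answers(True))
```

The point of the stress test is the invariant, not the numbers: any caching layer put back in front of this check has to keep `count_stale_answers`-style disagreements at zero under concurrent ownership changes, which in practice means invalidating or keying the cache on the relationship that actually changes, not just on a timer.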