PR Tips from Facebook’s Response to its Password Snafu

One tenet of crisis PR is to be as transparent as possible. Another maxim that's applied to PR generally, but also works in crisis situations, is that if you don't tell your story, someone else will be glad to do it for you. You might not like the other person's version of your story, of course.

These PR basics might come to mind while perusing recent headlines. On March 21, Facebook admitted that it experienced a problem with passwords. Through a few miscues, it exposed hundreds of millions of users' passwords, stored unencrypted as plain text, to about 20,000 Facebook employees. This began in 2012. There's no evidence that staffers misused the passwords. Still, "at least 2,000 Facebook employees searched through the files containing passwords, though it’s not clear what for," The Verge reported.

Transparency and Accountability?

Facebook yesterday issued a blog post, Keeping Passwords Secure, explaining the problem. Transparency and accountability, right? Not quite.

In the post, Facebook admits it discovered the password snafu in January during a routine safety check. The problem is fixed, it says. Millions of users will receive notification. The password problem touched “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users,” the post says.

A question: Why did Facebook post the blog yesterday, in late March? It spotted the issue in January. A possible answer: Because it had to. On March 19 an influential site exposed the messy situation.

'We've Fixed the Problem'

Facebook's post, an attempt to tell its story and mollify users, says that since there was no evidence of foul play, users need not change their passwords. Since Facebook was late to tell its story, others are busy doing so for it. Many of those media stories prominently include a version of "Facebook users should change their password."

Given the trouble Facebook experienced during the past few months, you'd think it would want to admit and own its mistakes in a transparent and accountable manner. More confounding still, there was even precedent suggesting that Facebook had learned its PR lessons. Back in late September, Facebook acted transparently AND caught a break. It quickly admitted its largest data breach within a few days of discovering it. Great.

Good Luck

Facebook made that announcement September 28. That was the day the nation was glued to confirmation hearings for now-Supreme Court Justice Brett Kavanaugh. The Facebook admission entered the news cycle eventually, but it took several days for the all-Kavanaugh-all-the-time mode to subside. Still, give credit where it's due.

In addition, Facebook was quick to respond recently to the New Zealand shooting, where a live video of the incident ran on its platform briefly. Facebook's blog post of March 20 was a step in the right direction and satisfactorily transparent.

The hope is we see more of this behavior and less of the kind surrounding the password problem.

Seth Arenstein is editor of PR News. Follow him: @skarenstein