Comment by cogogo
1 day ago
About 10 years ago I was at a startup that used one of the upstart 401k providers of the time. Logged in one day and could see several of my coworkers’ accounts. Really bad class of bug. Still not clear to me how they could have screwed up account atomicity so poorly but assume it was something to do with how they managed orgs.
I was pretty mad about it but also tried to play ball and not make too much of a fuss because I learned some pretty private things without meaning to and didn’t want to inadvertently make them public. Should have been more vocal.
> didn’t want to inadvertently make them public
Screenshot, redact, mass email everyone. Problem solved. Financial institutions don't deserve any leeway with security issues when it comes to their reputation. Handling your money securely and privately is the totality of their reason for existence.
I tend to err on the side of discretion as well. It's more professional.
Though over the years, I've learned to calibrate that discretion proportional to how much of a good-faith effort the counterparty involved seems to be making. If they clearly don't give a shit that they're incompetent, they can expect my megaphone to blare.