How Not to Deliver Bad News: Dropbox CTO Arash Ferdowsi

May 13, 2011 | Case Studies

This week, a Dropbox security vulnerability was discovered that enabled attackers to log into anyone’s account. Every company makes mistakes and customers must be notified. However, the announcement by CTO Arash Ferdowsi has received an especially negative response. This post presents an EffectCheck analysis of Ferdowsi’s statement and the reaction of the audience.

The Statement

Dropbox was slow to respond to claims of a security vulnerability, even when the prominent news site TechCrunch confirmed the report. Arash Ferdowsi finally posted the following on the Dropbox company blog:

Hi Dropboxers,
Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions.

We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner. If you’re concerned about any activity that has occurred in your account, you can contact us at

This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.

Community Response

Overall, the response has been very negative. What may be surprising, however, is that almost as much discussion has focused on the statement’s tone (cold, clinical, and unapologetic) as on the security vulnerability itself. For instance, here are some of the things people noted in the HackerNews comments for the post:

I think Dropbox would benefit from bringing in a competent PR person to advise them on making this kind of announcement… — rdl

I don’t understand why Drew doesn’t either make these posts or find a PR person to filter Arash’s comments through. — ctide

…there isn’t much wording around apologies or being sorry about letting that happen. — timothee

And this is coming from a community that is populated with engineers and scientists. Imagine what a more emotionally driven community may have to say in this situation!

Analyzing the Statement

As with our Twitter case study, it’s important to note these kinds of announcements are already going to cause increased anxiety, hostility, and depression. The goal is thus to minimize the damage by carefully crafting the message. Here is the score for Ferdowsi’s statement:

The heightened levels of anxiety, hostility, and depression correspond well to the sentiments of the HackerNews community. This is a great example of a phenomenon referred to as media priming: when you evoke negative sentiments in your readers, they in turn respond with comments that evoke negative sentiments. Consider some of the anxiety-evoking phrases used in the post:

A very small number of users (much less than 1 percent)…

As a precaution, we ended all logged in sessions.

This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.

In fairness to the Dropbox CTO, in my opinion he may not have been in the proper mindset to write a PR-related post. After spending lots of time dealing with this bug and then poring over data logs to identify vulnerabilities, his mindset was probably more like that of an engineer than a marketer. Indeed, if we look at his post scored as if it were a HackerNews comment (since HN is predominantly engineers), we see a much different result:

Here, although we have slightly elevated levels of anxiety and hostility, we see compassion is the dominant emotion with the others very near to the typical levels. Surely it would be favorable to lower the negative emotions to lower-than-normal levels, but overall this would be a decent score for such a statement. Unfortunately for Arash, a company statement announcing a security vulnerability and an arbitrary article comment on HackerNews are very different categories.

Conclusion and Lessons Learned

The lexical impact of your word choice when delivering bad news can certainly amplify any negative response from your audience. In Arash Ferdowsi’s case, an overly blunt and matter-of-fact style clearly did not go over well with his audience. The main lesson one can learn here is that word choice is very important, and 10 minutes of editing may save you 10 hours of angry customer emails. If he had used EffectCheck, the response may have been more positive.

David Fogel