How being hacked impacted our startup’s key metrics

Buffer was hacked on October 26th, resulting in several thousand spam posts appearing on Twitter and Facebook. Here is the impact on our numbers.

Last Saturday I was sitting in my favorite coffee shop doing a few support tickets and writing a blog post when I opened Facebook and saw that the whole of my timeline was full of spam. The next thing I noticed was that all of the spam was “via Buffer”. I scrolled and scrolled and it was endless.

We’ve written a lot about what actually happened and how to get your account running smoothly again. You probably saw news of the security breach if you read any of the tech and startup news sites.

It took a whole week, but it seems we have managed to weather the storm. We’re continuing to ramp up security in all areas of the product and company. When I had a moment to breathe I was keen to assess the impact so I started running some queries. Here is what I found:

Posts sent per hour by Buffer users

[Chart: posts per hour]

Note: The dip around the 25th was a separate issue (a bug we accidentally introduced) that resulted in delayed posts.

As you can see, normal posting volume dropped significantly in the early hours of the 27th, right around the time of the spam attack.

Posts sent per day by Buffer users

[Chart: Buffer posts daily]

This chart shows the real impact more clearly. We saw a big decrease in posts sent with Buffer around the hacking incident.

Interestingly, posting volume has returned almost to normal levels after just a few days.

Weekly downgrades from the paid plan since June

[Chart: weekly downgrades]

The number of downgrades from the $10/mo paid Buffer plan spiked in the week of the hacking incident.

The increase that week is 1.6x the normal number of downgrades we see.

Daily downgrades from the paid plan since October 1st

[Chart: daily downgrades]

This adds useful detail to the weekly chart above.

Most notably, while there was a real spike in the few days of the spam attack, daily downgrades dropped sharply back to normal levels.

Daily signups since October 1st

[Chart: daily signups]

This signups chart is one of the most interesting. The fascinating thing is that during the few days of our breach, we had almost record numbers of signups. This is perhaps due to our fortunate scenario of receiving positive press around how we handled the breach.

In the week since, our signups have dipped quite a lot. My hypothesis for this is that we halted our regular content marketing efforts on the main Buffer blog in order to focus on the investigation of the hacking incident.

Weekly upgrades to the paid plan since June

[Chart: weekly upgrades]

This chart shows that upgrades to our paid plan are almost completely unaffected by the hacking incident. It seems the breach didn’t deter people from upgrading to the Awesome Plan. You can see in the chart that we received almost exactly the same number of upgrades in the week of the hacking as in the week before.

I hope these insights might be interesting. Let me know if there’s anything else you’re curious about and I’ll see if I can dig up the stats!

  • http://www.TishBriseno.com/ Tish Briseno

    I’m on the free plan and I already plan to upgrade to the Awesome plan to continue to support your efforts. I think you can tell a lot about a company by the way they handle bumps in the road. If they work hard to fix it and learn from it - stick with them, they’re going places! And you guys are going places! :)

    • http://joel.is/ Joel Gascoigne

      Wow, that’s really amazing to hear Tish. Thanks so much for your kind words and support :) Let me know if I can ever help with anything!

  • twbrooks

    Hi Joel, I’d be curious to see stats on aggregate click-thru rates. Specifically, did the click-through rate of the users impacted drop in the days following the event? Did the user accounts see a negative impact in click-thrus that may denote “lack of trust” in the brands that use Buffer?

    Props on handling the event! I’m just curious. :-)

    • http://joel.is/ Joel Gascoigne

      That’s a great question. This one might be a little hard for us to gather. Good thinking though!

  • http://blog.gleep.org/ andrewwatson

    If you’re still outsourcing your database to a third party I’m not using your service. If I had known you were doing that before I’d have never signed up in the first place.

    • http://joel.is/ Joel Gascoigne

      Hey Andrew, totally understand that. We’re definitely thinking a lot about this right now, and I appreciate your concern. If you want to ask anything, just let me know!

  • georgek1029

    Had this not been posted on news.ycombinator.com I might never have heard about Buffer.

  • http://www.lylemckeany.com/ Lyle McKeany

    Hi Joel. I’m curious how the incident affected your users’ accounts (i.e. their follow/unfollow and like/un-like stats from Twitter and Facebook). I’m not sure that type of data is readily available to you, but it would be interesting to see. Also coupled with that, how Facebook treated those users’ posts after the incident occurred. I know I have experienced mixed results with my posts to Facebook when using Buffer, which leads me to believe that they get treated differently than if I just posted directly to Facebook via web or mobile.

  • http://natekettles.com/ Nate Kettles

    Very interesting, I particularly liked your analysis of the metrics. Thanks for sharing this company info for us to learn.

    • http://joel.is/ Joel Gascoigne

      Absolutely Nate, my pleasure. Glad it was interesting to read!

  • rhaphazard

    Glad to hear you guys are back on track.
    I rely on your services quite a bit, so happy to see the business overall improving.