This article is from the source 'nytimes'.

You can find the current article at its original source at https://www.nytimes.com/2020/04/20/technology/zoom-security-dropbox-hackers.html

Zoom’s Security Woes Were No Secret to Business Partners Like Dropbox
One year ago, two Australian hackers found themselves on an eight-hour flight to Singapore to attend a live hacking competition sponsored by Dropbox. At 30,000 feet, with nothing but a slow internet connection, they decided to get a head start by hacking Zoom, a videoconferencing service that they knew was used by many Dropbox employees.
The hackers soon uncovered a major security vulnerability in Zoom’s software that could have allowed attackers to covertly control certain users’ Mac computers. It was precisely the type of bug that security engineers at Dropbox had come to dread from Zoom, according to three former Dropbox engineers.
Now Zoom’s videoconferencing service has become the preferred communications platform for hundreds of millions of people sheltering at home, and reports of its privacy and security troubles have proliferated.
Zoom’s defenders, including big-name Silicon Valley venture capitalists, say the onslaught of criticism is unfair. They argue that Zoom, originally designed for businesses, could not have anticipated a pandemic that would send legions of consumers flocking to its service in the span of a few weeks and using it for purposes — like elementary school classes and family celebrations — for which it was never intended.
“I don’t think a lot of these things were predictable,” said Alex Stamos, a former chief security officer at Facebook who recently signed on as a security adviser to Zoom. “It’s like everyone decided to drive their cars on water.”
The former Dropbox engineers, however, say Zoom’s current woes can be traced back two years or more, and they argue that the company’s failure to overhaul its security practices back then put its business clients at risk.
Dropbox grew so concerned that vulnerabilities in the videoconferencing system might compromise its own corporate security that the file-hosting giant took on the unusual step of policing Zoom’s security practices itself, according to the former engineers, who spoke on the condition of anonymity because they were not authorized to publicly discuss their work.
As part of a novel security assessment program for its vendors and partners, Dropbox in 2018 began privately offering rewards to top hackers to find holes in Zoom’s software code and that of a few other companies. The former Dropbox engineers said they were stunned by the volume and severity of the security flaws that hackers discovered in Zoom’s code — and troubled by Zoom’s slowness in fixing them.
After Dropbox presented the hackers’ findings from the Singapore event to Zoom Video Communications, the California company behind the videoconferencing service, it took more than three months for Zoom to fix the bug, the former engineers said. Zoom patched the vulnerability only after another hacker publicized a different security flaw with the same root cause.
Zoom’s sudden popularity — nearly 600,000 people downloaded the app on a single day last month — has opened it to increased scrutiny by researchers and journalists and forced the company to grapple with a rash of security incidents.
Three weeks ago, the F.B.I. warned that it had received multiple reports of trolls hijacking public school classes on Zoom to display pornography and make threats — malicious attacks known as “Zoombombing.”
Last week, Vice’s Motherboard blog reported that security bug brokers were selling access — for $500,000 — to critical Zoom security flaws that could allow remote access into users’ computers. Separately, hackers put up more than half a million Zoom users’ passwords and user names for sale on the so-called dark web.
On April 1, Eric S. Yuan, Zoom’s chief executive, said the company would devote all of its engineering resources for the next 90 days to shoring up security and privacy. Last week, the company announced a revamped reward program for hackers who find security flaws in its code. Mr. Stamos said Zoom was also working on design changes to reduce the potential risks of security flaws and abuses like Zoombombing.
In a statement, Zoom said it appreciated “the researchers and industry partners who have helped — and continue to help — us identify issues as we continuously seek to strengthen our platform.” It added that the company was “proactively working to better identify, address and fix issues.”
In a statement, Dropbox said it was “grateful to Zoom for being the first to participate” in its vendor bug bounty program. It added that Dropbox itself used the videoconferencing service for internal meetings and that Zoom had become “a critical tool in keeping our teams connected.”
Before Zoom’s initial public offering in 2019, Dropbox made a $5 million investment in the company. Separately, Bryan Schreier, a Dropbox director, is a partner at Sequoia Capital, which made a $100 million investment in Zoom before the initial offering.
Even critics acknowledge that Zoom remains the most user-friendly videoconferencing service on the market and has become a crucial communications tool during the pandemic. Security researchers also praised Zoom for improving its response times — quickly patching recent bugs and removing features that presented privacy risks to consumers.
Zoom is hardly the first tech company whose sudden surge in popularity exposed its problems. Microsoft, Twitter, Google, Facebook and Uber have all settled federal charges related to consumer security or privacy.
What is different about Zoom is the unusual role that another tech company — Dropbox — played in pushing the videoconferencing service to address its security weaknesses. Details on Dropbox’s role have not been publicly reported before.
Many companies, including Zoom, have “bug bounty programs” in which they pay hackers to turn over flaws in the company’s own software code. But Dropbox, which has integrated its file-sharing services with Zoom, did something novel.
Starting in 2018, Dropbox privately offered to pay top hackers it regularly worked with to find problems with Zoom’s software. It even had its own security engineers confirm the bugs and look for related problems before passing them on to Zoom, according to the former Dropbox engineers.
Hackers have reported several dozen problems with Zoom to Dropbox, the former employees said. These included moderate problems, like the ability for attackers to take over users’ actions on the Zoom web app, and more serious security flaws like the ability for attackers to run malicious code on computers using Zoom software. Dropbox also put in its own controls to ensure that its integration with Zoom did not present risks to Dropbox users.
Zoom’s reputation for security weaknesses began to spread within Dropbox, the former engineers said.
As part of an annual companywide hacking competition in 2018, Dropbox engineers created a knockoff of Zoom — they called it “Vroom” — and challenged employees to hack it. The Dropbox employees successfully obtained Vroom meeting codes, which would have allowed them to crash hypothetical Vroom meetings. The idea of the exercise, former Dropbox employees said, was to teach Dropbox engineers to avoid making some of the security mistakes that Zoom had made.
Some former employees said Dropbox had also prompted Zoom to introduce additional security measures, including a virtual waiting room feature that now allows meeting organizers to vet participants before letting them into a videoconference.
“I have no doubt that Zoom was better able to address the current ‘zoombombing’ craze thanks to Dropbox’s early” involvement, Chris Evans, a former head of security at Dropbox, wrote in an email to a reporter.
Dropbox employees weren’t the only ones finding problems. In late 2018, David Wells, a senior research engineer at Tenable, a security vulnerability assessment company, uncovered a serious flaw in Zoom that would have allowed an attacker to remotely disrupt a meeting — without even being on the call. Among other things, Mr. Wells reported that an attacker could take over a Zoom user’s screen controls, enter keystrokes and covertly install malware on their computer.
Mr. Wells also found the vulnerability allowed him to post messages in Zoom chats under other people’s names and kick people off meetings. Mr. Wells, who reported his findings directly to Zoom, said Zoom had quickly patched the flaws.
In early 2019, Dropbox sponsored HackerOne Singapore, the live hacking competition. To put pressure on Zoom to take security more seriously, former Dropbox engineers said, Dropbox included the videoconferencing service among companies for which it offered bug bounties at the event.
Even before the event began, one hacker reported a major vulnerability to Dropbox that could have allowed attackers to pose as Zoom over Wi-Fi and secretly observe users’ video calls, the former Dropbox engineers said.
Soon after, the two Australian hackers, an engineer and an executive at Assetnote, a security company, uncovered the flaw that would have allowed an attacker to covertly take complete control of certain computers running Apple’s macOS, according to a blog post published by the hackers.
The discovery was particularly jarring because attackers could have used the Zoom vulnerability to gain access to the deepest levels of a user’s computer.
But Zoom did not quickly address the flaw. Instead, the company waited more than three months until a third researcher independently uncovered and publicized a separate, less serious issue, with the same underlying cause.
Mr. Yuan, Zoom’s chief executive, subsequently wrote a blog post in July apologizing for the delay.
“We misjudged the situation and did not respond quickly enough — and that’s on us,” Mr. Yuan wrote. He added: “We take user security incredibly seriously.”