HACKER Q&A
📣 _u844

Ex-Employer gossiping I “hacked” their platform – what to do?


I am really at a loss right now. I worked for a startup for two years and put my heart and soul into helping build the company as a senior manager.

I ended up quitting about 2 months ago to focus on relaxing during the holidays and spending time with my family (did not take a vacation) before seeking a less intense position.

Some old members of my team have come forward to inform me that there was a set of data breaches on the platform and the internal answer was to not announce it and put the blame on me. From what I am told there is no proof other than a geo location that points to where I (and multiple other employees) live.

I reached out to the CEO and basically the first question was who was it to leak this and then basically a statement that the company did not accuse me of anything and there is nothing that can be done about the gossip. When I left the company I took every precaution to revoke my credentials and return my equipment promptly. I now know I cannot use anyone at my current employer as a reference and feel these false accusations will greatly damage my future employment opportunities. I am currently having meetings with attorneys on how to protect myself but figured I'd ask the community if anyone has ever gone through this.


  👤 Juliate Accepted Answer ✓
Been there myself and seen it in other places too.

It can actually be a good filter, prospect-wise: a company that does gossip about/blame an ex-employee for some of their failures is advertising their own lack of agency.

If they were smart, they wouldn't gossip, and not even let the gossip go. That's very bad strategy, both internally and externally.

If they're not, well, I can't tell you what to do.

What happened to me:

1. first I spent several horrible months expecting my whole career to be over;

2. until I realized my ex-employer and its own reputation in the field was totally irrelevant and could not harm much my reputation (or better yet, act as a useful filter);

3. when looking for employment, when relevant, I explicitly mentioned this experience and what came with it, and what I was then looking for in a new company/position/team, so that I was the first to pitch what did happen and how I reacted to it.

It served me well. Those that listened to my story and took the time to understand it turned out to be great teams to work with. Those that dismissed me on the spot, well... I can't say really - but what I heard of afterwards from ex-employees was kind of reminiscent. :)


👤 thrwaway999
A similar situation happened to me several years ago. My former employer claimed I was involved in a data breach a year after I quit. The FBI raided my home and questioned me for hours about what I knew. I was not involved and had no knowledge of any incident.

I would strongly urge you to retain counsel with a criminal defense attorney and seek to squash this as soon as possible.

When a company claims that someone, especially a former employee, is involved in criminal activity, they will point guns at you and ask questions later. In the eyes of law enforcement, you are presumed guilty.


👤 _u844
OP here. Thanks for all the advice, it's honestly been helpful and eye-opening.

To clear up a few things.

- The comments from the CEO were via text and more "I would have called you if I thought you did something" and "I'll talk to them but I don't know what more I can do". TBH I was angry and not exactly cordial in my communication.

- From what I understand the "hack" wasn't my credentials but someone logging in near where I live with the CEO's credentials and changing some settings in the admin. This honestly is what scares me the most... everything in the admin is (or at least was while I was there) soft delete only with 5 minute interval database backups. The action has a potential to ruin my life but the actual impact is basically a mild annoyance to the company... at this point I get concerned about sabotage.

- In terms of defamation apparently certain individuals thought it'd be funny to take where I live and put it up on one of the system monitoring screens for the whole company to see. Currently I am seeking counsel to both protect myself and see if this action is something that is worth responding to.


👤 m-p-3
Looks like the kind of employer you might not want to use for references anyway, but I'd gather as much evidence of that gossip as possible, talk to a lawyer and have him/her reach the company to cease propagating this gossip, which could as well be considered defamation. If they believe they've been wronged and something wrong actually happened, then they should bring those facts with proofs to back them up.

👤 citilife
I have been in the same situation a few times, even at the company I still work at.

The truth is, it's in no one's best interest to drag this out. They'll do an investigation and only if they have solid evidence will anything come of it. In my case, I did nothing wrong and there was no evidence. Someone accused me of something I didn't do or coincidence(s) led to me being investigated (common in the area I work, actually).

Nothing came of it, because nothing happened on my end. However, it was a nerve-racking experience. Especially, because you never know if something is an accident or mistakenly evaluated.

In a case I'll share, we used a ruby on rails scaffold to create a web app. Unfortunately, it had a mailer in there and looked like we could send emails out. It wasn't active and all generic code "hello world", but you can see how people freaked out. Luckily, those investigating dug into the code and evaluated it, realizing nothing was connected.

In any case, if you did nothing, I'd put your odds at 99.9% chance nothing happens. In the 0.1% chance the company does something, they'll have the burden of proof and their customers will find out. Accusations do not prove guilt. The company would likely be more harmfully impacted than you will and you'll be able to provide a defense to the public record.


👤 michannne
> I reached out to the CEO and basically the first question was who was it to leak this and then basically a statement that the company did not accuse me of anything and there is nothing that can be done about the gossip.

If it was a formal statement then you have nothing to worry about. If the slander is getting to you mentally, you could seek legal counsel but sounds like they can't actually do anything to you.

If it was not formal, and there is a chance they can take you to court, then you need to get legal counsel, as you need to prep for defending yourself in court. If, as you say, they should not have anything which points to you being the malicious one here, then the hardest part is going to be the lawyer fees.


👤 tiku
Well if they even acknowledge it to you in writing you are in the clear. If they had real "proof" they would not have said this..

You could ask them formally to stop the slander and inform them that you will take legal action if you receive any more word of these rumours..


👤 throwaway527694
I don't know if this was your intention, but you posted this under your real name. Under the same account you posted an article that gives away your ex-employer.

If it is intentional, then why not say the company in the post?


👤 pulse7
One can hardly prevent gossip. You can do everything perfect and still get gossip... I would just move on and do quality work in another company...

👤 stuaxo
Get someone to ask them for a reference for you and see what it says.

👤 reilly3000
See if you can get them to demonstrate their false accusations by getting them to state that to a reference. Without that, you have no material damages to show, with it you have a case. Talk to an attorney. I’d be surprised if they would be so foolish as to try to wreck your future employment prospects over something you didn’t do.

👤 morpheuskafka
You should ask your friends if there is any hard proof of such a statement, like an email. If so, that could potentially be grounds for a defamation suit.

👤 davismwfl
I never had an old employer accuse me, but I did have a consulting client do almost exactly the same thing. It boiled down to a few people at the company that didn't like that we pointed out a lot of security issues on things which were not our direct work but was theirs. Basically we found a few major holes in a couple of their systems we had to do some integration work with and we documented the holes and gave it to the company as part of our deliverable. Well like after 6 months post our exit they had a breach through one of those systems. One of the PM's and a couple of devs accused my team of the breach because someone had used one of the open doors we identified. Literally they had an open port through the firewall to a database system that was unprotected (no password even) and had client data in it, yea Mongo's stupid default no user/password back then.

Essentially I did the same thing you did, reached out to the CEO, he denied they blamed me or my team and said there was nothing he could do about a few "bad apples" running their mouths. I disagreed and pointed out that what they say in a professional capacity about myself or my team as a result of our time there was something he can and should concern himself with. In the end, I did what everyone here is telling you, get a lawyer. It cost me ~$500 to protect our name and put an end to it, essentially we sent a cease and desist letter and some wording on potential damages given our work and what was being said. That letter only got one response which was they had addressed the employees and agreed my team had nothing to do with their breach. That was all I wanted, and it is what you should get because if it ever comes up you can show that to whoever asks. Took less than a week to resolve and we did work for that company again like 2 years later, guess who no longer worked there, the "bad apples" were all gone, but most of the rest of the team was still around including the CEO who brought us back. So it didn't cause us any damage long term with anyone other than we probably pissed off a few people that were already running their mouths a bit.

One last point. I have had people bad mouth me for a number of things over my career. Not once did it ever really hurt me professionally, mainly because I had a track record showing none of what they said was true. As a consultant I had lots of people pissed saying we were there to displace them, replace them etc etc (even old developers saying that cause they had ancient skillsets). I had articles in a few papers how we were destroying jobs through automation of services of a long term employer in a small town. None of it hurt us, it hurt our pride/feelings a little cause we knew what they were saying was false, but in the end none of it ever affected us professionally. In some cases it actually helped us get other work partially because people saw we didn't react and get defensive or go off the deep end. I am not advocating you don't defend your professional reputation, but just realize there is a time and place to, and a time and place to just let it drop.


👤 hnbreak
Been there many times and I think, that it's a bit normal when leaving a company/a powerful position within. People blame always the leavers for their own mistakes or being in a crappy company. Then, the biggest challenge is to let go and accept that you cannot do anything. Of course you could 'fight back'. And tbh, I still don't know what's better.

Fighting back is a hassle, proving defamation is hard, getting lawyers is expensive, suing and the following process can take years. And the outcome? From an economic view, it's always a no, also the distraction from stuff that really matters, for what? Fighting is great, some like it a lot, but it costs so much energy. Moving on feels more sane. However, in the long run, there's always a bitter aftertaste, just an odd feeling that you lost a fight. This feeling will stay with you for quite some time but it is often just in your head. Maybe the thing you are worrying about is not that big and not worth thinking one more sec about. You just don't know.

If there's a fool-proof way to fight + win something significant + in a short time frame, fight. Otherwise, get busy, get on new projects and once you are on a better position/in a new company you forgot them anyway.

So, asking us was a good first step to get a bit busy, get an achievement (getting on the front page) and out of racing thoughts. Now, keep on, write the next Ask HN about some tech, ask 10 peers for a coffee after new years eve, build a gaming pc, do whatever keeps you busy.

Edit: Not sure if you can trust the CEO but from what he wrote he sounds ok/friendly and he doesn't care (which is good, because if one of them would decide to sue you it would be him).


👤 thrownaway954
See if you can get your friends to put their statements in an email or text message. After that, consult a lawyer with the evidence and perhaps sue for slander. I wouldn't take this lightly. This could damage your chances of getting a job in the future if a potential employer calls them.

👤 ohyes
Announcing that they're so incompetent that they failed to revoke a former employee's credentials is pretty dense.

Talking to lawyers is the right thing to do. You don't want this gossip to become a legal issue for you. Collect detailed notes on when and where you turned in hardware, when / what credentials you had revoked, and to whom you delivered these things and informed about them. Just because you didn't perpetrate the hack doesn't mean that someone else wasn't using your hardware for something nefarious. I normally insist that a work laptop be wiped (obviously with all relevant work product handed off first) before I turn it in.


👤 craftinator
Legal protection is a great start. I would also say that most hiring managers understand that there are crappy companies out there, and that doesn't mean that all employees coming from them are bad news. I'd suggest for future interviews using the company as a reference, being direct that there was an issue with workplace culture and that you are excited about the culture of the prospective company. I would also recommend having some notes written down about the issue in the case that the hiring manager brings it up; if they know about it, they will probably ask, and if not then they probably never will.

👤 reaperducer
Wow. Something similar happened to me a while ago, and I'm surprised and relieved by the replies in this thread to find out that I'm not alone. I thought it was just me.

My advice: Ignore it. There's enough churn on both the company and personnel level in the industry that it will all be soon forgotten. Tech is not a close-knit group of people who know other people. It's millions of people joining and leaving companies, and hundreds of thousands of companies opening and closing each day.

The gossip is just bird poop in the paint can. Eventually after enough stirring it will disappear.


👤 honkycat
Have your attorney contact them.

The CEO should issue you an apology and they should make an internal announcement explicitly stating that you are not suspected of any wrongdoing, and that it is wrong to accuse you further.


👤 newnewpdro
Are you sure you're not just overreacting over what's essentially tongue-in-cheek internal speculation based entirely on coincidence of your departure and the breach?

👤 harrisonjackson
There's already some good advice in the thread for the OP.

I'll add-on that this should not have been an issue in the first place. The company should be protecting their customers better than this. It is already a failure of the process when employees are _maybe_ revoking their own creds on the way out. Not to mention what other issues actually led to the breach.

I'd also suspect a current employee (I feel sick even typing that out) before one that has moved on months ago.


👤 ww520
That sounds horrible. It might be best to talk to a lawyer, just in case.

In my case, a former client accused me of not giving them the source of a product released earlier. The old product was in the git history after a pivot, which I had given instruction on how to get back to a release tag. Luckily I could quote old emails that I sent to them.


👤 lidHanteyk
In he-said-she-said situations, have a good story. Deflect:

> Ha, yeah, I did no such thing, but they certainly want a scapegoat, don't they? So, when I was there, lemme tell you about their data security practices...

Gain empathy:

> Right, it's understandable that they'd want to blame somebody. And who better than me, walking out the door, going to spend more time with my family?

And minimize:

> But yeah, there's no real meat to their complaint. No attorneys or anything. They're just upset that they got caught shirking their legal responsibilities.

You might be able to hand-pick a reference from your old team, but you're right to not automatically volunteer your old manager's contact information.

I have to be good at telling stories like this. My first employer used legal strongarm tactics to disenfranchise me of thousands of commits of code, and my second employer tried to pin a sexual-harassment claim on me and then fired me after I asked their head of HR to follow the law. Employers are dicks. Tell a story that lulls them to sleep.


👤 Ice_cream_suit
https://www.fastcompany.com/90304317/a-male-ctos-lessons-on-...

"5 things I’ve learned working with a women-dominated engineering team"

Make that six things that you have learned...


👤 sys_64738
You need a lawyer to send a cease and desist letter for defamation.

👤 matsemann
> was a set of data breaches on the platform and the internal answer was to not announce it and put the blame on me

In Europe this could be a violation of GDPR not to report it. If so, they would hurt themselves more by spreading this.

https://gdpr-info.eu/art-33-gdpr/


👤 lostcolony
So in the US, for software engineering jobs outside of DoD related stuff...I have yet to be asked for references (even then I don't think I was for being hired, just for the clearance, and that was more personal than professional). I would actually view being asked for them as a warning sign, given how useless they are (speaking as a hiring manager).

I wouldn't worry about it from that perspective. If you need to you can point out that the company hasn't spoken to the police even when you reached out to them with concern over it, or retained legal counsel, or etc...but chances are really good it's going to be a non-issue for future employment.

If they do eventually reach out to police, and assert it was you, it will be more interesting. That said, it doesn't sound like the kind of thing where they'd have a particularly compelling case.