How to Say “We’ve Been Hacked” (Without Setting the Building on Fire)
Learn How to Communicate API Security Incidents Like a Professional
Let’s face it: No one wants to be the bearer of bad news.
But when an API security incident happens, you don’t have the luxury of staying quiet. You’ve got to tell stakeholders—fast. And if you do it wrong, you’ll end up with a room full of panicked execs, angry customers, and a PR nightmare.
So, how do you communicate an API security incident without setting the building on fire? Let’s break it down.

Step 1: Don’t Panic (But Do Move Fast)
First things first: Take a deep breath.
Yes, the sky feels like it’s falling. Yes, your stomach is in knots. But freaking out won’t help. Here’s what will:
1. Assess the damage.
   - What data was exposed?
   - How many users are affected?
   - Is the breach still happening, or is it contained?
2. Activate your incident response plan.
   (You do have one, right? If not, we’ll talk later.)
3. Gather your facts.
   Stakeholders don’t want guesses. They want answers.
Step 2: Know Your Audience
Not all stakeholders are created equal. Tailor your message to who you’re talking to:
For Leadership:
What they care about: Money, reputation, and liability.
What to say:
“Here’s what happened, here’s what we’re doing, and here’s how much it’ll cost.”
Keep it high-level. They don’t need a crash course in OAuth.
For Customers:
What they care about: “Is my data safe?”
What to say:
“We messed up. Here’s what we’re doing to fix it. Here’s how we’ll protect you moving forward.”
Be transparent, but don’t overshare.
For Your Team:
What they care about: “What do I need to do right now?”
What to say:
“Here’s the plan. Here’s your role. Let’s move.”
Step 3: Be Honest (But Not Too Honest)
Here’s the golden rule: Transparency builds trust. Over-sharing breeds chaos.
Do:
- Admit the breach.
- Explain what’s being done to fix it.
- Offer a timeline for updates.
Don’t:
- Blame the intern.
- Say “We don’t know” without following up with “But we’re finding out.”
- Promise it’ll never happen again. (Because it might.)
Step 4: Have a Post-Incident Game Plan
Once the dust settles, stakeholders will want to know: “How do we make sure this never happens again?”
Here’s your script:
- Root cause analysis: “Here’s what went wrong.”
- Action plan: “Here’s how we’re fixing it.”
- Long-term strategy: “Here’s how we’ll prevent this in the future.”
Pro tip: Use this as an opportunity to push for better API security tools, training, or processes.
Your Action Plan
1. Prep your incident response plan. (If you don’t have one, let’s fix that ASAP.)
2. Draft your comms templates now. Don’t wait for a crisis to figure out what to say.
3. Practice. Run a mock incident with your team. Trust me, it’s worth it.
Need help? Let’s jump on a call and get your incident response game tight.
Next Up:
“How to Make Your Devs Care About Security (Without Bribing Them with Pizza)”
In our next newsletter, we’ll dive into how to build a security-first culture that your devs actually want to be part of. Trust me, you won’t want to miss this one.
Follow me on LinkedIn for more tips, tricks, and occasional rants about API security.
Talk soon,
Damilola