I did cyber incident response full time for a few years and part time for several more, and what I saw this weekend was, for the most part, the kind of action that we always recommend and that never gets taken. For most incidents, the initial response should be some flavor of the following steps:
1. Understand, as quickly as possible, that you have an incident, and communicate this to internal and external stakeholders. Obviously the decision about exactly who the stakeholders are is highly variable, depending on an incredibly long list of considerations -- I wouldn't recommend everyone go public; in many cases that is exactly what not to do. But if the cat is out of the bag (that is, say, if a half-million of your customers are now advertising diet pills in their social media timelines), this decision may have been made for you.
2. Understand, as quickly as possible, the initial scope of the incident (much of what you learn and assume in these early hours will be wrong, but you should work hard to get the most complete sense of what is happening and what systems are affected -- you'll be coming back to this step repeatedly).
3. Once you have a scope, devise a plan to, in this order, stop the bleeding, secure what you have, and re-assess the scope and breadth of the incident.
4. Develop an understanding of your available resources as mapped to the plan you've just made, and determine the deltas between what you have and what you need. This requires a brutally honest self-assessment, and almost certainly must be something you've considered in advance; you can develop this awareness after the fact, but you're increasing exponentially the cost of the incident response -- put another way, every dollar you spend doing this work in advance is worth $5 when the defecation hits the ventilation.
5. Work with partners to fill the gaps between what you have and what you need. Rapidly.
6. Repeat the last four steps until you feel you have positive control.
7. Continue to communicate what you know, when you know it, to appropriate and appropriately growing groups of stakeholders. Don't make promises you can't keep or statements not based on fact, but don't go silent while you gather facts if stakeholders are visibly or audibly nervous. "We have had a security incident that we understand has affected ____________, and with our staff and partners we are working quickly to determine the extent of the damage and we will report back regularly with progress," is much better than not saying anything and allowing speculation to fester.
So how did Buffer do against these concepts? Pretty fantastically well. Soon after they knew they were hacked, Buffer management and staff took to Twitter and Facebook announcing the problem. Joel Gascoigne wrote a blog post entitled, "Buffer has been hacked - here is what's going on", in which he said in part,