On April 3rd, Ali Abdaal's email list got hit.
Scammers found a plugin vulnerability on his site, got into his email platform, and sent 3 fake "crypto airdrop" emails to his entire list before he could stop it.
Then he wrote one of the best crisis emails I've seen.
Here's what he did right:
He moved fast and said so. Clear timeline, specific mechanism. Readers don't fill silence with grace. They make assumptions, and they’re often not kind.
He told them exactly what was exposed. Email address and first name. He didn’t hedge with, "limited information may have been accessed." 🙄
He told them what his team was doing in the aftermath. Revoked APIs, reset passwords, and started working with their ESP.
He told them what to do. Don't click links from his domain. And here's what a real email from him looks like.
The close was human, not legal. No boilerplate legalese. He said he was sorry and didn’t downplay the situation.
“You've been kind enough to let me send emails straight to your inbox, and I don't take that lightly.”
His list almost certainly came out of this more trusting than before, which unfortunately often isn’t the case.
Crisis emails are no exception to good email writing. They need specificity, a real human voice, and often a CTA. All the same pieces, just higher stakes.
Standard crisis emails read as if “Todd the Template” wrote them. This one read like a person talking to one subscriber. That's the whole game.
One thing worth doing before you ever need it: draft a crisis email template now in your voice. During a breach is the worst time to find your voice.
Until next time,
Braden & Jon
MODULR Marketing