I tried bringing attention to this in <a href="https://news.ycombinator.com/item?id=13344039" rel="nofollow">https://news.ycombinator.com/item?id=13344039</a><p>At least two people replied in the vein of "nothing to see here".<p>Now they have finally updated their canary statement (this was back in 16 Feb 2017).<p>They have added the following text:<p>> Q: Why didn't you update your canary on time in the winter of 2016?<p>> A: The canary was so broad that any attempt to issue a new one would be a violation of a gag order related to an investigation into a DDoS extortion ring and ransomware operation[0]. This is not desirable, because if any one of a number of minor things happen, it signals to users that a major thing has happened.<p>So, in my mind here's the lessons:<p>A) ignore missing canary statements at your own peril<p>B) orgs that have sloppy canary releases devalue their canary statements.