Our Company Was Worth $6 Billion. We Shared Passwords Over Slack. | Cerby
Identity Security
Our Company Was Worth $6 Billion. We Shared Passwords Over Slack.
Patrick Chen
Head of Demand Gen & Marketing Ops
6 minute read ·
Apr 23, 2026
Table of Contents
Share
Link copied!
Ready to see what Cerby can do for your disconnected apps?
Book a Meeting
Okay, not the passwords themselves (those were in a Google Sheet, naturally). But we did Slack each other 2FA codes. Which is basically the same thing.
And it wasn't some scrappy five-person operation. This was a company with over $1B in funding, with smart people, real infrastructure, and no shortage of resources. The way we managed access to our brand's social media accounts was: someone had the password, someone had the phone, and everyone else had to ask nicely.
The Login Circus
I was on the marketing team at a well-funded, high-growth startup that had reached a $6 billion valuation. At some point, it became my job to update our social media bios — simple stuff, just keeping the copy fresh across Instagram, TikTok, X, YouTube. At most, an hour’s worth of work, theoretically.
In practice, it meant getting the password from our shared spreadsheet. Then logging in and immediately hitting an MFA wall. Then Slacking our social media guy to get the 2FA code, which had been sent to his phone. Then staying logged in on that exact device, on that exact browser, forever. Because if I ever logged out or tried from a different device, the whole comedy would start again.
This was a $6 billion company. With a small marketing team, sure, but still. The idea that access to our brand's social accounts was being managed through a chain of Slack messages felt insane even at the time. I can only imagine what this looks like at a company with fifty people in marketing, six agencies, contractors in three time zones, and twenty brand accounts across eight platforms.
Why Running Meta Ads Required a Zoom Call and a Driver's License
The social bio thing was annoying. This next one was genuinely alarming.
I needed access to our Meta Business account so I could start running paid ads. Seems simple, right? It wasn't.
Nobody on the current team could grant me access. You need an existing admin to approve it, and it turned out the only person with admin rights was one of our co-founders. Fine. I sent him a request. Except he hadn't logged in to Meta in a long time, so Facebook didn't recognize him and made him verify his identity. Which meant I had to get on a Zoom call with him, walk him through the process, watch him photograph his driver's license, and wait for Facebook to confirm it was really him.
Eventually, it worked. I got my access. I ran my ads.
One week later, that co-founder left the company.
I caught myself thinking: what if I had asked a week later? Would anyone have access to that account? Would the company have been locked out of its own Meta Business Manager and, by extension, its entire paid social operation? Would the answer have been “well, we’ll just have to wait and try to recover the account through Facebook support,” which, if you've ever done that, you know is its own special circle of hell?
The answer, almost certainly, is yes.
And this wasn't a one-off. This is how most social media accounts get managed: one person owns the login, a few others share access out of convenience, and when that person leaves — whether they're an employee, a contractor, or an agency contact — everyone else finds out the hard way. The account doesn't transfer. It just becomes inaccessible. Or worse, it stays accessible to someone who's no longer supposed to have it.
The Website That Went Down
Here's the part I still feel bad about, even though I tried to do everything right.
When I left, I was conscientious about offboarding. I made a list. I made sure other people had access to the accounts I owned: Braze, AppsFlyer, the marketing tools I lived in every day. I sent emails. I documented things. I was, by any reasonable standard, a good leaver.
I forgot about Vercel.
Vercel is the platform that hosted the company's website. My manager had given me admin access at some point, but during my time there, she ended up leaving the company. I became the only admin left on the account.
A few months after I left, I started getting frantic messages. The Vercel contract had lapsed. The renewal notice had gone to the account. Nobody could access the account to pay it. The website went down.
A $6 billion company's production website. Down. Because one ex-employee forgot he was an admin on a platform, and nobody had a system to catch it.
The kicker? Vercel does offer enterprise-grade identity controls, including SAML SSO and SCIM, which together would have meant the account was tied to the company's identity system, and my access would have been removed automatically when I left. But at the time, those features were only available on their enterprise plan, which we...