From the original post:
> Worst still, as I navigated around the site I realized the email link I clicked logged me into “My Account”. This screen had lots of my personal information, home address, email, even my credit card number.
I think it is a joke.
Testimonials are the least of their worries.
I would have assumed that I'd be notified if sensitive information on Homejoy was sold to a third-party or "partner", but I should have probably read their privacy policy more closely when the shutdown notice came out.
[1] https://web.archive.org/web/20151023153644/https://homejoy.c...
www.flymaids.com. 3600 IN CNAME cleanerconnect.herokuapp.com.
cleanerconnect.herokuapp.com. 300 IN CNAME us-east-1-a.route.herokuapp.com.
us-east-1-a.route.herokuapp.com. 60 IN A 23.21.224.165
Would the author have a case for emailing Heroku's abuse address and asking them to look into it or would this fall outside their purview? My hypothesis is that they'd want to know if their services were being used in a fashion that was creepy (for lack of a better descriptor).
Either way super weird and creepy.
Not that I approve ripping people off, but hard to sympathize with Handy when Handy treats (treated?) its employees and workers poorly.
As for the whole transferring over of assets without any secure certs, that's pretty shady and/or lazy not doing that.
Cue someone from said company posting, "oh sorry we're not ready for public and that accidentally got sent" without mentioning why they even have the author's data or why the author's credit card data was apparently sold off.
I have zero sympathy for HomeJoy. They failed, which is something I can have sympathy for. But they sold all their customers' private data without notifying them of this fact, and caused major security concerns in the process!
I'd like to see some kind of stronger YC influence on ethics in the companies they fund. I realize that YC doesn't have any direct control over the companies, but it could be as simple as including good ethics in the traits they look for in startup founders.
A while back I started compiling a list of YC companies that spammed or otherwise behaved badly. It quickly got back-burnered by other projects, but there was AirBnB from W09, InstallMonetizer and SocialCam from W12, Zenefits from W13, Abacus and GetAirHelp from W14, Gradberry and OmniRef from W15 ... while so far it looks like the majority of YC startups are well-behaved, the trend was looking like there's a few in every batch that are willing to do shady things to meet their growth metrics.
Or, in Homejoy's case, maybe make a little more money while winding down.
Updated Date: 27-oct-2015
Creation Date: 08-oct-2015
They be baffled by the page views they be getting! Would this be considered as "any publicity is good publicity"?
It's also possible one of the founders just spun up the new service themselves and copied over all of the customer records. If so, they may want to prepare to be sued by their previous investors.
It's one thing to fail after giving it the good ol' college try, but it's another entirely to strip the copper out of the walls on your way out.
Speculation aside, they should put out a statement to clarify the relationship between the companies and what's going on with their customers' data.
Like don't reveal unnecessary information if you don't have to. It's low effort, high risk.
This is a really scummy move, and the person behind it should be publicly humiliated so that they understand the error of their ways.
Whoever it was, they clearly capitalized on the market opening left in Homejoy's wake. A quick
whois flymaids.com
yields
Domain Name: flymaids.com
Registry Domain ID: 1966895891_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2015-10-08T04:34:58Z
Creation Date: 2015-10-08T04:34:58Z
Registrar Registration Expiration Date: 2016-10-08T04:34:58Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
...
Registrant Organization: Domains By Proxy, LLC
...
The site was only created in the last 3 weeks, and it was registered by someone who wanted to stay anonymous (which is, in fairness, very reasonable - Homejoy cofounder or not. Certainly not enough to draw a conclusion).
It would be an interesting offering even if there isn't any weight behind it. Sometimes I think the message, "Hey, maybe we should all think about what we are doing and whether or not it is in the best interest of something besides our bottom line" isn't something that is brought up/told to a lot of founders. However, whether or not they listen is totally up to them and I am fine with that.
The difference with these local cleaning businesses is that they are developed and run by amateurs, who oftentimes copy each other (or the successful giants) down to the wording on the websites, with minor branding changes. They tend to be super low-budget, so Fly Maids probably paid some "web developer" $500 to develop their website and paid zero attention to security, PCI compliance, and so on. They then purchased a bunch of LA-based user accounts from the now-defunct Homejoy, who of course did not perform any due diligence.
Shitty situation to be sure. I definitely lost respect for the Homejoy founders, and will probably stay away from their next venture.
If someone just copied the db and then sold or gave it on the sly, investors of former unaware, then, yes, problematic. But if it was a transaction approved by the principals of the former, unfortunately, there aren't stipulations about commutability of customer data, are there?
It could be a phishing scheme that attacked your saved login information then placed that on a dummy site in hopes that you may provide even more data.
EDIT: They could have sold / transferred user data... but I don't know how they would automatically authenticate you without using some previously stored data that you, maybe unknowingly, gave them access to.
> You may contact us as follows: support@flymaids.com.com
Oh wait....
[Bonus points for saying they are incorporated in Delaware who has no record of a business by that name.]
*Edit- See below, I searched the company name on the Delaware website two different ways and they certainly do not have an active registration or even a name reservation.
Googling "Fly Maids, Inc" shows their terms and privacy pages w/last modified dates of 2013 and 2014 respectively.
@johnsalzarulo out of curiosity, try if your login works on homeaglow.com
f.e.: both logos are served from the same S3 bucket: https://s3q1w2e3.s3.amazonaws.com/brands/logos/fly_maids.png https://s3q1w2e3.s3.amazonaws.com/brands/logos/homeaglow.png
If you're used to thinking about this from our side of things, sure. For Random Person, they might think, "gee, this is neat! And they've already got my card number and everything!"
"In the USA/rest of the world (excluding the European Union), we are Fly Maids, Inc. (doing business as Fly Maids), a Delaware corporation with our head office at 2711 Centerville Road, Suite 400, Wilmington, New Castle County, Delaware 19808."
Trust me, it isn't there. I tried both the regular lookup and just a simple name reservation in case the paperwork hadn't gone through yet. No results for either.
The logo image was broken and I noticed an interesting path when viewing its `src` attribute:
https://s3q1w2e3.s3.amazonaws.com/brands/logos/
I wonder if this is a template theme or perhaps some sort of parent company that has many brands.
Let's not break out the pitchforks until we know who to point them at.
"a company incorporated in England and Wales (registration number 8883585) with its registered office address at 14 Whittonditch Road, Ramsbury, Marlborough, Wiltshire, United Kingdom, SN8 2PY."
https://s3q1w2e3.s3.amazonaws.com/brands/homeaglow/img/favic...
The logo itself is ripped I think, or from stock, there's reverse matches for it from 2014.
http://bebeportraits.com.au/wp-content/uploads/2014/04/logo....
https://lh3.googleusercontent.com/-8QSBC-8UyqA/AAAAAAAAAAI/A...
http://houseofsakeenah.com.my/wp-content/uploads/2014/12/pay...
https://1.gravatar.com/avatar/43a24e847abce572f34bf5e1af5228...
That said, my initial findings are that Flymaids is directly related to Homejoy. Under Privacy link of Flymaids it states "In the European Union, we are Fly Maids Europe Limited, a company incorporated in England and Wales (registration number 8883585) with its registered office address at 14 Whittonditch Road, Ramsbury, Marlborough, Wiltshire, United Kingdom, SN8 2PY."
If you look up the registration number at Wales Companies House, it shows owner as "HOMEJOY EUROPE LIMITED"
https://beta.companieshouse.gov.uk/company/08883585
FWIW, they changed their registered address on 8/7/15, ten days short of their announcing to cease operations: http://bit.ly/1kbHtyJ
That said, I looked on the Fly Maids webpage and they don't give the name of their corporation at all, they just show "© 2015 Fly Maids. All rights reserved." That means that "Fly Maids" could be a trademark, a fictitious name, owned by a corporation with a different name, or just owned by any random individual who hasn't registered his/her business. Another possibility is that Fly Maids is in fact registered as a corporation or LLC, but in a state other than Delaware. Yet another possibility is that "Fly Maids" is a fictitious name, and those are generally registered at the county in which they operate, and searching through each county's database would be an enormous task.
My point is: in any of the above cases it could be nearly impossible to figure out who is actually running this website. And failing to find a result in the Delaware Division of Corporations website really doesn't tell you much of anything.
And, as a relevant tangent: If you are really interested in finding out who owns/runs that website you could always sue Fly Maids. GoDaddy explicitly states in their Ts and Cs that they will give up owner information if there is a lawsuit brought against the owner...
----- Delaware Division of Corporations Entity Search link... https://icis.corp.delaware.gov/Ecorp/EntitySearch/NameSearch...
Also, nice to meet someone else obsessed with investigating incorporation documents. :)
http://www.flymaids.com/ http://cleanr.ca/ http://www.homeaglow.com/
My hunch is that there is more. They all seem to share a lot in common.
Credit for digging these up: https://medium.com/@bradbatt/their-css-references-brands-hom... https://news.ycombinator.com/threads?id=phonon
Don't blame YC just yet. We don't know what happened here. Maybe Homejoy went into debt, had their assets seized, and lost control (like with GigaOM). Maybe the investors approved or forced a reincorporation under another name. Maybe Handy bought the assets and is quickly trying to stem off churn. Or, yeah, maybe something unethical happened. Until we know what happened, though, it's all speculation.
>> It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account. Once supplied, Apple will issue a temporary password, and that password grants access to iCloud. <<
[Apple may have changed their policy meanwhile, but likely others did not]
Or, might be that our definitions of unethical don't match up 100%. I consider spam to be unethical, maybe you just mean more serious offenses.
The domain's WHOIS info lists:
Creation Date: 2015-10-08T04:34:58Z
----
As mentioned in Flymaids privacy policy, their "head office" in Delaware is actually offices to incorporate.com; a registered agent for out of state companies.
Also, a DBA search in Delaware returns nothing: http://www.courts.delaware.gov/tradenames/JICKioskSearch.asp...
One of the first employees of Homejoy was Daniel Hung https://twitter.com/danhung
Anyone want to tweet him and ask? :-)
> In the USA/rest of the world (excluding the European Union), we are Fly Maids, Inc. (doing business as Fly Maids), a Delaware corporation with our head office at 2711 Centerville Road, Suite 400, Wilmington, New Castle County, Delaware 19808.
Homeaglow copied and rebranded their own tech as Fly Maids to service this user list.
https://blog.ycombinator.com/founder-ethics
https://www.ycombinator.com/ethics/
"To maintain our community, if a founder behaves
unethically during or after YC, we will revoke their YC
founder status. This includes access to all Y Combinator
spaces, software, lists and events."
"We will stand behind you no matter how much your company
struggles, as long as you behave ethically."
I find it hard to believe this information was sold and if it was, were they storing credit card info in plain string format? Wouldn't each of those businesses need an encryption key to decrypt secure card numbers? Wonder if they sold that too. Either way props to John for posting this on Medium and of course Aloke on HN.
> I wanted to reach out personally [...]
So personally is going the way of literally, which literally does or does not mean literally [1].
I'm actually more concerned about the actual spam in my real world mailbox that USPS dumps 3 times a week, no opt-out button there.
But since you brought it up, cold outreach for B2B is not considered spam, as long as they comply with the following: https://www.leadfuze.com/cold-email-outreach-isnt-spam-heres...
Not everything legal is ethical, but in this case it seems more annoying than unethical. I hate cold outreach emails and my company doesn't send them, but concluding that YC doesn't care about being ethical because the former president of YC tweets about a company that sends cold outreach emails seems like a stretch.
>"These Terms of Service and any separate agreements whereby we provide you Services shall be governed by and construed in accordance with the laws of 112 Bagot St Toronto Guelph Canada m3k1v6." //
That's a pretty specific set of laws!! But it's not then the website of a UK company. FWIW in Europe legislation requires a business to have the business name and address for service on the website.
They also use a @gmail.com email address, which is low trust indicator for a business IMO.
It might be of note that Cleanr haven't updated their Facebook page, https://www.facebook.com/HomeCleanr/, since April 2015.
I beat this drum occasionally because I don't want to have to pit my meager resources against the resources of someone like YCombinator who are willing to provide funding (and introductions to enormous amounts of even more funding) to companies that are OK with spamming.
And I'm not including B2B cold emails as "spam", even if they're written as a template, so long as there's an actual human behind them and they aren't being sent out en masse (for example, Locbox: https://news.ycombinator.com/item?id=4672162).
(As my final word on it however, Zenefits specifically was not sending "cold outreach emails", it was bona-fide spam. But, they're far from alone in this anyway, which was my main point.)
The point is we just don't know at this point and perhaps we should refrain from doxxing the innocent until proven guilty.
> You're underestimating how far people are willing to go to appear legit. Showing logos of companies who aren't your clients -- or of publications that never mentioned you -- is common. They know most people won't check to verify.
...Along those lines: has anybody considered the possibility that the whole thing is an elaborate phishing site?
Here's an avenue for investigation which seems to be unexplored here: has Flymaids hired any maids, or contracted with them, or however that works?
We recently acquired the customer and service provider data from Homejoy.
We're a small team that has been focused on moving quickly while bootstrapping. We tried to quickly test different approaches, but we realize now that we did so in an unclear manner. We recognize the need to use the data we acquired responsibly. As a result, we're taking the site down, and we're going to do a better job with our testing moving forward.
> In the USA/rest of the world (excluding the European Union), we are Fly Maids, Inc. (doing business as Fly Maids), a Delaware corporation with our head office at 2711 Centerville Road, Suite 400, Wilmington, New Castle County, Delaware 19808. In the European Union, we are Fly Maids Europe Limited, a company incorporated in England and Wales (registration number 8883585) with its registered office address at 14 Whittonditch Road, Ramsbury, Marlborough, Wiltshire, United Kingdom, SN8 2PY. We will refer to these companies together as "Fly Maids", "we", "us" and/or "our".
(http://www.flymaids.com/privacy)
> In the USA/rest of the world (excluding the European Union), we are Homeaglow, Inc. (doing business as Homeaglow), a Delaware corporation with our head office at 2711 Centerville Road, Suite 400, Wilmington, New Castle County, Delaware 19808. In the European Union, we are Homeaglow Europe Limited, a company incorporated in England and Wales (registration number 8883585) with its registered office address at 14 Whittonditch Road, Ramsbury, Marlborough, Wiltshire, United Kingdom, SN8 2PY. We will refer to these companies together as "Homeaglow", "we", "us" and/or "our".
Looking at the error on the heroku page directly, and comparing everything from the license info, help console, website copy, it seems that they are all the same company, operating under different brandings.
The privacy agreements are what really get me though. Looks like they are identical, except the brand names:
http://www.homeaglow.com/privacy
http://www.flymaids.com/privacy
And if you go to http://cleanerconnect.herokuapp.com and inspect the broken icon, you get "https://s3q1w2e3.s3.amazonaws.com/brands/logos/". Looking at the two sites' logos gets you the same URL, with an actual filename:
https://s3q1w2e3.s3.amazonaws.com/brands/logos/fly_maids.png
https://s3q1w2e3.s3.amazonaws.com/brands/logos/homeaglow.png
And the two domains/common backend makes sense, if it is really just a CNAME you could detect what URL the user hits and plug in a few variables. The different IP addresses on the A record are what confuse me, but I don't know much about DNS configuration.
But yes, it seems that flymaids and homeaglow are the same company. And I don't think it's a stretch that homejoy was among those as well.
Interestingly it has been legal in one case.
http://money.cnn.com/2015/05/19/news/companies/radioshack-cu...
Now, I'm not a native English speaker, so I can't say if aarontcheung is misusing the term or not. Is this change happening to the English culture as a whole? Or am I reading way too many Silicon Valley articles?
* completely ripping off competitor business websites
* throwing PCI compliance and SSL encryption out the window
* generally treating our VC money purchased customers from our old firm like commodity dirt.
This one is gonna be a winner for sure.
You made a mistake, you know you made a mistake. Admit it, apologize, and move on. Your excuses or context probably aren't going to help your cause.
Are they all incorporated as the same entity, or are they all separate?
Are different founders of Homejoy working on different angles?
3.1 Keep cardholder data storage to a minimum by implementing data retention
and disposal policies, procedures and processes that include at least the
following for all cardholder data (CHD) storage:
Limiting data storage amount and retention time to that which is required
for legal, regulatory, and/or business requirements
Specific retention requirements for cardholder data
Processes for secure deletion of data when no longer needed
A quarterly process for identifying and securely deleting stored cardholder
data that exceeds defined retention.
These standards can be found here: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1....
You might be trying to reboot your business, but your Comms didn't say that you were dealing with the same company owners. You also appear to have ripped off a competitor's website.
You don't sound very trustworthy or reliable. If you can't keep to at least the PCI-DSS standards, what makes you think anyone can trust you moving forward?
Sometimes moving quickly isn't the best although most people say launch fast. Being that Homejoy didn't do well, why didn't you take time to research well what you want to do next instead of copying a competitor's site word for word?
Also, in the email to the person who wrote the article, you referred to flymaids as a "partner". Why not just come out and say it is your company?
Instead I genuinely hope that YC will force companies taking the 7% into a no selling on data policy; I'm not saying that is easy to write but I am saying this situation without response smears YC, something I'm sure could be avoided in future.
How does this violate PCI-DSS? The data itself is likely stored somewhere secure (who knows) – what's being displayed in the web app is the last four digits of the card and expiration date, this isn't where it's stored.
There is obviously a question of what the retention should be, but it's definitely the case that payment information can be transferred between companies.
The whole situation exudes a lack of trust, but it's not clear to me that PCI compliance is a problem here.
That being said, I spent 5 minutes researching Aaron Cheung and I was astonished by what I found. He has a Twitter account, but has posted exactly 0 times [1]. He has an HN account, but has posted exactly 0 times [2], and only commented twice (including today). He graduated from MIT in 2009 and this has seemingly been the only real job he's had for the past 5 years [3].
I think, from this perspective, I understand why Aaron is doing what he's doing. It doesn't make it right, not even close, but this person has lived and breathed the home cleaning space for his entire professional career. He may not have the slightest idea what else he could possibly do instead.
[1]: https://twitter.com/aarontcheung
[2]: https://news.ycombinator.com/submitted?id=aarontcheung
[3]: https://www.linkedin.com/in/aarontcheung
Edit: I'm certainly not claiming that people who are inactive on social media are bad people. But given the complete picture of what has been reported in the media, what was revealed today and the tone-deafness of his comment, I personally think this lack of engagement is part of the explanation.
The requirement is that card data is securely removed when it is no longer required. They are no longer billing customers at HomeJoy as the business has been wound up, so the credit card data should have been deleted.
Also: no customer has given them any right to have their credit card billed to an entirely new entity. Credit card information should not be transferred due to sale of customer data to an entirely separate legal business entity because no contract of sale has been established between the customer and that new entity.
The snippet you pasted says also:
... regulatory, and/or business requirements
A business that is going out of business may treat this data as a business asset and may need to retain it for a certain period even when they are inactive.
Most terms of service do allow for transfer of account information to third parties, and have contingencies for what happens to the data if the company goes under, and as far as I'm aware, selling that customer data is an option unless they've explicitly said they won't.
As long as the credit card data is transferred in a PCI compliant way, it's legal.
You're absolutely right that it would be a serious violation if they were to charge someone without their knowledge, it doesn't look like that's happened yet.
It's also quite possible the underlying business entity is still Homejoy with a name change. ZenPayroll* didn't have to get people's permission to charge them when they changed their name to Gusto, but it obviously helps to communicate that change very clearly!
I am pretty sure we generally agree, though, it's very clear that there are dozens of egregiously bad things being done by Aaron and his team that can only hurt them and their desired future customers.
*I said Zenefits :( :(
That might be a good choice for a large company, as they already have lawyers on staff, can afford to pay for a lawsuit, and have enough money to advertise away the reputational stain.
I'm not sure it's a good idea for a startup, though. Unless you are well funded, just dealing with a lawsuit could be fatal given the reputational cost, the legal bills, and the amount of founder time that will get soaked up. Personally, I'd try to be human and humane about it.
Now... how secure this transfer of tokens was, no idea. So there could be a DB dump somewhere with a token to my credit card, and anyone can use it to start charging from it. I'll keep an eye on my bills.
The medium article only shows info you can get from a Stripe card_id request. Not using https on that page is troublesome, but I don't think there's any evidence to suggest FlyMaids (or even HomeJoy) ever had access to actual CC information.
It seems more likely that this depends on Homejoy's ToS/Privacy Policy. (Although it's certainly possible the transfer was done in a way that violates Stripe's policies, I'm just not familiar with those)
Edit: It might even be the same business entity with different d.b.a names. Good discussion here: https://news.ycombinator.com/item?id=10468161
Why not get out now, lay low for a bit, take a job, learn another industry, and then save up to try again another day?
"Processes for secure deletion of data when no longer needed"
Those dot points aren't using a disjunction, they must ALL be followed. The standard is very, very clear on that point: once you don't need the data, you securely delete it.
That makes sense, incidentally. If you no longer have the data anywhere, then nobody can get to it even if they compromise your systems and gain access to your credit card lists.
If your company winds down and you no longer bill your customers, you are absolutely required by PCI-DSS (and good security practice!) to delete that data.
As for HomeJoy being the same legal entity, that's not the way that the email sent from HomeJoy reads. It says that Fly Maids is their partner, not the same organisation.
That HomeJoy hasn't done this says to me they are cavalier with their customers' data at best. I would not trust them with my credit card details, nor would I be happy letting them into my home.
When you say you're passionate about a "space" though, I think you reveal that all you're really saying is you think you can make a lot of money in that "space". Which isn't passion at all. Well, maybe passionate about making money. Which is more like at best ambition or at worst greed, not actually passion.
There's endless ways we could speculate about why he's doing what he's doing, but is being six years out of school one of them?
He spent "his entire professional career" (5 years!!!) in home cleaning. And before that it looks like he spent four years at MIT majoring in chemical engineering.
I hope someone at Stripe responds because this is a personal data issue.
It's bonkers to display it over an insecure connection, but I don't think that it's disallowed.
Rather than me point out exactly why what you just said was completely wrong, I suggest you download it from here:
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1....
At the very least, read requirement 4. The simple fact is that they were allowing customers to enter their credit card details and submit that data over HTTP.
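The failure named in the comment above (card details entered and submitted over plain HTTP) is something a site owner can check for mechanically. The following is an added example, not code from the thread or from either site; the URLs and HTML are constructed, and the field-name heuristic is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Heuristic (assumption): names, ids, autocomplete tokens or input types that
# suggest cardholder data or credentials.
SENSITIVE = re.compile(r"(cc-|card|cvc|cvv|exp|passw)", re.I)


class _FormCollector(HTMLParser):
    """Collects every <form> with its action and any sensitive-looking fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            keys = ("name", "id", "autocomplete", "type")
            label = " ".join(a[k] for k in keys if a.get(k))
            if SENSITIVE.search(label):
                self._current["fields"].append(a.get("name") or a.get("id") or "?")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_page(page_url, html):
    """Return findings for sensitive forms that are served or submitted without TLS."""
    collector = _FormCollector()
    collector.feed(html)
    page_secure = urlsplit(page_url).scheme == "https"
    findings = []
    for form in collector.forms:
        if not form["fields"]:
            continue  # e.g. a search box: nothing sensitive to protect
        # An empty or relative action resolves against the page URL, so a form
        # on an http:// page posts over http:// unless the action says otherwise.
        target = urljoin(page_url, form["action"])
        reasons = []
        if not page_secure:
            # Even with an https action, the form markup can be rewritten in transit.
            reasons.append("form served over http")
        if urlsplit(target).scheme != "https":
            reasons.append("submits over http")
        if reasons:
            findings.append(
                {"target": target, "fields": form["fields"], "reasons": reasons}
            )
    return findings


# Constructed sample pages (not captured from any real site).
ACCOUNT_PAGE = """
<form action="/search"><input type="text" name="q"></form>
<form action="/payments/update" method="post">
  <input name="card_number" autocomplete="cc-number">
  <input name="exp_month">
  <input name="cvc">
  <input type="submit" value="Save">
</form>
"""
LOGIN_PAGE = '<form action="http://shop.example/login"><input type="password" name="pw"></form>'
SAFE_PAGE = '<form action="/login" method="post"><input type="password" name="pw"></form>'

if __name__ == "__main__":
    for url, html in [
        ("http://shop.example/account", ACCOUNT_PAGE),
        ("https://shop.example/login", LOGIN_PAGE),
        ("https://shop.example/login", SAFE_PAGE),
    ]:
        print(url, audit_page(url, html))
```

The check covers only the form markup; it says nothing about how the data is handled or stored once it reaches the server.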
Spam is illegal, so that's one good sign it might be unethical. About 90% of email is spam [1]; the reason you aren't spending all day "deleting with the click of a button" is that a lot of smart people and a lot of computing power are devoted to keeping most of that spam out of your inbox.
You should be thankful for the people who get offended about this stuff, because it's only their reactions and their hard work that have kept email a usable medium.
[1] https://www.m3aawg.org/sites/default/files/document/M3AAWG_2...
Processes for secure deletion of data when no longer needed
Is "needed" defined anywhere?
As far as I can tell this requires companies to create a plan – that plan could be very different between companies.
I highly doubt Homejoy/Fly Maids is maintaining the data themselves, it's probably stored in Stripe, so unless they are actually storing credit card data in a non PCI compliant way, they are probably fine, right?
Let me restate what I think you're saying though: When they shut down Homejoy, they should have immediately deleted all the data they had stored in Stripe (or what ever payment system they use)?
"That HomeJoy hasn't done this says to me they are cavalier with their customers data at best. I would not trust them with my credit card details, nor would I be happy letting them into my home."
Totally agree, maybe let's leave it at that :)
Speechless!
I highly doubt Homejoy/Fly Maids is maintaining the data themselves, it's probably stored in Stripe, so unless they are actually storing credit card data in a non PCI compliant way, they are probably fine, right?
No, Stripe would then be violating PCI-DSS themselves.
Stripe has API calls to get the last four digits and expiration date.
Also, it's not clear that the /payments page isn't secure, the screenshot is of the Profile page.
*edit: see my reply to your other comment, didn't realize you were OP, so I will now assume you did check the payment form for security and it was not there, which is definitely even more shocking.
Bad press sucks and can be hard, it'll pass though - good to be cautious with this kind of thing in the future (which you probably will be).
I was a Homejoy customer too and don't think this is that big a deal all things considered.
You can ignore my comment about the /payments page, I'll assume you checked that, so yeah, that's insane if you can update payment information on an insecure page.
I bought a small business from a brokerage site.
He transferred the Stripe account to me no problem. It was as simple as me making a Stripe user account and then him adding me to the account he used for the business and then me removing him.
The entire process took minutes. It took about 3 weeks for PayPal.
http://thebillfold.com/2014/10/my-day-interviewing-for-the-s...
Stripe is very unlikely to transfer credit card data to an entirely different organisation. They also require evidence of PCI compliance before they will do business with you.
As for knowing when your business is being dissolved: I have to refer you to their terms of service, found at https://stripe.com/us/terms
You agree to give us at least 30 days prior notification of your intent to change your current product or services types, your trade name, or the manner or types of payments you accept. You agree to provide us with prompt notification if you are the subject of any voluntary or involuntary bankruptcy or insolvency petition or proceeding. You also agree to promptly notify us of any adverse change in your financial condition, any planned or anticipated liquidation or substantial change in the basic nature of your business, any transfer or sale of 25% or more of your total assets or any change in the control or ownership of you or your parent entity. You will also notify us of any judgment, writ or warrant of attachment or execution, or levy against 25% or more of your total assets not later than 3 days after you obtain knowledge of it.
You are guessing, however, that they are using Stripe or another credit card provider to store that data. But given Stripe need to handle charge backs and other things, I can't see them not knowing about HomeJoy, given how public the windup was.
It is a big deal. He copied a competitor's site word for word. He has 3 other cleaning companies and it appears people who signed up with Homejoy have their info moved to these companies. Customers need to know when their data is going to be used and they have to give consent. Perhaps this fresh article will show the severity of the matter- http://www.businessinsider.com/aaron-cheung-brings-homejoy-c...
https://support.stripe.com/questions/do-i-need-to-be-pci-com...
Their privacy policy appears to be copy-pasted as well:
> we are Maidayy LLC (doing business as Maidayy), a Wisconsin company with our head office at ADDRESS, CITY, STATE USA
edit: just noticed this heading near the bottom:
"Access to Information; Contacting Homejoy:"
On such terms "Passionate about" statements are almost universally crap.
There is nothing wrong with just working for the money, all this insistence people must be "passionate" about their work smells an awful lot like cultish propaganda. It's not enough to do your job and get paid, you must LOVE your job!
Unfortunately it sounds like the worst case for them is that enough people report them to their payment provider and they get fined. Clearly what they face there is probably not worse than the huge violation of trust their former customers will feel.
By the way thanks for digging into this so much. The Stripe TOS are darn clear here.
Great idea, maybe you should take that up with Paul "Morally, [the founders we want to fund] care about getting the big questions right, but not about observing proprieties. That's why I'd use the word naughty rather than evil." Graham.
http://www.businessinsider.in/Dilbert-creator-Scott-Adams-il...
Info here - http://www.consumer.ftc.gov/articles/0262-stopping-unsolicit...
Kind of like a store selling its shelves as it goes out of business. May as well get money for anything that's not nailed down.
There's a multitude of good reasons why this poster didn't want to use his real name. In all honesty, if I was hiring, or deciding to do business with an individual, if they used their real name, and had a plethora of comments on Twitter; I don't think I would hire, nor trust that individual with information.
(To the HN community. Does HN offer a way to delete comments? I just assumed they did? Maybe they don't? I do know I can delete briefly after I make a comment, but that privilege dies pretty quick. Why?)
> Cleaner Connect is not an employer, but simply connects independent service professionals with customers
Your Homejoy co-founder stated lawsuits over worker misclassification were the "deciding factor" in the decision to wind Homejoy down[1]. Assuming cleanerconnect.com is indeed part of your new venture, the above suggests your "testing" involves the same flawed contracting strategy that contributed to Homejoy's demise.
2. Your email to former Homejoy customers encourages them to use a "partner" service. You fail, however, to disclose that you are actually a principal of the "partner" business. Additionally, your comment suggests that FlyMaids is not actually a partner of a company that is supposedly winding down but rather is the acquirer of certain Homejoy assets.
3. As far as I can tell, neither FlyMaids nor Homeaglow were ever featured by Oprah, The New York Times, etc., yet this claim is/was being made on their sites.
4. There are multiple sites (http://www.dazzlingcleaning.com, http://www.homeaglow.com/ and http://www.flymaids.com/) that appear to be connected to your new venture. Each of their terms of service refers to Delaware corporations that don't seem to exist.
Humble advice: you might want to rethink your passion for the home service space. And make sure you have a good attorney on retainer.
[1] http://recode.net/2015/07/17/cleaning-services-startup-homej...
If they were using Stripe or similar, then they don't have access to your credit cards. Only the last four digits and expiration.
Not everyone that's a founder has to be in front of people (literally or virtually).
It looks to me as though Homejoy & Fly Maids have done a terrible job of communicating this, but it seems legitimate to me. When companies get acquired, customers have always come along for the ride. In fact, that's often the main thing that companies get acquired for. Facebook could've built a Whatsapp clone, but the billions of dollars of value was the user base. In this case, it's a bit less usual since just the customer data has been acquired.
Just seems so contrived and fake to me :-\
No sale here.
I did a paper on (sort of) this in law school. My focus was on civil law systems and I'm not claiming I'm the world's foremost expert on this topic.
With that out of the way, it's not that easy. When a company goes bankrupt, it doesn't have a say on what happens to its assets. Furthermore, a liquidator doesn't have to honor commitments made by the company. (this is also why 'software escrow' in the cheap form that is implemented so often is, imo, legally on shaky ground - this was the actual topic of my paper).
So what are the options? One is to put the 'ownership' of customer data (what that means exactly is a whole discussion in itself) into a separate company. But that company can't be owned by the 'real' company, it's tricky in many ways. And costly. And makes things (very) difficult, operationally. And it takes away the ownership of a critical asset, making it near impossible to get investment (because who will invest in a company that doesn't 'own' its customer data?) Etc. I don't think anyone follows through on their claims of being 'careful with customer data' to this extent, but then again, of course I don't know the operations of every company in the world.
Basically, once you are in a database of a company, and if that database is worth anything, you are up shit creek when that company goes bust - good intentions and promises do not matter one bit. A new guy comes in who doesn't care about his 'reputation' in the field the company was in, who has a legal duty to get the highest price for any assets, and who is not bound by anything the company did or said. It doesn't take a law degree to figure out how that works out for the 'privacy' of the (former) users/customers.
That's all you really need to know about FlyMaids and Homejoy. If I ran a startup into the ground I would never ever betray my customers by selling their data!
It's not clear to me that the same intuition applies if the Alltel equivalent is shutting down because it was mismanaged, and the Verizon equivalent was created by one of the mismanagers and has no other assets, but it's hard for me to imagine there's a meaningful legal distinction.
When you run a business into the ground, some decisions about what you sell get taken over by courts, at the direction of your creditors.
When you trust your data with a company, you're not just trusting its ethics, you're trusting its long term viability too.
At the time, I remember being incredibly disappointed to see him hide behind the EULA and "This one seems a matter of opinion." That's why it came to mind immediately and I was curious if YC ever took a more respectable position in the interim.
This is true, but a lot of this "story" still seems strange, especially in light of the fact that all of the sites that appear to be associated with Cheung's new venture have been taken offline.
There are a number of well-funded players in this space, some of which might have an interest in acquiring Homejoy's data. How did the twenty-something co-founder of the failed business come to acquire the data? Did outside investors provide funding for the new venture and its acquisition of the data? Were any of those investors also investors in Homejoy? Why weren't former Homejoy customers simply informed that another company had acquired their information in an honest, transparent fashion (the way most companies handle transactions of this nature)?
It's worth pointing out that the email Cheung sent to former Homejoy customers about FlyMaids stated that FlyMaids "work[s] with Homejoy's best cleaners."
If that is true, it would appear this new venture is essentially just Homejoy reincarnated, begging questions about Homejoy's liabilities. Assuming the lawsuits against Homejoy haven't settled, I'd imagine the attorneys behind those lawsuits might have an interest in what's going on.
Such as 'Add your specific cleaning instructions and pay securely online by debit or credit card. No cash, no fuss.'
Which prompted https://mopp.com this time, but also willowmaids and urbahome. This is getting beyond ridiculous haha.
I'm starting to wonder if this isn't just the lorem ipsum of cleaning websites.
Thank you. I asked the same question below and got some downvotes for it. Falsifying things like that is a big sham. I see on homeaglow, the company claims more features on Rachels (whatever that is).
Perhaps a lame attempt to corner the market? Not sure how well that would work out with the exact same content - Google punishes such things.
Any time you use last-4 as something secure, you're doing it wrong.
As mentioned above, last-4 is sent by email frequently, and email passes, unencrypted, through intermediate servers all over the Internet. Any compromised host can observe all of the email that passes through it.
Any process that uses last-4 to unlock a password or otherwise as a secure token is broken by design.
On the other hand, I think that proprietarily-generated data would be fair game if anonymized. A massive data set showing how people's usage of a given service varies based on age, geography, type of phone, whatever -- I think selling that to a third party would be morally and ethically defensible. [0]
There are likely a lot of edge cases here (the LinkedIn example above might be one), and it's an interesting topic. With all that said, recycling all of Homejoy's users' account info into a new enterprise without their explicit consent seems pretty plainly wrong to me.
Prediction: the fact that there's still no word from @sama or @paul probably means that they're working hard to provide a clear and decisive written response to this incident -- probably one that amounts to a new YC policy of some sort.
[0]: IANAL and not sure whether the possibility of an eventual sale of such user-generated data would need to be mentioned in the service's T&Cs from the get-go.
More importantly, this is gratuitously personal. Stalking expeditions are not welcome on Hacker News, whatever one's opinion of the story at hand. Please don't do this on this site.
We detached this subthread from https://news.ycombinator.com/item?id=10467925 and marked it off-topic.
How did you get my information? We acquired Homejoy’s domain and customer information through an ABC process. Our intention is to improve and then relaunch Homejoy’s cleaning service. We were testing a new model using Fly Maids, one of our testing brands. As evidenced today, we made some mistakes.
Why is your email and website so misleading? When we contacted customers, we didn’t tell them we were Homejoy relaunching because we wanted to gauge reception to our new model without the influence of Homejoy’s brand.
As a result, we scared many customers, who expected the worst had happened to their data. We should have told customers upfront who we were, what we were testing, and used original content.
Do you have my credit card info? No, as of Oct 28 2015, we deleted all credit card info, including the last 4 digits. Also, the Homejoy Stripe account has been permanently shut down so no one can get access to it in any manner.
At no point did we ever charge a Homejoy customer’s credit card.
How do I delete my account information to ensure that it is not used in any way? Please go here http://goo.gl/forms/YPdJlYJ9Pn
You can't write that off as simply being an honest mistake or testing new ideas.
You went to college. That's plagiarism.
https://cdn-images-1.medium.com/max/1600/1*dLlQGvWTeMTB7PT_n...
Good luck.
It's at the very least dishonest if not of questionable legality to shut down your old company to try to avoid lawsuits and / or debts, start a new company and sell yourself your old assets. I really hope that isn't what you're doing / did. Because that would be pretty low-brow kind of stuff.
https://archive.org/download/archiveteam_archivebot_go_20150...
https://archive.org/download/archiveteam_archivebot_go_20150...
https://archive.org/download/archiveteam_archivebot_go_20150...
In my case one of our founders purchased the domain name and the "good will of the company", and continued to run the company under that name as a "trading name". The actual company entity going forward was completely different.
1. You now acknowledge you intentionally lied to customers by saying you were redirecting them to a "partner", but it's the same company under a different name.
2. You don't hold that data under a payment provider like Stripe, and yet you claim to have PCI-DSS compliance but are violating it and risking a lot of customer credit card data!
You now say you have deleted that data, but how are we meant to believe you? Where was that data stored? Locally or with Stripe? Why didn't you encrypt it?
How did you "acquire Homejoy’s domain and customer information through an ABC process"? How does that even work?!
It's not a question of what I use those digits for, it's a question of what everyone else uses them for.
Last evening GMT this submission was in fourth place when by points/comments/age it should have been first.
User flagging is the most charitable interpretation.
edit: now at position 54, 1078 points, 315 comments, 16 hours ago. At position 53 is a story from 17 hours ago, 69 points, 13 comments (https://news.ycombinator.com/item?id=10466419)
To me, this sounds like "As founder, I had access to all of Homejoy's data, so I just took it with me."
You could say the same about bigger "success" stories (let's say Airbnb). They're actively ignoring laws that make their business look better. Regardless of how you feel about whether the laws are just or not, how does that reflect on YC to have one of their biggest success stories blatantly ignoring laws?
I agree with your point that they are weird things to bring up, but how is that "stalking"? It's looking at 3 very public profile pages, which requires almost no effort to look at. Unless you've edited the post to remove information, that seems entirely benign. There's absolutely 0 expectation of privacy with those pages, and almost by definition were created to allow access for the general public to that information.
That aside, if we assume the data was acquired appropriately, it makes the questionable behavior[1] all the more baffling.
Maybe, _maybe_, for offline testing with small focus groups. But even then, what's the point? You could just show them the competitor site and ask what they dis/like.
Why? Because the two things you need to run a professional housecleaning service are access to people's houses and their credit card numbers. Maintaining this access demands far more judgement, care, and integrity than Aaron Cheung is ever likely to have.
Sure, it's public data, but so are lots of things. When you search them out and compile them, you create something different than the scattered pieces. To do that and use it to attack somebody, or insinuate about them personally, crosses a line we shouldn't cross here.
I suspect crabasa meant no harm, was just being curious and participating in the discussion, but in these cases the group dynamic tends quickly to get a lot uglier than the sum of our individual motives.
Not defending the rest of the site. Just pointing out what I felt was not a problem. There are plenty of problems to go around, though.
Also make it legally solid enough that even if there was a lawsuit, the cost of the lawsuit would be higher than the worth of the data.
"i can't be 100% sure but i think people choose to work here because they believe homejoy is not just another cool startup; it’s a mission; it's a passion. we're building things that enable and will change the way people live and work. this is not an overnight venture; we know it'll take a long time, and we’re all committed to it."
Yeah, that's not myopic, self-important and delusional at all.