1121 points alokedesai | 6 comments
1. livejamie ◴[] No.10467017[source]
My old Homejoy login doesn't work on that site, and doing "forgot your password" gives an error of "user does not exist" for the email I used with Homejoy.
replies(1): >>10467040 #
2. kornish ◴[] No.10467040[source]
They're probably not porting over accounts by default, but rather waiting for users to express interest by clicking the link in the marketing email.

From the original post:

> Worst still, as I navigated around the site I realized the email link I clicked logged me into “My Account”. This screen had lots of my personal information, home address, email, even my credit card number.

replies(1): >>10467158 #
3. chris_wot ◴[] No.10467158[source]
So hold on... If we can work out how they encoded those activation URLs, or someone intercepts the email then they can get full access to anyone's account?

I have zero sympathy for HomeJoy. They failed, which is something I can have sympathy for. But they sold all their customers' private data without notifying them of this fact, and caused major security concerns in the process!

replies(1): >>10467336 #
4. pavel_lishin ◴[] No.10467336{3}[source]
We don't actually know what happened here. It could have been just one founder doing something shady; it could have been a hack; it could be something we can't imagine yet.

Let's not break out the pitchforks until we know who to point them at.

replies(2): >>10467554 #>>10468021 #
5. ◴[] No.10467554{4}[source]
6. chris_wot ◴[] No.10468021{4}[source]
Actually, I'm breaking out the pitchforks. One of the requirements for PCI compliance is that you do NOT hold credit card data for any longer than absolutely required. Given HomeJoy was not doing any more billing of credit cards, these should have been removed from their system.