1121 points alokedesai | 22 comments
aarontcheung ◴[] No.10467925[source]
I'm one of the founders of Homejoy. I'm still very passionate about the home service space. After leaving Homejoy, I started FlyMaids, where we're exploring a few different angles on the space.

We recently acquired the customer and service provider data from Homejoy.

We're a small team that has been focused on moving quickly while bootstrapping. We tried to quickly test different approaches, but we realize now that we did so in an unclear manner. We recognize the need to use the data we acquired responsibly. As a result, we're taking the site down, and we're going to do a better job with our testing moving forward.

replies(30): >>10467939 #>>10467957 #>>10467983 #>>10467987 #>>10467997 #>>10468007 #>>10468009 #>>10468010 #>>10468016 #>>10468028 #>>10468043 #>>10468068 #>>10468072 #>>10468078 #>>10468091 #>>10468187 #>>10468193 #>>10468221 #>>10468225 #>>10468376 #>>10468464 #>>10468597 #>>10468684 #>>10468700 #>>10468782 #>>10468805 #>>10468825 #>>10469434 #>>10472300 #>>10505131 #
1. jasonlaramburu ◴[] No.10468078[source]
Aaron, I was a homejoy customer. I am frustrated and concerned that my credit card # was sold to another company without my consent. How can users opt-out of having their data sold to flymaids (or any future ventures)? The fact that flymaids' site is a poorly-built clone of a competitor's site also makes me scared that my data is not being protected.
replies(2): >>10468112 #>>10468330 #
2. nostromo ◴[] No.10468112[source]
Your CC is probably safe on Stripe's servers.

Which makes me wonder -- does Stripe allow entire accounts to change hands willy-nilly like this?

replies(8): >>10468145 #>>10468147 #>>10468152 #>>10468175 #>>10468176 #>>10468458 #>>10468492 #>>10469441 #
3. johnsalzarulo ◴[] No.10468145[source]
I was wondering the same thing about Stripe or any of the big credit card processors. That'd be shady.
4. jasonlaramburu ◴[] No.10468147[source]
Are they using stripe on the new site(s)? Looks like those have all been taken down.
replies(1): >>10468234 #
5. TimSchumann ◴[] No.10468152[source]
My guess is the account never changed hands. Stripe can't really prevent a legitimate owner of an account from doing something stupid with it. At least, not until after the fact.
6. carrja99 ◴[] No.10468175[source]
Most likely they just have the same API keys.
7. staringispolite ◴[] No.10468176[source]
I was also thinking through which rules would apply here. (What entity owns a Stripe account? What constitutes a transfer of data? How does this case differ from say, an acquisition?)

The medium article only shows info you can get from a Stripe card_id request. Not using https on that page is troublesome, but I don't think there's any evidence to suggest FlyMaids (or even HomeJoy) ever had access to actual CC information.

It seems more likely that this depends on Homejoy's ToS/Privacy Policy. (Although it's certainly possible the transfer was done in a way that violates Stripe's policies, I'm just not familiar with those)

Edit: It might even be the same business entity with different d.b.a names. Good discussion here: https://news.ycombinator.com/item?id=10468161

8. justinzollars ◴[] No.10468234{3}[source]
If so, this information should be deleted. If I were affected I would be pissed.

I hope someone at Stripe responds because this is a personal data issue.

9. detaro ◴[] No.10468330[source]
If they keep data in Stripe, you should contact Stripe about it. I'd be interested in what they have to say.
10. noneTheHacker ◴[] No.10468458[source]
Yes, Stripe makes it SUPER simple for accounts to change hands.

I bought a small business from a brokerage site.

He transferred the Stripe account to me no problem. It was as simple as me making a Stripe user account and then him adding me to the account he used for the business and then me removing him.

The entire process took minutes. It took about 3 weeks for PayPal.

https://support.stripe.com/questions/change-account-owner

replies(1): >>10468496 #
11. jmathai ◴[] No.10468492[source]
Doesn't look like it is stored (only) with Stripe. The profile section of the site (per the blog post screenshot) displays some of the credit card info.
replies(1): >>10468568 #
12. chris_wot ◴[] No.10468496{3}[source]
According to Stripe, they require evidence you comply with PCI-DSS. I'm interested, did they ask you for this?
replies(1): >>10468541 #
13. ceejayoz ◴[] No.10468541{4}[source]
As long as you're using their JS solutions so credit card data never ever goes through your servers (even temporarily), PCI-DSS compliance on Stripe just means serving the payment page over SSL.

https://support.stripe.com/questions/do-i-need-to-be-pci-com...

replies(1): >>10469467 #
14. ceejayoz ◴[] No.10468568{3}[source]
Stripe's API returns the last four digits for a tokenized card so you can display them to users.
replies(2): >>10469059 #>>10469774 #
15. tcdent ◴[] No.10469059{4}[source]
It's also intentionally difficult to gain access to the customer's card number on checkout. All the server is allowed to receive is a unique token representing the customer to complete the transaction with. Pretty clever, but I suppose not impossible to work around.
16. nandemo ◴[] No.10469441[source]
True, they probably don't have the full card numbers. But if the new business can charge my card, then I don't think my card info is "safe".
17. nerdy ◴[] No.10469467{5}[source]
Except this article says it is not served over SSL. There's even a huge graphic with an arrow pointing it out.

https://cdn-images-1.medium.com/max/1600/1*dLlQGvWTeMTB7PT_n...

replies(2): >>10469577 #>>10470544 #
18. jessedhillon ◴[] No.10469577{6}[source]
That could just be the last four digits. When you create a token with Stripe, you do still get those back. Conceivably, they're showing 12 asterisks and the naked last four, while retaining the token Homejoy used with you so they can recharge -- although in order to do that, they would need Homejoy's Stripe API secret.
replies(1): >>10469756 #
19. shkkmo ◴[] No.10469756{7}[source]
The last four digits are still plenty sensitive enough to make serving them over http blatantly irresponsible.
replies(1): >>10469938 #
20. jmathai ◴[] No.10469774{4}[source]
Thanks for clarifying that. Did not know.
21. chris_wot ◴[] No.10469938{8}[source]
It's not just that - it allows you to update your credit card over unencrypted http.
22. ceejayoz ◴[] No.10470544{6}[source]
Yes. That's a problem, certainly. I'm just pointing out that Stripe's "are you PCI compliant" process is pretty low-key.