←back to thread

Didn’t Homejoy Shut Down?

(medium.com)
1121 points alokedesai | 5 comments | 28 Oct 15 19:51 UTC | HN request time: 0s | source
Show context
aarontcheung ◴[28 Oct 15 22:42 UTC] No.10467925[source]
I'm one of the founders of Homejoy. I'm still very passionate about the home service space. After leaving Homejoy, I started FlyMaids, where we're exploring a few different angles on the space.

We recently acquired the customer and service provider data from Homejoy.

We're a small team that has been focused on moving quickly while bootstraping. We tried to quickly test different approaches, but we realize now that we did so in an unclear manner. We recognize the need to use the data we acquired responsibily. As a result, we're taking the site down, and we're going to do a better job with our testing moving forward.

replies(30): >>10467939 #>>10467957 #>>10467983 #>>10467987 #>>10467997 #>>10468007 #>>10468009 #>>10468010 #>>10468016 #>>10468028 #>>10468043 #>>10468068 #>>10468072 #>>10468078 #>>10468091 #>>10468187 #>>10468193 #>>10468221 #>>10468225 #>>10468376 #>>10468464 #>>10468597 #>>10468684 #>>10468700 #>>10468782 #>>10468805 #>>10468825 #>>10469434 #>>10472300 #>>10505131 #
jasonlaramburu ◴[28 Oct 15 23:11 UTC] No.10468078[source]
Aaron, I was a homejoy customer. I am frustrated and concerned that my credit card # was sold to another company without my consent. How can users opt-out of having their data sold to flymaids (or any future ventures)? The fact that flymaids' site is a poorly-built clone of a competitor's site also makes me scared that my data is not being protected.
replies(2): >>10468112 #>>10468330 #
nostromo ◴[28 Oct 15 23:20 UTC] No.10468112[source]
Your CC is probably safe on Stripe's servers.

Which makes me wonder -- does Stripe allow entire accounts to change hands willy-nilly like this?

replies(8): >>10468145 #>>10468147 #>>10468152 #>>10468175 #>>10468176 #>>10468458 #>>10468492 #>>10469441 #
noneTheHacker ◴[29 Oct 15 00:33 UTC] No.10468458[source]
Yes, Stripe makes it SUPER simple for accounts to change hands.

I bought a small business from a brokerage site.

He transferred the Stripe account to me no problem. It was as simple as me making a Stripe user account and then him adding me to the account he used for the business and then me removing him.

The entire process took minutes. It took about 3 weeks for PayPal.

https://support.stripe.com/questions/change-account-owner

replies(1): >>10468496 #
chris_wot ◴[29 Oct 15 00:44 UTC] No.10468496[source]
According to Stripe, they require evidence you comply with PCI-DSS. I'm interested, did they ask you for this?
replies(1): >>10468541 #
ceejayoz ◴[29 Oct 15 00:56 UTC] No.10468541[source]
As long as you're using their JS solutions so credit card data never ever goes through your servers (even temporarily), PCI-DSS compliance on Stripe just means serving the payment page over SSL.

https://support.stripe.com/questions/do-i-need-to-be-pci-com...

replies(1): >>10469467 #
1. nerdy ◴[29 Oct 15 05:36 UTC] No.10469467{3}[source]
Except this article says it is not served over SSL. There's even a huge graphic with an arrow pointing it out.

https://cdn-images-1.medium.com/max/1600/1*dLlQGvWTeMTB7PT_n...

replies(2): >>10469577 #>>10470544 #
2. jessedhillon ◴[29 Oct 15 06:24 UTC] No.10469577[source]
That could just be the last four digits. When you create a token with Stripe, you do still get those back. Conceivably, they're showing 12 asterisks and the naked last four, while retaining the token Homejoy used with you so they can recharge -- although in order to do that, they would need Homejoy's Stripe API secret.
replies(1): >>10469756 #
3. shkkmo ◴[29 Oct 15 08:10 UTC] No.10469756[source]
The last four digits are still plenty sensitive enough to make serving them over http blatantly irresponsible.
replies(1): >>10469938 #
4. chris_wot ◴[29 Oct 15 09:31 UTC] No.10469938{3}[source]
It's not just that - it allows you to update your credit card over unencrypted http.
5. ceejayoz ◴[29 Oct 15 12:46 UTC] No.10470544[source]
Yes. That's a problem, certainly. I'm just pointing out that Stripe's "are you PCI compliant" process is pretty low-key.