I'm one of the founders of Homejoy. I'm still very passionate about the home service space. After leaving Homejoy, I started FlyMaids, where we're exploring a few different angles on the space.
We recently acquired the customer and service provider data from Homejoy.
We're a small team that has been focused on moving quickly while bootstraping. We tried to quickly test different approaches, but we realize now that we did so in an unclear manner. We recognize the need to use the data we acquired responsibily. As a result, we're taking the site down, and we're going to do a better job with our testing moving forward.
I'm starting to read "passionate about" as "wanting to make money of". I have to make an effort to read it in the classical sense. I fear the same will happen with "share". And when my kids talk about sharing at school I will only think of flooding with memes or of selling things.
Now, I'm not a native english speaker, so I can't say if aarontcheung is misusing the term or not. Is this change happening to the english culture as a whole? Or am I reading way too many silicon valley articles?
I hear a lot of people using "passionate about" to mean "committed to" because it prevents others from trying to convince you that you're making a mistake.
just another bullshit marketing term. I cannot believe these type of people really think that those reading it will go "wow this guy really cares about some low paid worker cleaning my house well, I will go with them".
"i can't be 100% sure but i think people choose to work here because they believe homejoy is not just another cool startup; it’s a mission; it's a passion. we're building things that enable and will change the way people live and work. this is not an overnight venture; we know it'll take a long time, and we’re all committed to it."
Yeah, that's not miopic, self-important and delusional at all.
Aaron, I was a homejoy customer. I am frustrated and concerned that my credit card # was sold to another company without my consent. How can users opt-out of having their data sold to flymaids (or any future ventures)? The fact that flymaids' site is a poorly-built clone of a competitor's site also makes me scared that my data is not being protected.
Yes, Stripe makes it SUPER simple for accounts to change hands.
I bought a small business from a brokerage site.
He transferred the Stripe account to me no problem. It was as simple as me making a Stripe user account and then him adding me to the account he used for the business and then me removing him.
The entire process took minutes. It took about 3 weeks for PayPal.
As long as you're using their JS solutions so credit card data never ever goes through your servers (even temporarily), PCI-DSS compliance on Stripe just means serving the payment page over SSL.
That could just be the last four digits. When you create a token with Stripe, you do still get those back. Conceivably, they're showing 12 asterisks and the naked last four, while retaining the token Homejoy used with you so they can recharge -- although in order to do that, they would need Homejoy's Stripe API secret.
I was also thinking through which rules would apply here. (What entity owns a Stripe account? What constitutes a transfer of data? How does this case differ from say, an acquisition?)
The medium article only shows info you can get from a Stripe card_id request. Not using https on that page is troublesome, but I don't think there's any evidence to suggest FlyMaids (or even HomeJoy) ever had access to actual CC information.
It seems more likely that this depends on Homejoy's ToS/Privacy Policy. (Although it's certainly possible the transfer was done in a way that violates Stripe's policies, I'm just not familiar with those)
My guess is the account never changed hands. Stripe can't really prevent a legitimate owner of an account from doing something stupid with it. At least, not until after the fact.
Doesn't look like it is stored (only) with Stripe. The profile section of the site (per the blog post screenshot) displays some of the credit card info.
It's also intentionally difficult to gain access to the customer's card number on checkout. All the server is allowed to receive is a unique token representing the customer to complete the transaction with. Pretty clever, but I suppose not impossible to workaround.
Why did you copy Handy's site verbatim? Why did you not give customers the option to opt-in to your new venture? Why did you post the logos of news organizations that had never written you up?
> We recently acquired the customer and service provider data from Homejoy.
That's all you really need to know about FlyMaids and Homejoy. If I ran a startup into the ground I would never ever betray my customers by selling their data!
> When you run a business into the ground, some decisions about what you sell get taken over by courts, at the direction of your creditors.
This is true, but a lot of this "story" still seems strange, especially in light of the fact that all of the sites that appear to be associated with Cheung's new venture have been taken offline.
There are a number of well-funded players in this space, some of which might have an interest in acquiring Homejoy's data. How did the twenty-something co-founder of the failed business come to acquire the data? Did outside investors provide funding for the new venture and its acquisition of the data? Were any of those investors also investors in Homejoy? Why weren't former Homejoy customers simply informed that another company had acquired their information in an honest, transparent fashion (the way most companies handle transactions of this nature)?
It's worth pointing out that the email Cheung sent to former Homejoy customers about FlyMaids stated that FlyMaids "work[s] with Homejoy's best cleaners."
If that is true, it would appear this new venture is essentially just Homejoy reincarnated, begging questions about Homejoy's liabilities. Assuming the lawsuits against Homejoy haven't settled, I'd imagine the attorneys behind those lawsuits might have an interest in what's going on.
The founder says he acquired the data through an assignment for the benefit of creditors. I'm not an expert in ABCs, but my understanding is that the assignee in this process has a fiduciary duty to creditors and therefore must attempt to maximize the liquidation price of the company's assets. So I'm still curious as to how the twenty-something co-founder of the failed business acquired the data.
That aside, if we assume the data was acquired appropriately, it makes the questionable behavior[1] all the more baffling.
You're trusting that they or their acquirers will honor the contracts that they have with you. In the case of Homejoy, my assumption is that the claims/promises they made constitute a contract with their users that limits their ability to make use of your data outside the described scope. IANAL, but I think there's a reason we don't regularly hear about things like this - it's actually hard to do without getting sued.
Why? Because the two thing you need to run a professional housecleaning service are access to people's houses and their credit card numbers. Maintaining this access demands far more judgement, care, and integrity than Aaron Cheung is ever likely to have.
A contract requires mutual consideration. Whatever someone says in their dying breath doesn't constitute a contract. A last will, perhaps, but not a contract. (To my knowledge, estate law does not apply to corporations.)
This shouldn't be downvoted. It's far from unreasonable to attribute these moves to following the "hack/hustle" ethos we hear all the time in Startupland. "Passion" + "exploring" + "small team" + "moving quickly" + "bootstrapping" + "quickly test". It's all there, folks.
Yet without HTTPS anyone changing or entering new credit card info is at risk on this site. There's also personal information like where to find spare keys and stuff; it should be a lot more secure than this.
Any time you use last-4 as something secure, you're doing it wrong.
As mentioned above, last-4 is sent by email frequently, and email passes, unencrypted, through intermediate servers all over the Internet. Any compromised host can observe all of the email that passes through it.
Any process that uses last-4 to unlock a password or otherwise as a secure token is broken by design.
I wanted to follow up and address some concerns mentioned in this thread, and acknowledge that I definitely made mistakes.
How did you get my information?
We acquired Homejoy’s domain and customer information through an ABC process. Our intention is to improve and then relaunch Homejoy’s cleaning service. We were testing a new model using Fly Maids, one of our testing brands. As evidenced today, we made some mistakes.
Why is your email and website so misleading?
When we contacted customers, we didn’t tell them we were Homejoy relaunching because we wanted to gauge reception to our new model without the influence of Homejoy’s brand.
As a result, we scared many customers, who expected the worst had happened to their data. We should have told customers upfront who we were, what we were testing, and used original content.
Do you have my credit card info?
No, as of Oct 28 2015, we deleted all credit card info, including the last 4 digits. Also, the Homejoy Stripe account has been permanently shut down so no one can get access to it in any manner.
At no point did we ever charge a Homejoy customer’s credit card.
How do I delete my account information to ensure that it is not used in any way?
Please go here http://goo.gl/forms/YPdJlYJ9Pn
If I was party to a lawsuit in which a company like Homejoy was the defendant, and a similar situation happened, I'd definitely be interested in finding out how one of it's co-founders "acquired" the customer database / IP, for how much, if it went to public tender, and if not, why not -- and I'd certainly be asking a judge to join whatever the new entity is called to the case as a co-defendant with shared liability.
It's at the very least dishonest if not of questionable legality to shut down your old company to try to avoid lawsuits and / or debts, start a new company and sell yourself your old assets. I really hope that isn't what you're doing / did. Because that would be pretty low-brow kind of stuff.
1. You now acknowledge you intentionally lied to customers by saying you were redirecting them to a "partner", but it's the same company under a different name.
2. You don't hold that data under a payment provider like Stripe, and yet you claim to have PCI-DSS compliance but are violating it and risking a lot of customer credit card data!
You now say you have deleted that data, but how are we meant to believe you? Where was that data stored? Locally or with Stripe? Why didn't you encrypt it?
How did you "acquire Homejoy’s domain and customer information through an ABC process"? How does that even work?!
Regarding the last point on continued access to account information: opting-out from this is much worse than opting-in. Think of all the people who used homejoy and don't read HN - wouldn't they want the same?
I was not a Homejoy customer but from a general point of view I reckon you need to communicate to all the customers in your file and clearly let them know the truth about everything. That is the only way that you can redeem yourself from this.
>Aaron Cheung, I would appreciate it if you didn't taint YC's brand with your questionable business practices.
You could say the same about bigger "success" stories (let's say Airbnb). They're actively ignoring laws that make their business look better. Regardless of how you feel about whether the laws are just or not, how does that reflect on YC to have one of their biggest success stories blatantly ignoring laws?
In my experience, life is easier when you admit your mistakes without business speak, and just take the blame (for example: "I" instead of "We"). I've written a lot of mea culpas for mistakes which impacted customers, and the more direct and transparent I was, the better responses I always got.
You made a mistake, you know you made a mistake. Admit it, apologize, and move on. Your excuses or context probably aren't going to help your cause.
When that mistake might be very costly litigation-wise, and anything you say/do might be brought up in court, it's time to break out the business speak and obfuscate like there is no tomorrow.
Maybe. That sort of nonsense may decrease the odds of losing a lawsuit. But you increase your odds of having a lawsuit, because you leave more people mad at you.
That might be a good choice for a large company, as they already have lawyers on staff, can afford to pay for a lawsuit, and have enough money to advertise away the reputational stain.
I'm not sure it's a good idea for a startup, though. Unless you are well funded, just dealing with a lawsuit could be fatal given the reputational cost, the legal bills, and the amount of founder time that will get soaked up. Personally, I'd try to be human and humane about it.
Agreed, I think it would be better to be frank and honest in this situation. Just trying to provide some kind of rationale for why he responded in such a business-like manner.
I'm actually tempted to write a response so harsh I'd probably be banned from hacker news.
Instead I genuinely hope that YC will force companies taking the 7% into a no selling on data policy; I'm not saying that is easy to write but I am saying this situation without response smears YC, something I'm sure could be avoided in future.
"Instead I genuinely hope that YC will force companies taking the 7% into a no selling on data policy"
I did a paper on (sort of) this in law school. My focus was on civil law systems and I'm not claiming I'm the world's foremost expert on this topic.
With that out of the way, it's not that easy. When a company goes bankrupt, it doesn't have a say on what happens to its assets. Furthermore, a liquidator doesn't have to honor commitments made by the company. (this is also why 'software escrow' in the cheap form that is implemented so often is, imo, legally on shaky ground - this was the actual topic of my paper).
So what are the options? One is to put the 'ownership' of customer data (what that means exactly is a whole discussion in itself) into a separate company. But that company can't be owned by the 'real' company, it's tricky in many way. And costly. And makes things (very) difficult, operationally. And it takes away the ownership of a critical asset, making it near impossible to get investment (because who will invest in a company that doesn't 'own' its customer data?) Etc. I don't think anyone follows through on their claims of being 'careful with customer data' to this extent, but then again, of course I don't know the operations of every company in the world.
Basically, once you are in a database of a company, and if that database is worth anything, you are up shit creek when that company goes bust - good intentions and promises do not matter one bit. A new guy comes in who doesn't care about his 'reputation' in the field the company was in, who has a legal duty to get the highest price for any assets, and who is not bound by anything the company did or said. It doesn't take a law degree to figure out how that works out for the 'privacy' of the (former) users/customers.
What about a legal agreement with the users that the information will be deleted before a bankruptcy is filed and if they fail to deliver, then the users are owed so much for failure to deliver on the contract (and this debt is created in such a way it takes priority over other debt). Make the debt big enough that anyone owed money for a reason other than this deal (so investors and such) would see a greater payout by deleting the information and selling the other assets with their normal claim to its worth than by attempting to sell the customer data and split the proceeds with all the users.
Also make it legally solid enough that even if there was a lawsuit, the cost of the lawsuit would be higher than the worth of the data.
Brilliant idea, it's essentially you are giving a permanent license to your info; the problem below is a real one though, the investments we are seeing are often clearly hedged against resale of data... A rather scary market when Stripe will just charge credit cards if you have a users token!
I think a "no selling personal data" policy would make sense...user profiles, email addresses, credit cards, mailing addresses, photos, relationships with other users (e.g., if LinkedIn went out of business they shouldn't be able to sell the list of people to whom I am first-degree connected)
On the other hand, I think that proprietarily-generated data would be fair game if anonymized. A massive data set showing how people's usage of a given service varies based on age, geography, type of phone, whatever -- I think selling that to a third party would be morally and ethically defensible. [0]
There are likely a lot of edge cases here (the LinkedIn example above might be one), and it's an interesting topic. With all that said, recycling all of Homejoy's users' account info into a new enterprise without their explicit consent seems pretty plainly wrong to me.
Prediction: the fact that there's still no word from @sama or @paul probably means that they're working hard to provide a clear and decisive written response to this incident -- probably one that amounts to a new YC policy of some sort.
[0]: IANAL and not sure whether the possibility of an eventual sale of such user-generated data would need to be mentioned in the service's T&Cs from the get-go.
Do you realize that the post is less about FlyMaids being "unclear" and more about it being completely dishonest, as well as using user data provided to HomeJoy without the permission of those users?
> Cleaner Connect is not an employer, but simply connects independent service professionals with customers
Your Homejoy co-founder stated lawsuits over worker misclassification were the "deciding factor" in the decision to wind Homejoy down[1]. Assuming cleanerconnect.com is indeed part of your new venture, the above suggests your "testing" involves the same flawed contracting strategy that contributed to Homejoy's demise.
2. Your email to former Homejoy customers encourages them to use a "partner" service. You fail, however, to disclose that you are actually a principal of the "partner" business. Additionally, your comment suggests that FlyMaids is not actually a partner of a company that is supposedly winding down but rather is the acquirer of certain Homejoy assets.
3. As far as I can tell, neither FlyMaids or Homeaglow were ever featured by Oprah, The New York Times, etc., yet this claim is/was being made on their sites.
>3. As far as I can tell, neither FlyMaids or Homeaglow were ever featured by Oprah, The New York Times, etc., yet this claim is/was being made on their sites.
Thank you. I asked the same question below and got some downvotes for it. Falsifying things like that is a big sham. I see on homeaglow, the company claims more features on Rachels (whatever that is).
>We're a small team that has been focused on moving quickly while bootstraping. We tried to quickly test different approaches, but we realize now that we did so in an unclear manner.
Sometimes moving quickly isn't the best although most people say launch fast. Being that homejoy didn't do well,why didn't you take time to research well what you want to do next instead of copying a competitors site word for word?
Also, in the email to the person who wrote the article, you referred to flymaids as a "partner". Why not just come out and say it is your company?
Dude, you weren't unclear. You literally lied by copying customer testimony to mislead. At least apologize or take some responsibility. Id honestly rather you not say anything than this extremely weak response.
"When a management with a reputation for brilliance tackles a business with a reputation for bad economics, it is the reputation of the business that remains intact." -- Warren Buffett.
Why not get out now, lay low for a bit, take a job, learn another industry, and then save up to try again another day?
It is completely unacceptable that you have kept your customer's credit card details. You are completely violating Requirement 3.1 of the latest PCI-DSS (which has been the same since I looked at v2.x of the standard, incidentally):
3.1 Keep cardholder data storage to a minimum by implementing data retention
and disposal policies, procedures and processes that include at least the
following for all cardholder data (CHD) storage:
Limiting data storage amount and retention time to that which is required
for legal, regulatory, and/or business requirements
Specific retention requirements for cardholder data
Processes for secure deletion of data when no longer needed
A quarterly process for identifying and securely deleting stored cardholder
data that exceeds defined retention.
You might be trying to reboot your business, but your Comms didn't say that you were dealing with the same company owners. You also appear to have ripped off a competitors website.
You don't sound very trustworthy or reliable. If you can't keep to at least the PCI-DSS standards, what makes you think anyone can trust you moving forward?
I am going to sound contrarian, but I don't mean to be.
How does this violate PCI-DSS? The data itself is likely stored somewhere secure (who knows) – what's being displayed in the web app is the last four digits of the card and expiration date, this isn't where it's stored.
There is obviously a question of what the retention should be, but it's definitely the case that payment information can be transferred between companies.
The whole situation exudes a lack of trust, but it's not clear to me that PCI compliance is a problem here.
I thought it was pretty clear, but I'm willing to elaborate.
The requirement is that card data is securely removed when it is no longer required. They are no longer billing customers at HomeJoy as the business has been wound up, so the credit card data should have been deleted.
Also: no customer has given them any right to have their credit card billed to an entirely new entity. Credit card information should not be transferred due to sale of customer data to an entirely separate legal business entity because no contract of sale has been established between the customer and that new entity.
Yeah, I get your position (hopefully!), but I think I'd rather hear from a lawyer whether this is OK or not, my guess is that it is OK.
The snippet you pasted says also:
... regulatory, and/or business requirements
A business that is going out of business may treat this data as a business asset and may need to retain it for a certain period even when they are inactive.
Most terms of service do allow for transfer of account information to third parties, and have contingencies for what happens to the data if the company goes under, and as far as I'm aware, selling that customer data is an option unless they've explicitly said they won't.
As long as the credit card data is transferred in a PCI compliant way, it's legal.
You're absolutely right that it would be a serious violation if they were to charge someone without their knowledge, it doesn't look like that's happened yet.
It's also quite possible the underlying business entity is still Homejoy with a name change. ZenPayroll* didn't have to get people's permission to charge them when they changed their name to Gusto, but it obviously helps to communicate that change very clearly!
I am pretty sure we generally agree, though, it's very clear that there are dozens of egregiously bad things being done by Aaron and his team that can only hurt them and their desired future customers.
Yeah, you don't need to be a lawyer to implement PCI-DSS. You are entirely missing the following dot point:
"Processes for secure deletion of data when no longer needed"
Those dot points aren't using a disjunction, they must ALL be followed. The standard is very, very clear on that point: once you don't need the data, you securely delete it.
That makes sense, incidentally. If you no longer have the data anywhere, then nobody can get to it even if they compromise your systems and gain access to your credit card lists.
If your company winds down and you no longer bill your customers, you are absolutely required by PCI-DSS (and good security practice!) to delete that data.
As for HomeJoy being the same legal entity, that's not the way that the email sent from HomeJoy reads. It says that Fly Maids is their partner, not the same organisation.
That HomeJoy hasn't done this says to me they are cavalier with their customers data at best. I would not trust them with my credit card details, nor would I be happy letting them into my home.
I'm not entirely missing the point, but I don't know enough about the PCI-DSS to be too much of a contrarian here :)
Processes for secure deletion of data when no longer needed
Is "needed" defined anywhere?
As far as I can tell this requires companies to create a plan – that plan could be very different between companies.
I highly doubt Homejoy/Fly Maids is maintaining the data themselves, it's probably stored in Stripe, so unless they are actually storing credit card data in a non PCI compliant way, they are probably fine, right?
Let me restate what I think you're saying though:
When they shut down Homejoy, they should have immediately deleted all the data they had stored in Stripe (or what ever payment system they use)?
"That HomeJoy hasn't done this says to me they are cavalier with their customers data at best. I would not trust them with my credit card details, nor would I be happy letting them into my home."
I highly doubt Homejoy/Fly Maids is maintaining the data themselves, it's probably stored in Stripe, so unless they are actually storing credit card data in a non PCI compliant way, they are probably fine, right?
No, Stripe would then be violating PCI-DSS themselves.
How could Stripe know if one of their users is out of business and should delete their data? I'm a bit confused (as you already know!)
Stripe has API calls to get the last four digits and expiration date.
Also, it's not clear that the /payments page isn't secure, the screenshot is of the Profile page.
*edit: see my reply to your other comment, didn't realize you were OP, so I will now assume you did check the payment form for security and it was not there, which is definitely even more shocking.
First, I want to apologise if my tone has been a bit off on a few of my replies.
Stripe is very unlikely to transfer credit card data to an entirely different organisation. They also require evidence of PCI compliance before they will do business with you.
As for knowing when your business is being dissolved: I have to refer you to their terms of service, found at https://stripe.com/us/terms
You agree to give us at least 30 days prior notification of your intent to change your current product or services types, your trade name, or the manner or types of payments you accept. You agree to provide us with prompt notification if you are the subject of any voluntary or involuntary bankruptcy or insolvency petition or proceeding. You also agree to promptly notify us of any adverse change in your financial condition, any planned or anticipated liquidation or substantial change in the basic nature of your business, any transfer or sale of 25% or more of your total assets or any change in the control or ownership of you or your parent entity. You will also notify us of any judgment, writ or warrant of attachment or execution, or levy against 25% or more of your total assets not later than 3 days after you obtain knowledge of it.
You are guessing, however, that they are using Stripe or another credit card provider to store that data. But given Stripe need to handle charge backs and other things, I can't see them not knowing about HomeJoy, given how public the windup was.
Yep this all makes sense. I still think there's a chance it wasn't transferred at all. Since the founder of Homejoy runs the new site it could be that they're still the same entity and business with the same stripe account. Maybe this has its own implications.
Unfortunately it sounds like the worst case for them is that enough people report them to their payment provider and they get fined. Clearly what they face there is probably not worse than the huge violation of trust their former customers will feel.
By the way thanks for digging into this so much. The Stripe TOS are darn clear here.
Not the entire card, just the last four digits and expiration date. Is there anything that says that's not allowed? The PCI is about storage of the data.
It's bonkers to display it over an insecure connection, but I don't think that it's disallowed.
At the very least, read requirement 4. The simple fact is that they were allowing customers to enter their credit card details and submit that data over HTTP.
If they were using stripe how did they pass details through onto HTTP? as far as I remember their webhook won't even communicate with an unsecure page. They must be using some other payment gateway.
I didn't follow every link you included, and didn't expect to argue about this – also, I didn't realize this was your post, my bad!
You can ignore my comment about the /payments page, I'll assume you checked that, so yeah, that's insane if you can update payment information on an insecure page.
Welp, might as well ask if no-one else is: What do you mean by 'exploring a few different angles on the space'? How is you new service going to be better than Home Joy or different? Essentially, considering what happened to Home Joy, why is it going to be different this time around? Great job on Home Joy the first time 'round, btw.
For user's to automatically log in, it appears that you didn't move data to FlyMainds as much as FlyMaids is the new face to the old HomeJoy site and database.
Typically investment contracts employ non-competes to prevent founders from starting new businesses in similar spaces. Clearly this person's previous actions aren't the most ethical but I'm curious what his strategy is around this.
It's jargon, but people definitely are like that. There are a horde of people who just want to do Bitcoin or VR or video games, for example. They're less concerned with the specific company than something about the tech, the users, or the market.
Oh, I understand being passionate about video games, or VR, or Bitcoin, or even, maybe, although it's a stretch, helping people keep their houses clean. And wanting to work in that area.
When you say you're passionate about a "space" though, I think you reveal that all you're really saying is you think you can make a lot of money in that "space". Which isn't passion at all. Well, maybe passionate about making money. Which is more like at best ambition or at worst greed, not actually passion.
While I think this is a stupid move on the founder's end and there's no debate about that, I disagree with your understanding of what "passion" is. People seem to think most passionate people are born with some sort of pre-assigned passion, but it's something that arises out of your experience and action. Just like Thomas Edison was "passionate" about what he built (but he was super greedy and an asshole too), this guy probably became obsessed with this "space" after having worked on it for such a long time, even though 5 years ago he probably didn't care about home cleaning at all.
I do not think anyone is born with a pre-assigned passion. I just still doubt you can be "passionate" about a "space". That the word "space" is used in this entrepeneurial jargon is not a coincidence. The word "space" is a lack of things, not a thing itself, a vacuum, an absence, an opportunity. An opportunity to make money, specifically. I don't think the firm belief that there's a lot of money to be made in a certain "space" is actually a "passion". Not that there's anything wrong with that, not everything needs to be a "passion". Except in the silicon valley entrepeneurial mythos, where nothing is just a business, everything is a "passion" and will change the world (presumably for the better).
You're being too cynical. Why does everything have to do with money? He didn't say he thinks there's money in this. You are the one who did. And there is not even a guarantee that there's money in this "space" either. Rather, this on-demand home-cleaning category is quite gloomy if you look at what's happening to all the companies that belong to it. Maybe you think all "opportunities" are related to money, but to many entrepreneurs it's just a secondary objective.
I agree that greed isn't passion, but "space" here is industry jargon for things like "business domain" or "market" or "customer segment". He could by lying (that is¸ saying he's passionate about something he's not) or wrong (confusing greed or familiarity or obsession for passion).
I think what genuinely defines a passion is, would you do it for free if nobody was going to pay you for it.
On such terms "Passionate about" statements are almost universally crap.
There is nothing wrong with just working for the money, all this instistence people must be "passonate" about their work smells an awful lot like cultish propaganda. It not enough to do your job and get paid, you must LOVE your job!
For me, however, the weasel-worded "we realize now that we did so in an unclear manner" is completely different than "we realize now we made a big mistake".
I find it so hard to believe that anyone could possibly think going live with a total clone of a competitor's website for "testing" is a good idea.
Maybe, _maybe_, for offline testing with small focus groups. But even then, what's the point? You could just show them the competitor site and ask what the dis/like..
Immature know-nothing who thinks he's slick but is obviously making improper (unlawful?) use of private financial information. In no other business would you give a kid millions of dollars and expect him to not waste it on shiny objects like aero chairs and not toss him on his ass when ranting Start Up Speak. I'm so passionate about my comment I think I'll change the world.
PR is difficult - especially on Hacker News. Sometimes people respond excessively harshly (which I think unfortunately makes people less likely to engage the community at all).
Bad press sucks and can be hard, it'll pass though - good to be cautious with this kind of thing in the future (which you probably will be).
I was a Homejoy customer too and don't think this is that big a deal all things considered.
>I was a Homejoy customer too and don't think this is that big a deal all things considered.
It is a big deal. He copied a competitors site word for word. He has 3 other cleaning companies and it appears people who signed up with homejoy have their info. moved to these companies. Customers need to know when their data is going to be used and they have to give consent. Perhaps this fresh article will show the severity of the matter-
http://www.businessinsider.com/aaron-cheung-brings-homejoy-c...
Digging into trademarks, incorporations and S-1's is a weird little obsession of mine..
That said, my initial findings are that Flymaids is directly related to Homejoy. Under Privacy link of Flymaids it states "In the European Union, we are Fly Maids Europe Limited, a company incorporated in England and Wales (registration number 8883585) with its registered office address at 14 Whittonditch Road, Ramsbury, Marlborough, Wiltshire, United Kingdom, SN8 2PY."
If you lookup the registration number at Wales Companies House, it shows owner as "HOMEJOY EUROPE LIMITED"
As I mentioned in another post, they don't seem to be actually registered in Deleware and there are typos related to find/replace (support@flymaids.com.com) so I'm not sure we can discount the chance someone just cut/pasted that from the original Homejoy privacy page. Homejoy's privacy page doesn't load and the wayback machine was blocked via robots.txt so we have no good way of checking that I can think of.
Also, nice to meet someone else obsessed with investigating incorporation documents. :)
This may be known already, but HOMEJOY, INC. is a Delaware corporation with the filing number: 4815336
----
As mentioned in Flymaids privacy policy, their "head office" in Delaware is actually offices to incorporate.com; a registered agent for out of state companies.
Is there any way if getting the company status without having yo pay $10? Seems bizarre you have to pay to see if the company is still in business or not!
That's the head office of Nortons accountants, who I'd imagine are handling the liquidation. Changing the registered address is normal. http://www.nortonsgroup.com/uk/global-offices
The liquidators have the power to dispose of the assets as they wish, in an attempt to return as much money to creditors (and the taxman) as possible. It's entirely possible that they've decided to try and keep some parts of the company active and have outsourced the dev work to a shady 3rd party. Alternatively they might be moving the sellable assets into a separate company which can itself be sold soon/later. Odds are that the founders weren't behind this move.
In the UK the liquidators hold the assets in a kind of trust. It is their responsibility to try and liquidate the assets to return money to the creditors.
In my case one of our founders purchased the domain name and the "good will of the company", and continued to run the company under that name as a "trading name". The actual company entity going forward was completely different.
That's a residential address, but seems to be being used as a registered office for the UK branches of a few US tech companies. e.g. Hired.com, Canvas.
Everyone is assuming that the founders sold the company data to Fly Maids, a brand-new company nobody has ever heard of before.
It's also possible one of the founders just spun up the new service themselves and copied over all of the customer records. If so, they may want to prepare to be sued by their previous investors.
It's one thing to fail after giving it the good ol' college try, but it's another entirely to strip the copper out of the walls on your way out.
Speculation aside, they should put out a statement to clarify the relationship between the companies and what's going on with their customers' data.
The site was only created in the last 3 weeks, and it was registered by someone who wanted to stay anonymous (which is, in fairness, very reasonable - Homejoy cofounder or not. Certainly not enough to draw a conclusion).
Domain registrars often include a year of "whoisguard" (namecheap's brand for it) or similar with new domain registrations. I'm never too surprised by that until it's been over a year. Or is Domains By Proxy a more significant anonymity system?
Well, according to their Privacy Policy you can just shoot them an e-mail:
> You may contact us as follows: support@flymaids.com.com
Oh wait....
[Bonus points for saying they are incorporated in Delaware who has no record of a business by that name.]
*Edit- See below, I searched the company name on the Delaware website two different ways and they certainly do not have an active registration or even a name reservation.
"In the USA/rest of the world (excluding the European Union), we are Fly Maids, Inc. (doing business as Fly Maids), a Delaware corporation with our head office at 2711 Centerville Road, Suite 400, Wilmington, New Castle County, Delaware 19808."
Trust me, it isn't there. I tried both the regular lookup and just a simple name reservation in case the paperwork hadn't gone through yet. No results for either.
Not incorporated in Delaware (as represented) nor are they qualified to do business in CA (where they are, presumably, physically located)...Probably not the company you want coordinating strangers into your home, though something tells me this is par for the SV course. You know move fast and break things, or beg forgiveness rather than ask permission. However, my advice owners/operators, they might wish to consult a lawyer to explain the basics of personal liability and benefits of corporate protections...
As part of winding down they could have sold off their data to an interested party, not different from a merger, and they further could have hired some of the old team.
If someone just copied the db and then sold or gave it on the sly, investors of former unaware, then, yes, problematic. But if it was a transaction approved by the principals of the former, unfortunately, there aren't stipulations about commutability of customer data, are there?
What's the big deal? Homejoy is just hacking startup downfunding... (/s)
I'd like to see some kind of stronger YC influence on ethics in the companies they fund. I realize that YC doesn't have any direct control over the companies, but it could be as simple as including good ethics in the traits they look for in startup founders.
A while back I started compiling a list of YC companies that spammed or otherwise behaved badly. It quickly got back-burnered by other projects, but there was AirBnB from W09, InstallMonetizer and SocialCam from W12, Zenefits from W13, Abacus and GetAirHelp from W14, Gradberry and OmniRef from W15 ... while so far it looks like the majority of YC startups are well-behaved, the trend was looking like there's a few in every batch that are willing to do shady things to meet their growth metrics.
Or, in Homejoy's case, maybe make a little more money while winding down.
YC makes it very clear they will disavow any company or founder that acts unethically. YC is strict about very few things, but this was made clear in no uncertain terms (especially by Jessica). When things go bad, YC always gets involved – even if you don't read about it online.
Don't blame YC just yet. We don't know what happened here. Maybe Homejoy went into debt, had their assets seized, and lost control (like with GigaOM). Maybe the investors approved or forced a reincorporation under another name. Maybe Handy bought the assets and is quickly trying to stem off churn. Or, yeah, maybe something unethical happened. Until we know what happened, though, it's all speculation.
Not everything legal is ethical, but in this case it seems more annoying than unethical. I hate cold outreach emails and my company doesn't send them, but concluding that YC doesn't care about being ethical because the former president of YC tweets about a company that sends cold outreach emails seems like a stretch.
You're right, I've veered some discussion away from the original topic, sorry. I wanted to focus more on YC's role in this, if any.
(As my final word on it however, Zenefits specifically was not sending "cold outreach emails", it was bona-fide spam. But, they're far from alone in this anyway, which was my main point.)
I guess we all have different views on ethics, maybe I'm just used to seeing spam and tossing it out. I find it harmless now because I'm so used to getting it...but its interesting to see how offended people get when they see unsolicited virtual mail which can be deleted with a click of a button.
I'm actually more concerned about the actual spam in my real world mailbox that USPS dumps 3 times a week, no opt-out button there.
Among my responsibilities is systems administration for hosted services for customers, including email. What is for you a minor nuisance is for me a major time-consuming headache. For instance, even with a top-of-the-line modern mail stack, including SpamAssassin and greylisting and so and so forth, enough spam was still getting through to customer inboxes that I've had to develop additional non-trivial software specifically for dealing with it.
I beat this drum occasionally because I don't want to have to pit my meager resources against the resources of someone like YCombinator who are willing to provide funding (and introductions to enormous amounts of even more funding) to companies that are OK with spamming.
And I'm not including B2B cold emails as "spam", even if they're written as a template, so long as there's an actual human behind them and they aren't being sent out en masse (for example, Locbox: https://news.ycombinator.com/item?id=4672162).
At this point I have been hearing this sorry excuse for twenty years. At least it once had the value of novelty.
Spam is illegal, so that's one good sign it might be unethical. About 90% of email is spam [1]; the reason you aren't spending all day "deleting with the click of a button" is that a lot of smart people and a lot of computing power are devoted to keeping most of that spam out of your inbox.
You should be thankful for the people who get offended about this stuff, because its only their reactions and their hard work that have kept email a usable medium.
hmm... There were some previous threads about Zenefits where pretty much everyone (customer base mostly) that came in contact with Zenefits was unhappy for one reason for other. This seems to be a bit of a trend for them. The fact a VC is happy with the company simply shows the difference in incentives between investors in a company vs outsiders.
I've seen that before, but it's essentially the opposite of disavowing isn't it? He's doing quite a bit of rationalizing and misdirecting in that post, IMO.
At the time, I remember being incredibly disappointed to see him hide behind the EULA and "This one seems a matter of opinion." That's why it came to mind immediately and I was curious if YC ever took a more respectable position in the interim.
"To maintain our community, if a founder behaves
unethically during or after YC, we will revoke their YC
founder status. This includes access to all Y Combinator
spaces, software, lists and events."
"We will stand behind you no matter how much your company
struggles, as long as you behave ethically."
Does YC officially offer any ethics training/mentoring?
It would be an interesting offering even if there isn't any weight behind it. Sometimes I think the message, "Hey, maybe we should all think about what we are doing and whether or not it is in the best interest of something besides our bottom line" isn't something that is brought up/told to a lot of founders. However, whether or not they listen is totally up to them and I am fine with that.
Well, given that the YC official stance on founders is that they should 'be a little naughty' and that they expect founds to not care 'about observing proprieties', I am not surprised that the founders would be a little shady when things aren't going well.
I'd like to see some kind of stronger YC influence on ethics in the companies they fund.
Great idea, maybe you should take that up with Paul "Morally, [the founders we want to fund] care about getting the big questions right, but not about observing proprieties. That's why I'd use the word naughty rather than evil." Graham.
I doubt that spam or cold emails are considered a major breach of ethics. We might as well start filing lawsuits against the thousands of startups that spam the crap out of my inbox everyday. To fix all of that I just have a really good spam filter.
as someone mentioned in the blog comment, Fly Maids site is a complete copy (with redesigned homepage) of another cleaning service http://www.homeaglow.com/
@johnsalzarulo out of curiosity, try if your login works on homeaglow.com
When I entered my email into homeaglow it didn't work. It said I had the wrong password. BUT when I entered in the password reset box I got a password reset email from support@flymaids.com. They are unmistakably connected somehow.
Perhaps homeaglow is just a prelaunch version of flymaids? Line maybe they were creating the brand around homeaglow, then switched at some point to flymaids and just never wound down the first site?
> In the USA/rest of the world (excluding the European Union), we are Fly Maids, Inc. (doing business as Fly Maids), a Delaware corporation with our head office at 2711 Centerville Road, Suite 400, Wilmington, New Castle County, Delaware 19808. In the European Union, we are Fly Maids Europe Limited, a company incorporated in England and Wales (registration number 8883585) with its registered office address at 14 Whittonditch Road, Ramsbury, Marlborough, Wiltshire, United Kingdom, SN8 2PY. We will refer to these companies together as "Fly Maids", "we", "us" and/or "our".
> In the USA/rest of the world (excluding the European Union), we are Homeaglow, Inc. (doing business as Homeaglow), a Delaware corporation with our head office at 2711 Centerville Road, Suite 400, Wilmington, New Castle County, Delaware 19808. In the European Union, we are Homeaglow Europe Limited, a company incorporated in England and Wales (registration number 8883585) with its registered office address at 14 Whittonditch Road, Ramsbury, Marlborough, Wiltshire, United Kingdom, SN8 2PY. We will refer to these companies together as "Homeaglow", "we", "us" and/or "our".
It also has the same address/registration number as the one in the privacy policy of http://cleanr.ca/
"a company incorporated in England and Wales (registration number 8883585) with its registered office address at 14 Whittonditch Road, Ramsbury, Marlborough, Wiltshire, United Kingdom, SN8 2PY."
Wild speculation: could they (Homejoy or whoever is liquidating them) be trying to salvage Homejoy's best markets by creating new cookie-cutter brands for each one and then trying to find a buyer?
Cleanr can't be "Homejoy Europe Limited", it could be a trading name of them, but in their terms Cleanr say:
>"These Terms of Service and any separate agreements whereby we provide you Services shall be governed by and construed in accordance with the laws of 112 Bagot St Toronto Guelph Canada m3k1v6." //
That's a pretty specific set of laws!! But it's not then the website of a UK company. FWIW in Europe legislation requires a business to have the business name and address for service on the website.
They also use a @gmail.com email address, which is low trust indicator for a business IMO.
Maidayy.com also appears to be the same - the privacy policy is almost an exact word-for-word copy of homeaglow etc, and the site design has a lot in common as well. However, it appears to have been registered as early as march?
Their privacy policy appears to be copy-pasted as well:
> we are Maidayy LLC (doing business as Maidayy), a Wisconsin company with our head office at ADDRESS, CITY, STATE USA
This is a total nitpick, but I was actually Homejoy's first engineer. I was fired after 4 days, and then they hired Dan to replace me. This has no relevance whatsoever, I just thought I'd clarify that one bit :)
Yep, also using the same Mixpanel ID and Google Analytics ID, which could be because of copying the entire thing, or because they're the same company, signs point to same company since they have assets with different company names in the same S3 bucket though!
It's not an uncommon practice to A/B test your branding, even your brand name. The other wesbite could be targeting a different market, different geography, etc.
The point is we just don't know at this point and perhaps we should refrain from doxxing the innocent until proven guilty.
Oh that's not shady at all. Assuming all this is legal (I doubt it, but hypothetically) how is this a good marketing tactic? Having all this info already stored comes off as way more creepy than convenient as evidenced by the author of the article. And yeah, I can't see this being legal in a thousand years.
> Having all this info already stored comes off as way more creepy than convenient as evidenced by the author of the article.
If you're used to thinking about this from our side of things, sure. For Random Person, they might think, "gee, this is neat! And they've already got my card number and everything!"
They probably just exported a database of credit card tokens into a PCI-compliant system (Stripe, Braintree or the like.) The motives and method are equally shitty, but at least get some solace in assuming that your credit card number is just not out in the open.
Now... how secure this transfer of tokens was, no idea. So there could be a DB dump somewhere with a token to my credit card, and anyone can use it to start charging from it. I'll keep an eye on my bills.
I don't think that rathboma was suggesting that you might get fraudulent changes on the card - but any other service that you use which currently has that card on record could now potentially be compromised by anyone who knows your name and has those 4 digits - many customer support systems only need that much to verify your identity and make changes to your account.
Doesn't matter, it's still confidential information that can be used to verify you or used to social engineer more information about you. "Hi sir, I'm calling in because I lost access to my account, I don't have my current card, but I do have the last 4 of my previous that I used on this service, will that be good enough?"
Like don't reveal unnecessary information if you don't have to. It's low effort, high risk.
>> It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account. Once supplied, Apple will issue a temporary password, and that password grants access to iCloud. <<
[Apple may have changed their policy meanwhile, but likely others did not]
Do all of the online services you use also no longer use the last four of that card for authentication purposes over the phone? For instance, you can sometimes use the last four of the card on a GoDaddy account to get a password reset over the phone.
Hrm I've never heard of this apart from automatic billing systems ability to request the new card number. Any more specific info about that? I'm interested in how this is possible.
I know that when I canceled my American Express card, they said that they would keep the account open for an X amount of time (I wanna say ~1 year), and I would be responsible for any charges during that period, and billed normally. However that was a case of canceling because I was just closing the account - not because of fraud... I assume they have different processes.
Biggest thing is that CC info still being on there. That is grossly irresponsible.
Not that I approve ripping people off, but hard to sympathize with Handy when Handy treats (treated?) its employees and workers poorly.
As for the whole transferring over of assets without any secure certs, that's pretty shady and/or lazy not doing that.
Cue someone from said company posting, "oh sorry we're not ready for public and that accidentally got sent" without mentioning why they even have the author's data or why the author's credit card data was apparently sold off.
I'm pretty sure I know what's going on. In order to pay off their debts, Homejoy must have sold user account information, including credit cards, to a bunch of local home cleaning businesses. A shit ton of them have been popping around over the past couple of years, modeled after the advice given in this subreddit: https://www.reddit.com/r/entrepreneurridealong
The difference with these local cleaning businesses is that they are developed and ran by amateurs, who often times copy each other (or the successful giants) down to the wording on the websites, with minor branding changes. They tend to be super low-budget, so Fly Maids probably paid some "web developer" $500 to develop their website and paid zero attention to security, PCI compliance, and so on. They then purchased a bunch of LA-based user accounts from the now-defunct Homejoy, who of course did not perform any due diligence.
Shitty situation to be sure. I definitely lost respect for the Homejoy founders, and will probably stay away from their next venture.
It makes sense in many cases: when, say, Verizon Wireless acquired Alltel, an Alltel customer who has automatic monthly billing set up shouldn't be required to re-set up billing with Verizon, simply because it's a new company.
It's not clear to me that the same intuition applies if the Alltel equivalent is shutting down because it was mismanaged, and the Verizon equivalent was created by one of the mismanagers and has no other assets, but it's hard for me to imagine there's a meaningful legal distinction.
Looking like they sold their customer data over to fly maids or whoever was behind them. Surprised they were able to actually transfer the CC info. When I was at a company that was selling off assets, the most we could do was give them customer email addresses. I have serious doubts about the legality of this.
I'm pretty sure them having the details Homejoy promised wouldn't be accessible is a much bigger deal, at least for me it is. If they have it, who else does?
Wow. Just wow. This is egregious. I would be incensed. I'm a 39 year old consultant that makes money from technology but I am starting to feel like I'm out of touch and old. This is not ok. If you fail, fail with class and dignity.
This site appears to be hosted on Heroku according to the DNS information.
www.flymaids.com. 3600 IN CNAME cleanerconnect.herokuapp.com.
cleanerconnect.herokuapp.com. 300 IN CNAME us-east-1-a.route.herokuapp.com.
us-east-1-a.route.herokuapp.com. 60 IN A 23.21.224.165
Would the author have a case for emailing Heroku's abuse address and asking them to look into it or would this fall outside their purview? My hypothesis is that they'd want to know if their services were being used in a fashion that was creepy (for lack of a better descriptor).
They may still be compliant and storing your credit card responsibly, I would assume they used Stripe or similar and they're only sending the last 4 digits back over standard http. If they're allowing you to add a new card, then there's an issue.
What is the full URL of the link in the email you received? You must save your login information in your browser, otherwise I assume you would have questioned how you logged into the site at all.
It could be a phishing scheme that attacked your saved login information then placed that on a dummy site in hopes that you may provide even more data.
EDIT: They could have sold / transferred user data... but I don't know how they would automatically authenticate you without using some previously stored data that you, maybe unknowingly, gave them access to.
One of the comments on the article itself mentioned css being served seemingly from www.homeaglow.com, which was weird to me. So I did some investigating. Looking at the DNS of both flymaids.com and homeaglow.com, they both point to separate IPs (184.168.221.1 and 184.168.221.13 respectively), but have an additional CNAME to http://cleanerconnect.herokuapp.com.
Looking at the error on the heroku page directly, and comparing everything from the license info, help console, website copy, it seems that they are all the same company, operating under different brandings.
The privacy agreements are what really get me though. Looks like they are identical, except the brand names:
And the two domains/common backend makes sense, if it is really just a CNAME you could detect what URL the user hits and plug in a few variables. The different IP addresses on the A record are what confuse me, but I don't know much about DNS configuration.
But yes, it seems that flymaids and homeaglow are the same company. And I don't think it's a stretch that homejoy was among those as well.
I'm surprised that BusinessInsider still doesn't have an article about this. Shame on you Business Insider! It's already been an hour! I expect a headline "How Homejoy came back from grave to haunt us"
"Homejoy, the dead cleaning startup that shuttered its doors in August, has apparently awoken from the grave to email its customers about a new partner" ==> I was so close!
The fact that I can still log in is scaring me, I never signed up for this and nor did I even get an email. My credit card details which are valid are still present.
I find it hard to believe this information was sold and if it was, were they storing credit card info in plain string format. Wouldn't each of those businesses need an encryption key to decrypt secure card numbers. Wonder if they sold that too. Either way props to John for posting this on Medium and of course Aloke on HN.
Third party processors will store the card info securely and then provide only parts of it back to you via an API call. Stripe's API includes the last 4 and expiration date, as you can see here[1], so Fly Maids may not have all of that data.
My old Homejoy login doesn't work on that site, and doing "forgot your password" gives an error of "user does not exist" for the email I used with Homejoy.
They're probably not porting over accounts by default, but rather waiting for users to express interest by clicking the link in the marketing email.
From the original post:
> Worst still, as I navigated around the site I realized the email link I clicked logged me into “My Account”. This screen had lots of my personal information, home address, email, even my credit card number.
So hold on... If we can work out how they encoded those activation URLs, or someone intercepts the email then they can get full access to anyone's account?
I have zero sympathy for HomeJoy. They failed, which is something I can gave sympathy for. But they sold all their customer's private data without notifying them of this fact, and caused major security concerns in the process!
We don't actually know what happened here. It could have been just one founder doing something shady; it could have been a hack; it could be something we can't imagine yet.
Let's not break out the pitchforks until we know who to point them at.
Actually, I'm breaking out the pitchforks. One of the requirements for PCI compliance is that you do NOT hold credit card data for any longer than absolutely required. Given HomeJoy was not doing any more billing of credit cards, these should have been removed from their system.
Their robots.txt [1] prevented archive.org's Wayback machine from crawling their Privacy Policy at https://www.homejoy.com/privacy
I would have assumed that I'd be notified if sensitive information on Homejoy was sold to a third-party or "partner", but I should have probably read their privacy policy more closely when the shutdown notice came out.
I read this whole page of comments (when it was at 105) and gk1's comment is the only one that comes even close to what I'd like to see here:
> You're underestimating how far people are willing to go to appear legit. Showing logos of companies who aren't your clients -- or of publications that never mentioned you -- is common. They know most people won't check to verify.
...Along those lines: has anybody considered the possibility that the whole thing is an elaborate phishing site?
Here's an avenue for investigation which seems to be unexplored here: has Flymaids hired any maids, or contracted with them, or however that works?
I am actually finding this intriguing and genuinely curious to know what is going on. One of the cofounders was a panelist at an event just one month before they announced their closure speaking about their growth and it didn't seem like anything was wrong (its on YouTube) so im curious to know what's up.
It must have been heavily flagged. It's been lower than it should have been from the start. Admittedly the title of the submission isn't great so - if I'm being charitable - it's because users flagged based on title only.
Yes. Right now this submission is 15 hours old, in position 25 with 1065 points and 313 comments. In position 24 is a submission from 15 hours ago with 131 points and 22 comments (https://news.ycombinator.com/item?id=10466678). In position 19 is a submission from 14 hours ago with 153 points and 70 comments (https://news.ycombinator.com/item?id=10467190). So it's not just because of exponential submission decay nor because of flamewar filtering.
Last evening GMT this submission was in fourth place when by points/comments/age it should have been first.
User flagging is the most charitable interpretation.
edit: now at position 54, 1078 points, 315 comments, 16 hours ago. At position 53 is a story from 17 hours ago, 69 points, 13 comments (https://news.ycombinator.com/item?id=10466419)
Looks like the domain was registered on Oct 8th and I can't find "Fly Maids" or similar names on the Delaware Division of Corporations. (Maybe it takes longer for it to show up?)
My point is: in any of the above cases it could be nearly impossible to figure out who is actually running this website. And failing to find a result in the Delaware Division of Corporations website really doesn't tell you much of anything.
And, as a relevant tangent: If you are really interested in finding out who owns/runs that website you could always sue Fly Maids. GoDaddy explicitly states in their Ts and Cs that they will give up owner information if there is a lawsuit brought against the owner...
As mentioned above, they don't exist or are lying. Likely the former. Their privacy page claims to give you exactly what to search for:
> In the USA/rest of the world (excluding the European Union), we are Fly Maids, Inc. (doing business as Fly Maids), a Delaware corporation with our head office at 2711 Centerville Road, Suite 400, Wilmington, New Castle County, Delaware 19808.
Looks like some big mistakes might have been made by the people over at FlyMaids. Despite all this I hope there are people close who are looking out for their wellbeing, and helping them fix the situation.
Strange, I had an account with Homejoy, yet I just tried to log into Fly Maids and it failed with no account. Furthermore, I tried using forgot password, and it leaked that no account exists with my e-mail.
That's a bit brazen to make those claims on the site. They can get into trouble for that and also ruin their own reputation. So I am thinking the site is a little joke? When you click on help and go to FAQs, it labels questions as "HOT".
You're underestimating how far people are willing to go to appear legit. Showing logos of companies who aren't your clients -- or of publications that never mentioned you -- is common. They know most people won't check to verify.
User of private data is really concerning. How easy someone can take liberty of using the private data for a ride :( When I read the post about someone go crazy to protect their data and communication, I feel they need to have little faith in fellow people. But this kind of instance move my confidence and make me think that we are racing against time and we will see more and more kind of this situations.
Really surprised to see this story, get so many votes. Yes, this guy did not act very properly, and seems like its a desperate act to salvage an old business. Admittedly the copying of UI CSS from a competitor was a clear wrong, but all the others passing on data, kind of like a grey area, Ok its wrong if I have to choose one option. But what the heck, cut him some slack, he has posted immediately with his real name. What do you want, shame him into killing himself? The insensitivity is simply shocking to me. You have acted as a lynch mob today (hiding behind the technicalities), I am sorry to say that.
I wish people wouldn't jump to conclusions with out all the facts. We don't know who bought what. Google has some of the team. Handy was in talks to by homejoy. who knows who else is involved. if handy bought the data they would have a right to their own copy.
I think it goes without saying that there is nothing remotely legitimate happening here. The fact that Aaron posted this comment and expected anybody to believe it is remarkable.
That being said, I spent 5 minutes researching Aaron Cheung and I was astonished by what I found. He has a Twitter account, but has posted exactly 0 times [1]. He has an HN account, but has posted exactly 0 times [2], and only commented twice (including today). He graduated from MIT in 2009 and this has seemingly been the only real job he's had for the past 5 years [3].
I think, from this perspective, I understand why Aaron is doing what he's doing. It doesn't make it right, not even close, but this person has lived and breathed the home cleaning space for his entire professional career. He may not have the slightest idea what else he could possibly do instead.
Edit: I'm certainly not claiming that people who are inactive on social media are bad people. But given the complete picture of what has been reported in the media, what was revealed today and the tone-deafness of his comment, I personally think this lack of engagement is part of the explanation.
What does it matter whether he twittered or hacker newsered? What a weird thing to bring up.
More importantly, this is gratuitously personal. Stalking expeditions are not welcome on Hacker News, whatever one's opinion of the story at hand. Please don't do this on this site.
>More importantly, this is gratuitously personal. Stalking expeditions are not welcome on Hacker News, whatever one's opinion of the story at hand. Please don't do this on this site.
I agree with your point that they are weird things to bring up, but how is that "stalking"? It's looking at 3 very public profile pages, which requires almost no effort to look at. Unless you've edited the post to remove information, that seems entirely benign. There's absolutely 0 expectation of privacy with those pages, and almost by definition were created to allow access for the general public to that information.
I meant it metaphorically, but yes I'm sure there are better ways of putting it.
Sure, it's public data, but so are lots of things. When you search them out and compile them, you create something different than the scattered pieces. To do that and use it to attack somebody, or insinuate about them personally, crosses a line we shouldn't cross here.
I suspect crabasa meant no harm, was just being curious and participating in the discussion, but in these cases the group dynamic tends quickly to get a lot uglier than the sum of our individual motives.
That was my first thought. Company facing impending doom? Do a runner with the assets, wait for the dust to settle, and try again with a different name and logo.
But that's something the CEO did instead. In many ways, Adora represented the Homejoy brand, and if people saw other founders they wouldn't get as much attention. It made sense for them to have one person be the voice.
Not everyone that's a founder has to be in front of people (literally or virtually).
> He graduated from MIT in 2009 ... he may not have the slightest idea what else he could possibly do instead.
There's endless ways we could speculate about why he's doing what he's doing, but is being six years out of school one of them?
He spent "his entire professional career" (5 years!!!) in home cleaning. And before that it looks like he spent four years at MIT majoring in chemical engineering.
No offence, but don't become a detective, and decline any jury service. A lot of people use pseudonyms.
There's a multitude of good reasons why this poster didn't want to use his real name. In all honestly, if I was hiring, or deciding to do business with an individual, if they used their real name, and had a plethora of comments on Twitter; I don't think I would hire, nor trust that individual with information.
(To the HN community. Does HN offer a way to delete comments? I just assumed they did? Maybe they don't? I do know I can delete briefly after I make a comment, but that privilege dies pretty quick. Why?)
I don't think his comment was "tone deaf" as much as it was trying to change the tone of the conversation.
It looks to me as though Homejoy & Fly Maids have done a terrible job of communicating this, but it seems legitimate to me. When companies get acquired, customers have always come along for the ride. In fact, that's often the main thing that companies get acquired for. Facebook could've built a Whatsapp clone, but the billions of dollars of value was the user base. In this case, it's a bit less usual since just the customer data has been acquired.
Let's not go overboard. Hopefully, they learn from this an stop letting in "useless" Facebook for X startups. Or at least have a more rigorous interview process.
We recently acquired the customer and service provider data from Homejoy.
We're a small team that has been focused on moving quickly while bootstraping. We tried to quickly test different approaches, but we realize now that we did so in an unclear manner. We recognize the need to use the data we acquired responsibily. As a result, we're taking the site down, and we're going to do a better job with our testing moving forward.