We were lucky enough to get hacked at an early stage and the issue has been fixed.
We are also lucky because this hack and security breach is really highlighting what Yo is, and what we are all about.
What do I mean? Well…
The object of the app is to be simple. When you join it doesn’t ask you for your email, full name, Facebook account, or any other piece of personal information. The only identity within the Yo app is your username. We don’t want or need any other personal information. We want you to be able to give out your Yo username to anyone or any service without being afraid of suddenly getting a spammy email or a text message.
The FIND FRIENDS feature -
If you haven’t used the FIND FRIENDS feature, the only piece of information that was leaked was your Yo username.
The optional feature of FIND FRIENDS uses your phone number to let you know who of your friends are using Yo. I want to make it clear that your contacts (from your phone’s address book) are never stored in the database, and were never leaked because we simply don’t store them.
If you have used the “FIND FRIENDS” feature (before the breach was fixed), your phone number was exposed together with your Yo username (again, not with your full name, not with your email, only a Yo username and a phone number).
So, what really happened?
Thursday night I’ve received a text message from an unknown number, asking “Is this the founder of Yo?”
I responded Yes and immediately got blasted by Yos, followed by an alert that popped in my app saying YoBeenHacked.
We logged on to our back-end and immediately started investigating. Our initial findings were on the spoofed Yos and showing the custom alert. We instantly closed these holes, but there was another issue to follow. I’ve called the number from the text message and spoke with the hacker, which was actually helpful and emailed me with the details of the attack.
The issue that followed was that our database had an open access from the app itself, a fact that allowed any malicious party to read the user information.
Once we learned about this issue we’ve assembled a team of engineers with the hosting company, and began solving it. Once the issue was resolved (yesterday noon), we contacted the hackers and verified verified that the problems had been fixed. One of them is actually now working with us on improving Yo experience in other aspects as well.
Yo started as a weekend project and exploded a little too soon. We were just finishing up re-writing the infrastructure in a proper and secure way, as suitable for production grade apps, when it suddenly blew up and went viral.
Yo is a simple app - your privacy isn’t. We take your privacy very seriously, we apologize from the bottom of our hearts, and if you have any more questions regarding these issues you can contact me directly: firstname.lastname@example.org