BLASTCHAT UPDATE: SECURITY MATTERS!
Quick recap on how we got here:
In 2014, I had just ended a startup called Jooke with some friends from China. They were all Android developers and I felt bad knowing that I couldn’t code so I start teaching myself how to develop in Xcode. We eventually called it quits after a few months but during that time I had discovered the messaging app WeChat. It was our main source of communication between the team. A few weeks after we stopped working on Jooke I woke up one Saturday morning with a desire to play tennis. So I went to Facebook and Twitter to see if anyone at Dartmouth wanted to play. No one replied to my tweets and post. That’s when I came across the startling statistic from Buffer which suggested that less than 3% of post and tweets are seen on average on both Facebook and Twitter. Then I thought; what if I could create an app that could blast out one message to groups of people, they all would receive silent push notifications and when they reply, they would chat with me and me only. Think BCC on email but for mobile. I came up with the name Blastchat. Using Apple’s native API’s I built the first version of Blastchat. You could send one line of text (20 characters) to members of your contact list who had the app via push notification and when they reply, they would reply to the sender only via iMessage. So the conversation would start in Blastchat and continue individually in Apple’s native text messaging app. And since then I’ve been obsessed with building WeChat for the West. And today 65% of messages are seen on Blastchat in comparison to 3% on Facebook and Twitter. And we truly believe that we can get this number higher.
Back then I had 10 friends using the app and they all requested new features but my only resources for learning were Youtube and several banned Stack Overflow accounts. So one day I went to Instagram and took a picture of my code using the hashtag #programmingproblems. Nitin Gohel, all the way in India replied; “Don’t worry bro. It’s going to be ok.” I direct messaged him and that’s when I started a friendship with one of the closest people in my life. The next day we spoke on Skype for 4 hours. The next week I was paying him $40 a week to tutor me in Objective C and Xcode. Then I realized the one thing I hated more than programming was learning how to program so I asked him if I could pay him to build new features and fix bugs whenever I got some money. With this freedom I spent the next four years of my life begging users to try the app and give me feedback. Today Nitin is the person I speak to the most in my life.
I was a product guy pretending to be a developer and Nitin and his best friend Hardik were iOS and Android developers. None of us had no idea about backend development. Then luck struck when Facebook was giving out $5,000 credits to Parse. We applied and we launched Blastchat to the public. You can check us out here on Product Hunt: https://www.producthunt.com/posts/blastchat
We used Parse for a while before Facebook announced that they were shutting it down. We then needed a new backend so I found someone to build us a quick one for cheap and we hosted it in India at Nitin’s house. This gave me time to continue to build, test and learn. Then we got lucky again when we were rewarded $5,000 in AWS credit (which expires in November). But again we needed to find someone to build our backend for AWS. Unfortunately, I was so obsessed with the product and talking to users I didn’t pay any attention to how the backend was built nor did I understand any rules of building a backend. Although, I had one rule. I didn’t want to behave like this:
As many of you know by now, we were recently selected into the developer program ran by the Kin Foundation. And a couple of days ago we received a message from one of our cohort members from the Kinnytips team saying that there were flaws in our server. He told me that he had hacked into our server and he had access to our users data. He then started using words I had never heard before. He told us he was reporting us to the Kin Foundation and that he was writing an article about us. My gut went missing. I was so scared and I panicked. I immediately went to AWS and terminated our only instance. Then I went to Apple and Google Play and took both apps down. I’ve spent the last four years building this product and it seemed like it was all over. At the time we had about 1,700 users and what’s more impressive than that is the fact that 60% of them were active monthly and they were opening the app 14 times a day on average. These numbers are higher than Facebook, Instagram, and Twitter. We have built one of the most complex and efficient push notification systems online. And we created one of the most effective, efficient, and authentic ways to communicate in the history of this world. And it was all over because I didn’t pay attention to how our backend was set up. It was all my fault and users started emailing, texting, and calling me asking me what happened and all I could say was “we were hacked but the good news is that all of your data is officially gone and deleted from our servers forever” (because I terminated our only instance). Our community was so strong that one of our users in North Carolina started a group chat with 20 other members from Blastchat to give us updates on the hurricane that is passing through her area. I received the latest update just 2 minutes ago. This could have been such an easier process for her if Blastchat were still up and running. And this was all my fault. It sucks because we built Blastchat to eliminate weird group chats like this where 20 different people, in one group chat, may not know each other.
Eager to learn what had happened I spent most of my day at Amazon where I learned where we went wrong.
Here is the architecture that we had which was hacked:
We have learned that this architecture is wrong and we are in the process of updating our backend and will be ready to present at demo day on October 15.
As we prepare to implement KIN into our app, we have decided to offer much of the 25 Million Kin we will received from the KIN Foundation to anyone who can help us do two things:
- Keep Blastchat secure. We are mainly looking for advisors.
- Help us reach our milestone of 10,000 monthly active wallets.
Our current team is comprised of people from New York, North Carolina, India, Uruguay, and Chicago. So it doesn’t matter where you are from or what your sexual orientation, race, or personal background is. Our company motto is “Yes, diversity exists!”. The only thing we require is that you truly believe we can create the most effective, efficient and authentic communication platform in human history! As far as your data is concerned everything has been deleted and we are starting fresh with zero users on October 2nd. The only evidence we have that someone has your data is members of the Kinnytips team who sent us screenshots of someone’s data from the KIN team. We since spoke to that person on the KIN team and got everything handled. Sorry for this inconvenience and we will be be better!
Also, I hope many of us can stay focused on what the larger picture is. We are currently in the 1st inning of a potential 9th or even 16th inning game. This is going to be a slugfest and I think we are better together than we are separate. So thanks to the many people who have reached out offering support during these troubling times. It really meant a ton and it kept us in high spirits! As we and the KIN Foundation try to literally change the world, there may be many bumps in the road because there is no playbook on how to do any of this. We are all learning as we go.
Also, a special shout out to Aaron from the Amazon team. Before I even showed him the article he had said it had appeared on one of his social feeds and he had read it. So he was eager to help us and we learned a ton! Those are some great people at Amazon!
If there is anyone interested in joining the Blastchat team or helping us with our infrastructure or growth you can reach me at: email@example.com. Also, send us your email so we can alert you when we release.
And to be alerted when we launch our next update with the KIN token implemented follow us on Twitter: @joinblastchat
Lastly, here is a lesson to all young startups out there. Pay attention to security earlier in your development days even when your resources are limited. You never know who is looking at your data. Let this be a lesson for you all!
Jhamar from Blastchat!