Yo Founder: We Were Lucky To Get Hacked (And Everything Is Fixed Now)

The symbol for the element Yo-inium?

The makers of one-word messaging app Yo are sounding the all-clear after reports last week that the app could easily be hacked, leaving users’ phone numbers at risk. But also? That whole thing was a good thing, the founder explains.

The app only recently launched and hit that point of saturation where everyone is yakking about something for at least 48 hours straight, so the news that it’d been hacked spread quickly. By June 22, it had 1 million users. And it was all for the best, founder Or Arbel wrote on Medium on Saturday (via the WSJ blog Digits).

“We were lucky enough to get hacked at an early stage and the issue has been fixed,” he explained, because the whole thing shows how Yo is super simple and there’s basically nothing to be hacked, anyway.

“When you join it doesn’t ask you for your email, full name, Facebook account, or any other piece of personal information. The only identity within the Yo app is your username,” he adds.

The one exception — if users opt in to the “find friends” feature, which uses phone numbers to connect you to your real life pals.

So if you don’t use that feature, your username was the only thing that was compromised, he says. And your list of contacts is also safe, because those aren’t saved or stored by Yo.

But if you have used that feature — “your phone number was exposed together with your Yo username (again, not with your full name, not with your email, only a Yo username and a phone number).”

There’s also some more information about what exactly happened, with Arbel outlining the timeline of last week’s hack: He got a text message asking if he was the founder of Yo, to which he replied yes — even though it was an unknown number. Red flag, it would seem. That triggered a blast of Yos and an alert saying “YoBeenHacked” in his app.

“We logged on to our back-end and immediately started investigating. Our initial findings were on the spoofed Yos and showing the custom alert,” Arbel writes. “We instantly closed these holes, but there was another issue to follow.”

Then he actually called the texter’s number, spoke to the hacker and had a productive conversation, complete with emailed details of the attack.

Georgia Tech students had claimed last week to have hacked Yo, not to do harm but simply to show that it could be done.

Yo and the hackers worked things out eventually, resolving the issue on Friday and verifying with the hackers that everything was righty tighty.

“One of them is actually now working with us on improving Yo experience in other aspects as well,” he adds.

He admits that things might’ve gone a bit too fast in the early stages, but heck, don’t we all move too fast, too soon in life? Tell it like it is.

“Yo started as a weekend project and exploded a little too soon,” he confesses. “We were just finishing up re-writing the infrastructure in a proper and secure way, as suitable for production grade apps, when it suddenly blew up and went viral.”

So annoying when you go viral too soon. So annoying.

Anyway, Arbel is really sorry this had to happen.

“We take your privacy very seriously, we apologize from the bottom of our hearts, and if you have any more questions regarding these issues you can contact me directly: or@justyo.co.”

We were lucky enough to get hacked [@YoApp on Medium]