Yo Hacked, Hires Hacker


The ultra-simple "zero character communication" app Yo, which only allows users to send the word "Yo" to each other, was hacked last week by three Georgia Tech students -- and the company has responded by hiring one of them.

As one of the unidentified students explained to TechCrunch at the time, "We can get any Yo user’s phone number (I actually texted the founder, and he called me back.) We can spoof Yos from any users, and we can spam any user with as many Yos as we want. We could also send any Yo user a push notification with any text we want (though we decided not to do that.)”

In a blog post, company founder Or Arbel wrote, "Thursday night [I] received a text message from an unknown number, asking 'Is this the founder of Yo?' I responded Yes and immediately got blasted by Yos, followed by an alert that popped in my app saying YoBeenHacked."

Arbel called the number from the text message and spoke with the hacker, who helpfully provided him with details of the vulnerability. "The issue that followed was that our database had an open access from the app itself, a fact that allowed any malicious party to read the user information. Once we learned about this issue [we] assembled a team of engineers with the hosting company, and began solving it."

Still, Arbel wrote, the breach has highlighted the app's simplicity -- the app doesn't store any information other than your Yo username, so the impact of the breach was extremely limited. If a user leveraged the optional "Find Friends" feature, their phone number would have been exposed as well.

Once the issue was resolved on June 20, 2014, the company checked with the hackers to verify that the problems had been fixed. "One of them is actually now working with us on improving Yo experience in other aspects as well," Arbel added.

What happened to Yo, Arbel noted, was pretty simple. "Yo started as a weekend project and exploded a little too soon," he wrote. "We were just finishing up re-writing the infrastructure in a proper and secure way, as suitable for production grade apps, when it suddenly blew up and went viral."

So is a breach like this a death knell for a startup that just raised $1 million, or is it the best publicity the company could have gotten?

Forbes' Gene Marks suggests it's bad news. As the members of his family began receiving dozens of unsolicited "Yos" from fake users, he writes, the application quickly became an annoyance and got deleted -- and he expects that the same thing happened in thousands of households worldwide.

On the other hand, as the Guardian notes, the app has exploded in popularity since the breach. It's now the ninth most popular free app on iTunes, and Arbel reported than 4 million Yos were sent as of June 19.

In this case, it seems, there's no such thing as bad publicity.