I'm one of the founders of Homejoy. I'm still very passionate about the home service space. After leaving Homejoy, I started FlyMaids, where we're exploring a few different angles on the space.<p>We recently acquired the customer and service provider data from Homejoy.<p>We're a small team that has been focused on moving quickly while bootstrapping. We tried to quickly test different approaches, but we realize now that we did so in an unclear manner. We recognize the need to use the data we acquired responsibly. As a result, we're taking the site down, and we're going to do a better job with our testing moving forward.
Digging into trademarks, incorporations and S-1's is a weird little obsession of mine.<p>That said, my initial findings are that Flymaids is directly related to Homejoy. Under Privacy link of Flymaids it states "In the European Union, we are Fly Maids Europe Limited, a company incorporated in England and Wales (registration number 8883585) with its registered office address at 14 Whittonditch Road, Ramsbury, Marlborough, Wiltshire, United Kingdom, SN8 2PY."<p>If you look up the registration number at Wales Companies House, it shows owner as "HOMEJOY EUROPE LIMITED"<p><a href="https://beta.companieshouse.gov.uk/company/08883585" rel="nofollow">https://beta.companieshouse.gov.uk/company/08883585</a><p>FWIW, they changed their registered address on 8/7/15, ten days short of their announcing to cease operations: <a href="http://bit.ly/1kbHtyJ" rel="nofollow">http://bit.ly/1kbHtyJ</a>
Everyone is assuming that the founders sold the company data to Fly Maids, a brand-new company nobody has ever heard of before.<p>It's also possible one of the founders just spun up the new service themselves and copied over all of the customer records. If so, they may want to prepare to be sued by their previous investors.<p>It's one thing to fail after giving it the good ol' college try, but it's another entirely to strip the copper out of the walls on your way out.<p>Speculation aside, they should put out a statement to clarify the relationship between the companies and what's going on with their customers' data.
What's the big deal? Homejoy is just hacking startup downfunding... (/s)<p>I'd like to see some kind of stronger YC influence on ethics in the companies they fund. I realize that YC doesn't have any direct control over the companies, but it could be as simple as including good ethics in the traits they look for in startup founders.<p>A while back I started compiling a list of YC companies that spammed or otherwise behaved badly. It quickly got back-burnered by other projects, but there was AirBnB from W09, InstallMonetizer and SocialCam from W12, Zenefits from W13, Abacus and GetAirHelp from W14, Gradberry and OmniRef from W15 ... while so far it looks like the majority of YC startups are well-behaved, the trend was looking like there's a few in every batch that are willing to do shady things to meet their growth metrics.<p>Or, in Homejoy's case, maybe make a little more money while winding down.
as someone mentioned in the blog comment, Fly Maids site is a complete copy (with redesigned homepage) of another cleaning service <a href="http://www.homeaglow.com/" rel="nofollow">http://www.homeaglow.com/</a><p>@johnsalzarulo out of curiosity, try if your login works on homeaglow.com<p>f.e.: both logos are served from the same S3 bucket:
<a href="https://s3q1w2e3.s3.amazonaws.com/brands/logos/fly_maids.png" rel="nofollow">https://s3q1w2e3.s3.amazonaws.com/brands/logos/fly_maids.png</a>
<a href="https://s3q1w2e3.s3.amazonaws.com/brands/logos/homeaglow.png" rel="nofollow">https://s3q1w2e3.s3.amazonaws.com/brands/logos/homeaglow.png</a>
Oh that's not shady at all. Assuming all this is legal (I doubt it, but hypothetically) how is this a good marketing tactic? Having all this info already stored comes off as way more creepy than convenient as evidenced by the author of the article. And yeah, I can't see this being legal in a thousand years.
From what I gather from the other comments, it looks like most likely Homejoy's liquidator (Nortonsgroup) has sold Homejoy's user data to Homeaglow.<p>Homeaglow copied and rebranded their own tech as Fly Maids to service this user list.
Biggest thing is that CC info still being on there. That is grossly irresponsible.<p>Not that I approve ripping people off, but hard to sympathize with Handy when Handy treats (treated?) its employees and workers poorly.<p>As for the whole transferring over of assets without any secure certs, that's pretty shady and/or lazy not doing that.<p>Cue someone from said company posting, "oh sorry we're not ready for public and that accidentally got sent" without mentioning why they even have the author's data or why the author's credit card data was apparently sold off.
I'm pretty sure I know what's going on. In order to pay off their debts, Homejoy must have sold user account information, including credit cards, to a bunch of local home cleaning businesses. A shit ton of them have been popping around over the past couple of years, modeled after the advice given in this subreddit: <a href="https://www.reddit.com/r/entrepreneurridealong" rel="nofollow">https://www.reddit.com/r/entrepreneurridealong</a><p>The difference with these local cleaning businesses is that they are developed and run by amateurs, who oftentimes copy each other (or the successful giants) down to the wording on the websites, with minor branding changes. They tend to be super low-budget, so Fly Maids probably paid some "web developer" $500 to develop their website and paid zero attention to security, PCI compliance, and so on. They then purchased a bunch of LA-based user accounts from the now-defunct Homejoy, who of course did not perform any due diligence.<p>Shitty situation to be sure. I definitely lost respect for the Homejoy founders, and will probably stay away from their next venture.
Looking like they sold their customer data over to fly maids or whoever was behind them. Surprised they were able to actually transfer the CC info. When I was at a company that was selling off assets, the most we could do was give them customer email addresses. I have serious doubts about the legality of this.
Wow. Just wow. This is egregious. I would be incensed. I'm a 39 year old consultant that makes money from technology but I am starting to feel like I'm out of touch and old. This is not ok. If you fail, fail with class and dignity.
This site appears to be hosted on Heroku according to the DNS information.<p><pre><code> www.flymaids.com. 3600 IN CNAME cleanerconnect.herokuapp.com.
cleanerconnect.herokuapp.com. 300 IN CNAME us-east-1-a.route.herokuapp.com.
us-east-1-a.route.herokuapp.com. 60 IN A 23.21.224.165
</code></pre>
Would the author have a case for emailing Heroku's abuse address and asking them to look into it or would this fall outside their purview? My hypothesis is that they'd want to know if their services were being used in a fashion that was creepy (for lack of a better descriptor).
They may still be compliant and storing your credit card responsibly, I would assume they used Stripe or similar and they're only sending the last 4 digits back over standard http. If they're allowing you to add a new card, then there's an issue.
What is the full URL of the link in the email you received? You must save your login information in your browser, otherwise I assume you would have questioned how you logged into the site at all.<p>It could be a phishing scheme that attacked your saved login information then placed that on a dummy site in hopes that you may provide even more data.<p>EDIT: They could have sold / transferred user data... but I don't know how they would automatically authenticate you without using some previously stored data that you, maybe unknowingly, gave them access to.
One of the comments on the article itself mentioned CSS being served seemingly from www.homeaglow.com, which was weird to me. So I did some investigating. Looking at the DNS of both flymaids.com and homeaglow.com, they both point to separate IPs (184.168.221.1 and 184.168.221.13 respectively), but have an additional CNAME to <a href="http://cleanerconnect.herokuapp.com" rel="nofollow">http://cleanerconnect.herokuapp.com</a>.<p>Looking at the error on the Heroku page directly, and comparing everything from the license info, help console, website copy, it seems that they are all the same company, operating under different brandings.<p>The privacy agreements are what really get me though. Looks like they are identical, except the brand names:<p><a href="http://www.homeaglow.com/privacy" rel="nofollow">http://www.homeaglow.com/privacy</a><p><a href="http://www.flymaids.com/privacy" rel="nofollow">http://www.flymaids.com/privacy</a><p>And if you go to <a href="http://cleanerconnect.herokuapp.com" rel="nofollow">http://cleanerconnect.herokuapp.com</a> and inspect the broken icon, you get "<a href="https://s3q1w2e3.s3.amazonaws.com/brands/logos/" rel="nofollow">https://s3q1w2e3.s3.amazonaws.com/brands/logos/</a>".
Looking at the two sites' logos gets you the same URL, with an actual filename:<p><a href="https://s3q1w2e3.s3.amazonaws.com/brands/logos/fly_maids.png" rel="nofollow">https://s3q1w2e3.s3.amazonaws.com/brands/logos/fly_maids.png</a><p><a href="https://s3q1w2e3.s3.amazonaws.com/brands/logos/homeaglow.png" rel="nofollow">https://s3q1w2e3.s3.amazonaws.com/brands/logos/homeaglow.png</a><p>And the two domains/common backend makes sense, if it is really just a CNAME you could detect what URL the user hits and plug in a few variables. The different IP addresses on the A record are what confuse me, but I don't know much about DNS configuration.<p>But yes, it seems that flymaids and homeaglow are the same company. And I don't think it's a stretch that homejoy was among those as well.
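An added example (not written by any commenter in this thread) of the correlation the comment above does by hand: group sites by the off-site CNAME target their hosts resolve through and by the host that serves their logo. The `www.homeaglow.com` record and the TTLs on the apex A records are constructed to match the comment's description; the function names are hypothetical.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample input: the www.flymaids.com chain is the dig output quoted
# in the thread; the www.homeaglow.com line and apex TTLs are assumptions.
DNS_ANSWERS = """\
www.flymaids.com. 3600 IN CNAME cleanerconnect.herokuapp.com.
www.homeaglow.com. 3600 IN CNAME cleanerconnect.herokuapp.com.
cleanerconnect.herokuapp.com. 300 IN CNAME us-east-1-a.route.herokuapp.com.
us-east-1-a.route.herokuapp.com. 60 IN A 23.21.224.165
flymaids.com. 3600 IN A 184.168.221.1
homeaglow.com. 3600 IN A 184.168.221.13
"""

# Logo URLs as quoted in the thread, keyed by the site that embeds them.
ASSETS = {
    "flymaids.com": "https://s3q1w2e3.s3.amazonaws.com/brands/logos/fly_maids.png",
    "homeaglow.com": "https://s3q1w2e3.s3.amazonaws.com/brands/logos/homeaglow.png",
}

def parse_answers(text):
    """Return {owner: [(rtype, value), ...]} from dig-style answer lines."""
    records = defaultdict(list)
    for parts in map(str.split, text.splitlines()):
        if len(parts) == 5 and parts[2] == "IN":  # skip blank or malformed lines
            records[parts[0].rstrip(".").lower()].append(
                (parts[3], parts[4].rstrip(".").lower()))
    return records

def cname_chain(name, records, limit=8):
    """Follow CNAMEs starting at name; limit guards against loops."""
    chain = []
    for _ in range(limit):
        nxt = [v for t, v in records.get(name, []) if t == "CNAME"]
        if not nxt:
            break
        name = nxt[0]
        chain.append(name)
    return chain

def site_of(host):
    """Naive registrable domain: last two labels (fine for .com, not .co.uk)."""
    return ".".join(host.split(".")[-2:])

def shared_indicators(dns_text, assets):
    """Map each backend indicator to the sites using it; keep only shared ones."""
    records = parse_answers(dns_text)
    seen = defaultdict(set)
    for host in records:
        chain = cname_chain(host, records)
        if chain and site_of(host) != site_of(chain[0]):  # CNAME leaves the site
            seen["cname:" + chain[0]].add(site_of(host))
    for site, url in assets.items():
        seen["asset-host:" + urlparse(url).hostname].add(site)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}
```

The differing apex A records never appear in the result, so only the common Heroku app and the common logo host tie the two brands together.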
I'm surprised that BusinessInsider still doesn't have an article about this. Shame on you Business Insider! It's already been an hour! I expect a headline "How Homejoy came back from grave to haunt us"
Whoever is responsible for this should be blacklisted from receiving funding in the future.<p>This is a really scummy move, and the person behind it should be publicly humiliated so that they understand the error of their ways.
The fact that I can still log in is scaring me; I never signed up for this, nor did I even get an email. My credit card details, which are valid, are still present.<p>I find it hard to believe this information was sold, and if it was, were they storing credit card info in plain string format? Wouldn't each of those businesses need an encryption key to decrypt secure card numbers? Wonder if they sold that too. Either way props to John for posting this on Medium and of course Aloke on HN.
The business number referenced on the privacy page is registered to "HOMEJOY EUROPE LIMITED"<p><a href="https://beta.companieshouse.gov.uk/company/08883585" rel="nofollow">https://beta.companieshouse.gov.uk/company/08883585</a>
I tried to book an appointment with a bogus email and got a 500.<p>The logo image was broken and I noticed an interesting path when viewing its `src` attribute:<p><pre><code> https://s3q1w2e3.s3.amazonaws.com/brands/logos/
</code></pre>
I wonder if this is a template theme or perhaps some sort of parent company that has many brands.
My old Homejoy login doesn't work on that site, and doing "forgot your password" gives an error of "user does not exist" for the email I used with Homejoy.
So, it looks like there are 3 distinct yet related sites that we have been able to dig up.<p><a href="http://www.flymaids.com/" rel="nofollow">http://www.flymaids.com/</a>
<a href="http://cleanr.ca/" rel="nofollow">http://cleanr.ca/</a>
<a href="http://www.homeaglow.com/" rel="nofollow">http://www.homeaglow.com/</a><p>My hunch is that there are more. They all seem to share a lot in common.<p>Credit for digging these up:
<a href="https://medium.com/@bradbatt/their-css-references-brands-homeaglow-css-styles-css-a411975a2423#.cpqo73c3e" rel="nofollow">https://medium.com/@bradbatt/their-css-references-brands-hom...</a>
<a href="https://news.ycombinator.com/threads?id=phonon" rel="nofollow">https://news.ycombinator.com/threads?id=phonon</a>
Their robots.txt [1] prevented archive.org's Wayback machine from crawling their Privacy Policy at <a href="https://www.homejoy.com/privacy" rel="nofollow">https://www.homejoy.com/privacy</a><p>I would have assumed that I'd be notified if sensitive information on Homejoy was sold to a third-party or "partner", but I should have probably read their privacy policy more closely when the shutdown notice came out.<p>[1] <a href="https://web.archive.org/web/20151023153644/https://homejoy.com/robots.txt" rel="nofollow">https://web.archive.org/web/20151023153644/https://homejoy.c...</a>
I read this whole page of comments (when it was at 105) and gk1's comment is the only one that comes even close to what I'd like to see here:<p>> You're underestimating how far people are willing to go to appear legit. Showing logos of companies who aren't your clients -- or of publications that never mentioned you -- is common. They know most people won't check to verify.<p>...Along those lines: has anybody considered the possibility that the whole thing is an elaborate phishing site?<p>Here's an avenue for investigation which seems to be unexplored here: has Flymaids hired any maids, or contracted with them, or however that works?
Judging by the Olark (site chat) account being used, Flymaids.com is run by Homeaglow.com.<p>Edit: Which is also the same account used on cleanerconnect.com.
Apart from everything else in the OP; from the email he received:<p>> I wanted to reach out personally [...]<p>So personally is going the way of literally, which literally does or does not mean <i>literally</i> [1].<p>[1] <a href="http://dictionary.reference.com/browse/literally" rel="nofollow">http://dictionary.reference.com/browse/literally</a>
Looks like the domain was registered on Oct 8th and I can't find "Fly Maids" or similar names on the Delaware Division of Corporations. (Maybe it takes longer for it to show up?)<p>Either way super weird and creepy.
Looks like some big mistakes might have been made by the people over at FlyMaids. Despite all this I hope there are people close who are looking out for their wellbeing, and helping them fix the situation.
Strange, I had an account with Homejoy, yet I just tried to log into Fly Maids and it failed with no account. Furthermore, I tried using forgot password, and it leaked that no account exists with my e-mail.
Am I the only one that doesn't see any archive on <a href="https://archive.org/web/" rel="nofollow">https://archive.org/web/</a>?
Yeah, it looks the same with little tweaks. My question is did those magazines feature flymaids as they are stating?<p>EDIT: The site looks the same and that is a clear fraud hence my question.
Really surprised to see this story get so many votes. Yes, this guy did not act very properly, and seems like it's a desperate act to salvage an old business. Admittedly the copying of UI CSS from a competitor was a clear wrong, but all the others, passing on data, kind of like a grey area. OK, it's wrong if I have to choose one option. But what the heck, cut him some slack, he has posted immediately with his real name. What do you want, shame him into killing himself? The insensitivity is simply shocking to me. You have acted as a lynch mob today (hiding behind the technicalities), I am sorry to say that.
Current contents of "flymaids.com" is a 404 page:<p>Heroku | No such app<p>There is no app configured at that hostname.
Perhaps the app owner has renamed it, or you mistyped the URL.<p>Hosting appears to be by GoDaddy.
This article here says it was a customer retention problem.
<a href="http://www.forbes.com/sites/ellenhuet/2015/07/23/what-really-killed-homejoy-it-couldnt-hold-onto-its-customers/" rel="nofollow">http://www.forbes.com/sites/ellenhuet/2015/07/23/what-really...</a>
I wish people wouldn't jump to conclusions without all the facts. We don't know who bought what. Google has some of the team. Handy was in talks to buy Homejoy. Who knows who else is involved. If Handy bought the data they would have a right to their own copy.
I think it goes without saying that there is nothing remotely legitimate happening here. The fact that Aaron posted this comment and expected anybody to believe it is remarkable.<p>That being said, I spent 5 minutes researching Aaron Cheung and I was astonished by what I found. He has a Twitter account, but has posted exactly 0 times [1]. He has an HN account, but has posted exactly 0 times [2], and only commented twice (including today). He graduated from MIT in 2009 and this has seemingly been the only real job he's had for the past 5 years [3].<p>I think, from this perspective, I understand why Aaron is doing what he's doing. It doesn't make it right, not even close, but this person has lived and breathed the home cleaning space for his entire professional career. He may not have the slightest idea what else he could possibly do instead.<p><pre><code> [1]: https://twitter.com/aarontcheung
[2]: https://news.ycombinator.com/submitted?id=aarontcheung
[3]: https://www.linkedin.com/in/aarontcheung
</code></pre>
Edit: I'm certainly not claiming that people who are inactive on social media are bad people. But given the complete picture of what has been reported in the media, what was revealed today and the tone-deafness of his comment, I <i>personally</i> think this lack of engagement is part of the explanation.