Our initial findings were on the spoofed Yos and showing the custom alert. We instantly closed these holes, but there was another issue to follow. I called the number from the text message and spoke with the hacker, who was actually helpful and emailed me with the details of the attack. The issue that followed was that our database had open access from the app itself, a fact that allowed any malicious party to read the user information.
Abel said that issue was resolved Friday around noon, and the developers worked with one of the hackers to verify it had been fixed. He said engineers and one of the hackers are working on ways to make the app more secure. He also noted that the hackers got users’ phone numbers because the app gives users the option to find friends in their phone’s contact lists. He said Yo doesn’t store any information from users’ contacts. Abel also explained that Yo doesn’t ask users for much personal information: