by chris_wot 3885 days ago
So hold on... If we can work out how they encoded those activation URLs, or someone intercepts the email then they can get full access to anyone's account?

I have zero sympathy for HomeJoy. They failed, which is something I can have sympathy for. But they sold all their customers' private data without notifying them of this fact, and caused major security concerns in the process!

1 comment

We don't actually know what happened here. It could have been just one founder doing something shady; it could have been a hack; it could be something we can't imagine yet.

Let's not break out the pitchforks until we know who to point them at.

Actually, I'm breaking out the pitchforks. One of the requirements for PCI compliance is that you do NOT hold credit card data for any longer than absolutely required. Given HomeJoy was not doing any more billing of credit cards, these should have been removed from their system.