Lesson learnt. Thankfully, the easy way.
As I was leaving Bahrain Tech Week’s awesome event, I glimpsed a small group of the organizers on the side, so I went to say hi. I thanked each one of them for what he/she was doing: “Thank you for the coverage!” “Thank you for MCing!” “Thank you for the support!” until I reached the last person, whom I didn’t know [and who wasn’t an organizer], so I said jokingly, “Thank you for existing!” He chuckled and took it in good sport.
Two days later, I got a WhatsApp message from a number I didn’t know saying “Hey”. I ignored it, until about half an hour later, when I got 2 more messages saying “I have an issue to discuss with you” “Do you remember me?”
Well, shit. At this moment, I had 2 thoughts in my head:
- I hope he wasn’t offended by my thanking him for existing
- Well, shit.
I thanked him for getting in touch and said I’m very curious to know what he found!
He sent me a screenshot of my account info on our database and said “That’s how I got your phone number”
– “Jeez. All of it?”
– “I believe so. You have like X k users, that’s impressive 😄”
I was communicating this on Slack with our development team in parallel. How the heck could such a thing slide without us noticing?!
The team got on it immediately although it was a weekend night. We found the loophole and fixed it within 2 hours. It was a silly issue that was long forgotten, but it got us to rethink everything.
We set aside a whole week to revise our security, backups, optimization, and audit. We also hired the guy for a full system penetration test as a freelancer, and I’m helping put him in front of other startups so he can monetize his skills the same way.
Startups often overlook their security (among other things) in the pursuit of growth, and we’re guilty of the same. In essence, I highly support that decision, because growth should always be your #1 priority as a startup. However, I am now certain that it’s very wise to spend a week per quarter revising everything security related. There’s no point in building an amazing product and user base if it can be wiped out, hurt, or cloned very easily. In our development team’s defense, they’ve been asking for that week, but I swamped them with tasks, bug fixes, and feature enhancements for a long time.
- Don’t neglect your security.
- Be nice to strangers in tech events.