A few weeks ago, we wrote about Twimailer, a third-party Twitter tool similar to Topify, that aims to make Twitter's email notifications more useful. Now, however, we read that Twimailer was quietly sold and acquired early last month, and that the current owner is already trying to sell the service. According to Topify's Arik Fraimovich and Ouriel Ohayon, the new owner approached Topify, but the company turned down the offer to acquire its competitor, not least because Twimailer's own Twitter account has been closed, and because a lot of users have been complaining about the service.
Twimailer's original developer, Jon Weatley, put the site up for sale on the SitePoint Marketplace in early March, right after he received a number of very positive mentions from prominent Twitter users like Kevin Rose and Tim O'Reilly. The site was put up for sale exactly one day after our own positive review of the service, and it eventually sold for $2,500.
According to Topify, the current seller, who is based in Romania, claims that he is too busy to maintain the service. Other warning signs for Topify were that Twimailer's site features no terms of service (something to think about before you give your Twitter credentials and/or email address to a third party!), and that the site still features Twimailer's now deactivated Twitter account. Twimailer also never notified its users about the sale.
This whole affair does indeed seem rather shady and we think Topify's developers did the right thing when they decided not to buy Twimailer. Topify's developers couldn't help but note that Twimailer, because of its small size, wouldn't be much of an asset anyway.
Twimailer didn't take users' Twitter credentials, but, as we pointed out in our review, users had to forward their direct messages and other email from Twitter to the service, which would include any password change notifications. Twimailer is currently down, and if you are paranoid about somebody hacking into your Twitter account, this might be a good time to change your password.
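One way to limit that exposure is to keep your own address on the Twitter account and relay only selected notifications to the third-party service. The sketch below is an added example, not code from Twimailer, Topify or Twitter; the subject patterns, sender domain and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed subject patterns for the notification types worth relaying.
FORWARDABLE = [
    re.compile(r"is now following you", re.I),
    re.compile(r"^direct message from ", re.I),
]
# Assumed sender domain for notification mail. The From header is not
# authenticated, so this is a sanity check, not proof of origin.
TRUSTED_SENDER_DOMAIN = "twitter.com"


def should_forward(raw_message: str) -> bool:
    """Return True only for mail that may be relayed to a third party.

    Default-deny: anything not positively recognised (password resets,
    email-change confirmations, unknown message types) stays local.
    """
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    domain = sender.rpartition("@")[2].lower()
    if domain != TRUSTED_SENDER_DOMAIN and not domain.endswith("." + TRUSTED_SENDER_DOMAIN):
        return False
    subject = msg.get("Subject", "")
    return any(p.search(subject) for p in FORWARDABLE)


def route(messages):
    """Split raw messages into (forward, keep_local) lists of subjects."""
    forward, keep = [], []
    for raw in messages:
        subject = message_from_string(raw).get("Subject", "")
        (forward if should_forward(raw) else keep).append(subject)
    return forward, keep


# Constructed sample messages (not real Twitter mail).
SAMPLES = [
    "From: Twitter <noreply@twitter.com>\nSubject: alice is now following you on Twitter!\n\nbody",
    "From: Twitter <noreply@twitter.com>\nSubject: Direct message from bob\n\nbody",
    "From: Twitter <noreply@twitter.com>\nSubject: Reset your Twitter password\n\nbody",
    "From: Twitter <noreply@twitter.com.example.net>\nSubject: Direct message from eve\n\nbody",
]

if __name__ == "__main__":
    fwd, kept = route(SAMPLES)
    print("forward:", fwd)
    print("keep local:", kept)
```

Because the rule is an allowlist, a new kind of account-security email that the filter has never seen stays in your own inbox instead of reaching the third party.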
More and more services are now using Twitter's OAuth implementation, which should make using third-party applications a lot safer by default. For Twitter web apps that don't use OAuth yet, however, it is worth considering their terms of service and other factors to see if this is a reputable company. Even then, though, there are still some risks, as this example from Twimailer clearly shows.
Comments
Frederic, thank you for posting this! We want as many people to know of it, so they'll be cautious about such issues in the future (and to warn Twimailer users).
I think that besides having some sort of TOS, people should check who is behind the application. There was never a mention of who developed Twimailer, which from the beginning looked suspicious to me. On the other hand - you can easily tell who is behind Topify, Twitterfeed, Twittercounter and many other popular Twitter applications. You can trust these applications because you know that their creators will never risk their reputation for quick money or dubious acts.
Arik
This was quite a shock when I saw this story pop up in my RSS reader.
When this was originally developed we never considered there to be any security issues with twimailer. After all, all you're doing is changing your default twitter email and not handing over any of your login credentials.
This was also before twitter flipped the oAuth switch on so when this was developed there really was no other way around it.
It was later suggested that this could still *potentially* be a risk regarding twitter password resets. This was obviously NEVER our intention.
"Twimailer also never notified its users about the sale."
Actually, they were. From what I understand the new owner sent out an email to all twimailer users.
Thanks for the original writeup and for continuing to follow the story. Luckily, now twitter has rolled out oAuth this kind of thing will no longer be an issue.
Twitter is a social networking site. When did we become a society wanting to know what a perfect stranger is having for lunch? I never really took the thought of social networking sites as having the greatest defenses against hackers and your article's point is well taken.
Jon, the surprise is elsewhere.
The issue is that you sold this application without being transparent to your users. This is unrelated to the oAuth implementation you are evoking. This is not a security debate but a trust debate with users.
I see you have experience in selling apps you are building (like Twollow and Twitority). I assume you should be aware of that.
I got the email but I don't think it was very clear that the site had been purchased.
Richard, indeed it is not clear but Topify seems to explain that well on their blog and it is mentioned on YesThat.com although without details on the owner
This is why I switched from Twimailer to Topify
thanks to this blog for bringing some light
Wow, well, it is nice to be proven right every now and again. Guess my point to NOT give Twimailer your ACTUAL Twitter email account proved prescient:
http://factoryjoe.com/blog/2009/03/04/how-to-use-twimailer-securely/
Posted by: factoryjoe.com | April 7, 2009 8:44 PM
FactoryJoe, this is not saving the fact that you covered a service many users won't trust anymore whatever the method you are using. So I guess you are not that right...
By the way if any Read Write Web reader would like to try topify here are 50 invites
http://www.topifybeta.com/invite.php?id=b93559b3f3d4a4d2176c040519bf2d83
Ouriel Ohayon
Ouriel,
How about OAuth for Topify then. And what guarantees are you offering that you aren't going to be EVIL?
I had previously warned people about services like this and to use the trick of setting an email filter to redirect emails rather than changing the registered email address in the Twitter account.
Now visiting Twimailer.com results in a MySQL error.
I suggest anyone who had changed their Twitter account's registered email to the one Twimailer provided, restore the email address as soon as possible.
Joe - while you can never be sure, at least in our case you know who is behind the service: me and Ouriel. Do you really believe that we will risk our reputation in order to gain some quick money?
Re. OAuth - it's on the way... stay tuned :)
I'm the owner of Twimailer.
First of all I want to point this: my conversation with Arik was a private one so he shouldn't have made it public. He's been playing dirty from the beginning.
Also, saying bad things about your competition isn't good business practice. In fact, our sign-ups grew by 10% since Arik started talking bad about us.
As you can see on http://mvdmedia.ro I have more than 20 projects and I'm working on 3 new ones so this was the real reason to sell.
Since I've been thinking of our users I've tried to leave them in the good hands of Topify. But I think they're afraid of growth :)
As for the transparency: every new user that signs-up on Twimailer received an email about the acquisition.
UPDATE: speaking of bad business practice :) I just posted a comment on the Topify blog and they've deleted it. Funny :)
Just when I started to like twimailer and got used to it, it's down (sold I read here). I didn't get any e-mail about the sale, I just found out now when I was checking twimailer.com which is down.
artgrrl: http://twimailer.com is alive and kicking. It was down because we've changed the servers. Check it out!
@Toni: thanx, I see it now, hopefully I get new e-mail about followers soon
Toni -
When you emailed us you never asked not to share the conversation. Besides that all of the information we posted is publicly known - including the information about the sale, the fact that Twimailer's Twitter account was suspended or that you have issues lately.
As for the email that every new user gets - it says that you invested in Twimailer rather than bought it. For new users it doesn't make much difference, but for the already existing users the choice of words does have a significance.
And we don't delete comments from our blog. It was marked as spam by Disqus (see here: http://twitpic.com/2zu99) - maybe it says something about you...
Good luck with your projects.
I just switched my own Twitter account from Twimailer to Topify. It was very simple (and I'm much less worried about security) because I never actually changed my email address in my settings on Twitter.com. All routing of messages to Twimailer (and now to Topify) was (and is) handled by a filter in Gmail. I know Chris Messina wrote about using Twimailer safely using a very similar filter, but I just published a post that applies to Topify as well: http://voyagerfan5761.blogspot.com/2009/04/how-to-safely-use-twitter-notification.html
thanks for comments