Discord gives servers a way to intercept spam and harmful content, will expand premium memberships

Discord is introducing a native way for servers to preemptively detect and block harmful messages and spam. The tool, called AutoMod, is available today and will allow anyone who moderates one of Discord’s server-based communities to create a custom list of words that the new bot can scan for and intercept.

When one of the target words is detected, the bot can automatically block that message so it never hits the server, send an alert to a specific channel to give moderators the head’s up or put a user in “timeout” by temporarily turning off their ability to send messages. Discord will also provide a pre-built list of words and phrases that are commonly flagged by mods that can easily be toggled on without building a custom keyword list.

“I think one of the big pain points that we’ve heard from a lot of moderators is that they spend a lot of time policing their servers, as opposed to actually doing the things that they want to do, like running events [and] creating culture,” Discord Head of Creator Product Marketing Jesse Wofford told TechCrunch.

Unlike existing tools, Discord’s AutoBot can preemptively scan conversations, identifying anything with the targeted keywords before it ever appears in chat. External tools previously didn’t have the permissions required to see messages before they hit a server and instead would automatically moderate them a few seconds afterward. Discord says that it will give its developer community the ability to build onto AutoMod’s preemptive detection ability now that the new native tool is in the wild.

“There are a lot of moderation bots on Discord and I think they’ve actually been doing a lot of the heavy lifting for now,” Wofford said. “We’ve taken a lot of inspiration from them in terms of what’s working for them and actually chatting directly with developers and chatting to our admins about what they like.”

Discord is increasingly building some of the features its users previously incorporated through external services into its core app. Users have long relied on the app’s external ecosystem of plug-in tools to do everything from welcoming new server members and scanning for harassment to DJing music within channels and playing mini games.

Wofford says that Discord wants developers to “come along for the ride” and remain relevant even as the company integrates features that external bots previously provided to its community.

Beyond introducing AutoBot, Discord also announced that it will expand premium memberships, a Patreon-like way for active community members to pay for perks and additional server access.

Discord first announced a pilot program for premium memberships back in December. The company started by giving a small cluster of communities access to the feature set, which allows servers to make a portion of or all of their content available to paid members only. The early servers that tested premium memberships included a game tutorial community, The Trans Community Center and Stream Professor, which offers guides for people getting into livestreaming.

The idea is to both make the work of maintaining a Discord community more “sustainable” and to bring outside payments users make for premium content on Patreon or elsewhere into Discord itself.

This summer, Discord will begin allowing more servers to enable premium memberships, but the company isn’t yet opening the feature to anyone. Discord will allow servers in the U.S. with under 500 members to apply for the program, but will still hand review those communities to ensure that the rollout is smoothly and the company learns along the way.

“We want to make sure that we’re being very thoughtful about people coming in,” Wofford said. “We think that we’re creating a really new paradigm for career monetization, when it comes to the idea of community being something of value you can monetize. And I think we’re playing the long game here.”

Discord is also introducing two new resources for mods and admins that manage communities: a community resource center stocked with educational information to help servers get up and running and a special hub where community admins can interact with Discord’s staff, get news and join events.

Workrise fixes API that spilled users’ personal information

Workforce management unicorn Workrise has fixed an exposed API that was spilling some users’ personal information.

The Austin, Texas-based startup, which previously went by RigUp, was founded in 2014 as a marketplace for on-demand and skilled labor in the oil and gas industry. The company changed its name to Workrise in February 2021 to accommodate a broader set of energy sectors, like solar, construction and defense. By May 2021, Workrise said it had raised $300 million at a $2.9 billion valuation. But last month, Workrise announced layoffs that reportedly hit hundreds of the company’s 600 employees after the mid-pandemic pivot failed to pan out.

Now, a security researcher who goes by the handle Rzlr told TechCrunch that they found an exposed Workrise API that allowed anyone to retrieve personal information about subcontractors directly from Workrise servers without needing a password.

The API was able to return names, email addresses and some employment details about subcontractor’s work, and names and email addresses about the people who provided references for the subcontractors, such as their former colleagues and managers.

In simple terms, an API allows two things to talk with each other over the internet, like a smartphone app, a Peloton bike, or door locks that need to communicate with their servers. In this case the unauthenticated API could be queried using a web browser by plugging in a unique four-digit user ID that corresponds with a subcontractor’s review. But the user IDs were sequential, allowing anyone to access another subcontractor’s information simply by changing the user ID by a single digit, a common security flaw known as an insecure direct object reference bug — though Rzlr said not every digit returned a valid response.

Several of the exposed records seen by TechCrunch were created as far back as 2019 and marked as “draft.”

Rzlr said in their limited testing of 1,000 records, they found more than 920 records with names and email addresses. Rzlr said the API did not limit the amount of data that could be downloaded, which they warned could have presented a scraping risk.

A screenshot shared with TechCrunch showed that the data could be easily scraped.

TechCrunch emailed CEO Xuan Yong and COO Mike Witte, who did not respond, but a short time later the API was no longer publicly accessible and was protected by a login page. In an emailed response, Eric Murphy, Workrise’s vice president of security, told TechCrunch: “Users maintain public profiles by default,” said Murphy. “To the extent Workrise determines any active user data was exposed that was not intended to be public, Workrise plans to notify those users directly.”

Rzlr said they contacted several Workrise email addresses on April 22 — including Murphy’s and the company’s main security email address — about the exposed API. When asked why the API was not secured for two weeks until TechCrunch contacted the company, Murphy said the researcher’s emails were marked as spam.

Workrise also fixed a second API issue that allowed anyone to obtain users’ referral codes, which could then be used to query the API to obtain the name, email address, phone number and the referral payment amount of users who invited others to join the site.

When asked if the company had carried out security audits of its systems, Murphy said the company had undergone “multiple” third-party audits but declined to name the company that allegedly performed them.

ProtonMail buys email alias startup SimpleLogin

Proton, the Geneva, Switzerland-based startup behind the eponymous E2E encrypted webmail service ProtonMail, has acquired French startup SimpleLogin, which offers a freemium, open source service for creating email aliases to let people shield their actual email address when they sign up for digital services.

Paris-based SimpleLogin was founded back in 2019 and works as a browser extension, web app and mobile app — also offering users with a dashboard where they can disable aliases (such as if one starts getting spammed); and manage multiple real email addresses (i.e. if they have a number of email accounts which they want to be able to send aliased emails from).

The startup has grown to more than 100k users, with more than 2M email aliases created to date. We’re also told its monthly growth rate is in the double digits.

There is a fair amount of service overlap already between SimpleLogin and Proton with around a quarter of SimpleLogin users also being ProtonMail users, according to a Proton spokesman, who talks up “strong synergies between us”.

Commenting on being acquired in a statement, Son Nguyen Kim, founder and CEO of SimpleLogin, added: “SimpleLogin’s mission is to protect your online identity… We like Proton’s mission, its transparency, open-source nature, and user-first culture. It’s exciting to know what we can do with Proton experience and resources.”

Financial terms of the acquisition are not being disclosed.

In a blog post announcing the acquisition, Proton’s founder and CEO Andy Yen also flags the overlap, writing: “We have been following SimpleLogin closely for a long time as many ProtonMail users utilize it to prevent their ProtonMail addresses from being leaked to spammers.”

“SimpleLogin is a complementary service to ProtonMail,” he adds. “ProtonMail protects your data privacy with encryption, while SimpleLogin prevents malicious actors from discovering your actual email address by hiding your email.“

Proton’s plan is to more deeply integrate SimpleLogin functionality into ProtonMail — meaning its wider user-base will be able to hide their email addresses using SimpleLogin without having to sign up separately for the latter service.

Proton will also be maintaining SimpleLogin as a separate service, per Yen.

“If you already use SimpleLogin with ProtonMail, things will continue to work the same as before,” he says. “SimpleLogin will continue working as a separate service, and the SimpleLogin team will continue building new features and adding functionality but now with the benefit of Proton’s infrastructure and security engineering capabilities.”

SimpleLogin’s team will continue to operate out of Paris where Yen says Proton will now be actively seeking to recruit from as it continues to expand the business, adding that its hope is to create “dozens” of jobs in the coming years.

The acquisition marks a further expansion of Proton’s suite of services — which as well as E2E web mail for individuals and business users includes an own brand VPN, a calendar product and cloud storage (aka Proton Drive).

Sustaining a privacy-focused business model which does not rely on data mining users to generate revenue encourages expansion into additional, aligned service areas to maximize cross-selling opportunities. Hence we’ve also seen the non-tracking browser, DuckDuckGo, bolting on a number of additional services in recent years as competition hots up for privacy-centric services.

Most pertinently, DuckDuckGo launched an email protection service last summer which offers a fairly similar email shielding feature as SimpleLogin — providing users with a free @duck.com personal email address (albeit merely to forward email to the user’s regular inbox; DuckDuckGo claims it doesn’t save your emails and isn’t (as yet) offering a like-for-like webmail service).

It’s clear that increasing competition in the privacy space is leading to previously once very distinct services to range further and start to overlap territorially. For users the upshot is more fully featured privacy products that promise to shield more of their online activity from prying eyes.


Cloaked raises $25M Series A to generate privacy-friendly identities on the fly

Cloaked, a Boston-based startup that allows users to generate unique email addresses and phone numbers when creating online accounts, has secured $25 million in Series A funding.

Founded in 2020 by brothers Arjun and Abhijay Bhatnagar, Cloaked allows privacy-conscious individuals to create unique identifiers. The service, available as an app and a browser extension, creates “cloaked” identities — such as emails, phone numbers, passwords, and credit card numbers — that can be unique to any given online service. Cloaked operates like a password manager, but rather than saving a user’s passwords, the platform creates and replaces personal information with “cloaked” data.

Unlike other services that generate identifiers, such as Apple’s Hide My Email, Cloaked’s smart settings make it easy for individuals to personalize and customize how each identity works. For example, individuals can choose what, when, where and with whom they share information, and each email address and phone number can be turned on/off, snoozed, expired, and automatically updated if compromised. Users can also choose whether they want messages to auto-forward to personal emails and phone numbers or for them to live within Cloaked.

Cloaked says it keeps personal information private from the start, with every user owning an encrypted database where all their personal information is stored, giving them the keys and control to manage or delete at any point.

“People liked this idea of feeling known, but not surveilled,” Abhijay tells TechCrunch. He said that those currently using Cloaked in an early preview are creating identifiers for online banking to online dating. “We really want to rebuild people’s relationship with not just their data, but technology as a whole,” he said.

Cloaked offers a service like a password manager but for generating online identities. (Image: supplied)

Cloaked, which is currently a free service but plans to move to a freemium model, tells TechCrunch that its Series A funding, which was co-led by Lux Capital and Human Capital, will help it to continue to build out its product and exit beta. The startup now has a 26-strong team of fully-remote employees and is looking to hire. “We’ll be sticking to remote-first,” Arjun says. “This broadens our ability to hire the best taken in the world wherever they are, and we want to make sure that our team is full of the smartest people around.”

Cloaked is the second startup founded by the Bhatnagar brothers. Prior to launching their latest venture, they founded and sold Hey! HeadsUp, an online platform that allows users to add tasks to other peoples’ schedules without sharing multiple calendars and event invites.

Too much email? Try Gated, which asks unknown senders to make a donation first

If you aren’t drowning in email these days, you either don’t have an email account or you are a very young person who marketers haven’t discovered quite yet (they will!).

To push back against the assault, a 10-month-old, Bay Area-based startup called Gated has emerged with an approach to help both overwhelmed email recipients and hopefully benefit society at large. The big idea: to force unknown senders to donate to a nonprofit chosen by the email recipient in order to get into their inbox. Want to tell strangers about your event next month, pitch your company, sell your gizmo? That’s fine, but it’s going to cost you — maybe a lot, depending on who you’re trying to reach.

Gated — founded by Andy Mowat, an angel investor who was most recently the VP of growth operations at the employee engagement startup CultureAmp —  works by creating a separate folder in one’s Gmail account. According to Mowat, the software automatically builds a list of allowed senders based on who the email holder has communicated with previously; when unknown senders reach out, they’re promptly moved into this separate folder, where they’re told they can only reach the user’s inbox if they make a donation to that person’s charity of choice. The individual sets the price — beginning with a minimum of $2 per email — after which 70% of the payment goes to the (vetted) nonprofit. The rest flows to Gated, whose software is free.

Unsurprisingly, venture capitalists, who are the target of hundreds of pitches each day, love the idea. Indeed, Gated is announcing that it has raised $3.3 million in seed funding led by Corazon Capital, with participation from Precursor Ventures, Burst Capital, Tuesday Capital and other early-stage funds.

Of course, as much as the concept may resonate with potential users (waves hand), it also raises questions, including, first and foremost, around privacy.

For its part, Gated says it never reads the contents of any message. “We’re only looking at the metadata, the ‘to’ and the ‘from,'” says Mowat. Even still, there are only so many people being flooded by enough strangers’ requests that Gmail filters aren’t enough. Some of those people are likely influential in their own way and might not love Gated mapping their connections over time.

Another challenge is that not everyone uses Gmail, which is the only platform to approve the use of Gated’s software to date. (Mowat says the company is going through the “next round of reviews” with Microsoft, noting that some email platforms have “had some other partners burn them in the past” so they “put everyone through a security review.”)

Gated is also not a lucrative business to start, though as with most startups, that could surely change. As Mowat tells us, a large chunk of the revenue Gated expects to receive will end up going toward payment fees to cover the cost of all these transactions. While he and his small team are already thinking about micropayments schemes so Gated isn’t eaten alive by credit card fees, it’s not there yet.

As for how Gated grows, beyond articles like this one, the outfit is counting on a heavy viral component to spread the word at first. That seems like a reasonable approach, given that even two weeks ago, Gated already had a wait list of 2,500 people, according to Mowat, despite having not yet launched publicly.

Later, Gated also plans to develop a business-to-business product, where marketers work with Gated to develop a budget that allows their sales teams to send out a certain number of emails per month.

By the way, if you’re wondering: An email recipient who uses Gated is under no obligation to answer an email, no matter how much someone has paid to get it into their Gmail account.

According to Mowat, the response rate the company is seeing with its beginning user base is higher than average. “Between 40% to 60% of all donated emails are replied to, with some users replying to every single email because they really appreciate people respecting their time.” Others, he adds, still reply “very infrequently.”

It’s also worth noting that a “donor” does not have unfettered access forever to the inbox of an email recipient. “There’s some subtleness to it,” says Mowat, but basically, if a recipient responds to an email, the email sender is placed in a known sender group by default. Still, that sender can be dragged back to that Gated folder at any time.

And there’s a third option called “mute.” Says Mowat, “That basically means, ‘Don’t send them another challenge email. But also don’t put them in my inbox.'”

Google discovers threat actor working as an ‘initial access broker’ for Conti ransomware hackers

Google’s Threat Analysis Group has observed a financially-motivated threat actor working as an intermediary for the Russian hackers, including the Conti ransomware gang.

The group, which Google refers to as “Exotic Lily,” acts as an initial access broker, finding vulnerable organizations and selling access to their networks to the highest bidder. By contracting out the initial access to a victim’s network, ransomware gangs like Conti can focus on the execution phase of an attack.

In the case of Exotic Lily, this initial access was gained through email campaigns, in which the group masqueraded as legitimate organizations and employees through the use of domain and identity spoofing. In the majority of cases, a spoofed domain was nearly identical to the real domain name of an existing organization, but changed the top-level domains to “.us,” “.co” or “.biz.” In order to appear as legitimate employees, Exotic Lily set up social media profiles and AI-generated images of human faces.

The attackers, which Google believes are operating from Central or Eastern Europe due to the threat actors’ working hours, would then send spear-phishing emails under the pretext of a business proposal, before ultimately uploading a payload to a public file-sharing service such as WeTransfer or Microsoft OneDrive.

“This level of human interaction is rather unusual for cybercrime groups focused on mass-scale operations,” notes Google researchers Vlad Stolyarov and Benoit Sevens in a blog post shared with TechCrunch before publication.

These malicious payloads initially took the form of documents containing an exploit for a zero-day in Microsoft’s MSHTML browser engine (tracked as CVE-2021-40444), before the attackers switched to the delivery of ISO disk images containing hidden BazarLoader payloads. Google researchers say this shift confirms Exotic Lily’s relationship with a Russian cybercrime group tracked as Wizard Spider (also known as UNC1878), which is linked to the notorious Ryuk ransomware that has been used to target businesses, hospitals — including U.S-based Universal Health Services — and government institutions since 2018.

While the nature of this relationship remains unclear, Google says that Exotic Lily appears to operate as a separate entity, focusing on acquiring initial access through email campaigns, with follow-up activities that include deployment of Conti and Diavol ransomware.

Exotic Lily, which was first observed in September 2021 and is still active today, was sending more than 5,000 phishing emails a day to as many as 650 organizations during the peak of its activity, Google said. While the group initially seemed to be targeting specific industries such as IT, cybersecurity and healthcare, it has more recently begun attacking a wide variety of organizations and industries, with less of a specific focus.

Google has also shared indicators of compromise (IOCs) from Exotic Lily’s large-scale email campaign to help organizations defend their networks.

Google Docs now lets you draft emails with others and export them to Gmail

Google is introducing a new feature in Google Docs that aims to make it easier to collaborate on an email draft, the company announced on Wednesday. The new Google Docs email draft template lets users draft emails and then export them to Gmail.

The launch is part of Google’s Smart Canvas push that leverages the “@ menu,” which lets users quickly perform actions. The email draft template can be accessed by entering “@email” in a Google Doc. Doing so will surface a template that includes To, Cc, Bcc and Subject lines. When you’re ready to send the email, you can select the Gmail icon to export your draft to the emailing service. A Gmail compose window will pop up and all of the email fields will be automatically filled out with the information you entered in the email draft in the Google Doc.

gmail email draft

Image Credits: Google

“We’re making it easy to collaborate on an email draft in Docs with the new email draft template,” Google said in a blog post about the new feature. “You can mention people in the recipient fields using the @ menu without having to remember their email addresses, and collaborate on the message body using comments and suggestions.”

The feature was first teased in February and is now starting to roll out to all Google Workspace customers, as well as legacy G Suite Basic and Business customers. Google hasn’t mentioned availability for personal use, but TechCrunch has reached out to the company to learn more. It’s worth noting that Gmail features often first roll out to G Suite customers before launching for consumers. For instance, business customers got access to Gmail’s deeper integrations with Chat, Meet and Rooms before consumers did. 

The new email draft template will be useful in instances where teams need to collaborate on an email together. Although you could always copy and paste the text from Google Docs and Gmail, this new integration makes it easier to use both of these products in one place and get things done faster.

Nvidia confirms it is investigating a cybersecurity incident

U.S. chipmaker Nvidia has confirmed that it’s investigating a cyber incident that has reportedly downed the company’s developer tools and email systems.

Nvidia told TechCrunch in a statement that the nature and scope of the incident are still being evaluated, adding that the company’s commercial activities have not been impacted as a result.

“We are investigating an incident. Our business and commercial activities continue uninterrupted. We are still working to evaluate the nature and scope of the event and don’t have any additional information to share at this time,” the statement read.

While Nvidia isn’t sharing any more details about the incident, The Telegraph reports that the company’s email systems and developer tools have been suffering from outages over the last two days following a “malicious network intrusion.”

Citing an insider, the report claims that the company’s systems was “completely compromised,” but added that portions of its email systems had started working on Friday.

It’s not yet clear whether hackers obtained data on Nvidia or its customers, nor whether any of its partners were affected. Nvidia has not yet identified the culprit, and customers say they had not been informed of any incident, according to The Telegraph’s report.

News of a potential cyberattack at Nvidia comes just weeks after the Santa Clara-based company terminated its $40 billion bid to acquire British chip designer Arm. The company said the decision was mutual, resulting from “significant regulatory challenges preventing the consummation of the transaction, despite good faith efforts by the parties.”

Shortwave wants to bring back Google Inbox

Google’s Inbox experiment was a glorious thing while it lasted. Launched as an invitation-only service in 2014, it was the company’s next-gen email client. Because it was so good, it’s no surprise Google shut it down in 2019. Thankfully, though, a group of ex-Google/Firebase employees is now resurrecting the Inbox experience — with a bit of the Slack user experience mixed in, too.

The team behind Shortwave (CEO Andrew Lee, CPO Jacob Wenger and CTO Jonny Dimond) all previously worked on Firebase at Google, as did many of the company’s other early employees.

[gallery ids="2272013,2272011,2272012"]

Like Inbox for Gmail, Shortwave is essentially a Gmail-centric email client, and you can easily switch back and forth between the two. But it’s also much more than that. Think of it more as Inbox re-imagined for 2022.

As Lee told me, the team took two important inspirations from Inbox. “One is the idea that you should work with your email in groups,” he said, referring to Inbox’s ability to bundle emails by topic. “As the volume of email grows in your inbox, it becomes impractical just to page through every single email. Even if you have all the keyboard shortcuts and your app is super optimized, just scanning through all that stuff takes a long time.” While you want to know about automated emails like calendar notifications for example, chances are you’ve already accepted those invites in your calendar, for example, so marking all those as read or snooze them for later with a couple of clicks saves a lot of time.

Image Credits: Shortwave

In addition, the team also built Shortwave with the idea that your inbox, whether you like it or not, is a to-do list. “You can either give users the tools to manage [their inbox] like a to-do list, or you can force them to manage it in their heads,” Lee explained. “They added a literal checkmark in Inbox to say, ‘hey, you’re marking this thing as done,’ as well as other to-do list-type features. We’ve done the same thing.”

Image Credits: Shortwave

In Shortwave you can pin emails to the top of your inbox, for example. To me, that’s a better way of dealing with messages than using Gmail’s star feature, but that may just be a personal preference (I often star emails, only to then never return to them). You can also reorder messages in your inbox as needed — or organize them into your own custom bundles.

As you would expect from a modern email client, it also features the ability to snooze messages.

On top of the Inbox experience, the team also implemented features from modern chat clients like Slack. You can respond with GIFs and emojis, for example, and Shortwave features Slack-like reactions. There are also channels for group conversations and the usual @mentions, in addition to other features that are meant to make group conversations easier, especially in a business setting.

When everybody in a conversation is on Shortwave, you will also get typing notifications and you can see if others are online.

I’ve been testing Shortwave for a few days now and it does remind me of the early days of Inbox (though unlike the iOS app, the Android app is still a bit rough around the edges, something the team is aware of).

As Lee told me, the team is mostly targeting business users. And while anyone can use the service for free, it’s using a Slack-like monetization model where users who want to have more than 90 days of email history in the service will have to pay.

Image Credits: Shortwave

Shortwave also today announced that it has raised a $9 million Series A round, which it actually closed all the way back in April 2020, right after the team got working on the product. The round was led by USV and Lightspeed. The co-founders also invested in this round, as did Flybridge Capital and Afore Capital, as well as a number of angels, including Immad Akhund (CEO, Mercury), Peter Reinhardt and Ilya Volodarsky (the founders of Segment) and Oliver Cameron (founder of Voyage).

How to build and maintain momentum in your fundraising process

Momentum is the single most important factor that helps startup founders raise capital.

In 20+ years of working to connect founders with potential investors, I’ve learned that there’s a direct correlation between the speed of your fundraising process and the probability of actually getting funded.

Startup investors are incredibly smart people who eat, sleep and breathe these kinds of investments. The best investors are pros at sensing whether a deal has momentum or not — or worse, whether a deal has gone stale.

When you’re raising venture capital for your startup, you will have to hustle like you’ve never hustled before. As CEO, your primary job is building and maintaining momentum for your investment deals.

Once you have set up and organized your fundraising funnel, it’s go time.

Check out these tips for creating momentum in your next fundraising round:

Great hack for asking for email introductions

Asking for introductions to your target investors is one of the best places to concentrate your efforts at the beginning of a round. If done well, these email intros can get the ball rolling quickly.

The trick is to make it as easy as possible for your connector to do their job.

Before you send your first email, map out mutual connections between you and your target investors. You may find that you have some “power connectors” in your network — people who are already in touch with several of your targets. Put these people at the top of your list.

If your go-to-market slide raises eyebrows at a couple of meetings, it’s time to try a different tact.

Reach out to your connector with a brief email that says something like: “Hey, I’m raising money and I see you’re connected to these investors on my target list. Do you know them well enough to make an intro?”

After your connector responds with a list of introductions they’re willing to make, here’s the best way to help them help you:

  • Start a clean email thread to your connector — one for each target investor.
  • Write a clear subject line: “[Connector], can you introduce me to [target investor]?”
  • At the end of the subject line, include at-a-glance info about your company: company name, the funding round + the single most exciting data point about your business
  • Keep the email body very short. Investors get dozens of these emails a day, so keep yours to four to five sentences:
    • Use one sentence to say what your company does and link to your website.
    • Reiterate that you’re fundraising, and ask for the intro.
    • Mention any connections you may have with the investor (Universities, past employers, etc.)