Comment by crimsontech

> Was it worth it? Yes, it is terrible, shoddy, insecure code, but he proved out a viable business with just a few hundred dollars of investment.

Was it worth it to put all his customers at risk like that?

He is honestly lucky, the "hackers" could have done much worse, it would have been much more profitable for them to go after his customers via his software than to demand money from him had they been financially motivated.

> Third, the hacker has been trying to inject XSS attacks into app

> Now he's hiring a developer to shore it up.

So this is an ongoing attack? He should probably also hire some incident response and get some security consultancy.