Nut: A hacker spent six months lurking inside Cardpool's database in 2019. This was while the company was being sold, mind you. They then walked away with almost a million gift card codes. And the company? They never told anyone.
Tara: Six months? That's, like, a very long time to be lurking in someone's system, no? And they didn't even know?
Nut: I mean, six months. Yeah. Unbelievable, isn't it? The article we found, it's called 'Cardpool (Winter 2010)' from Startups.RIP. It just lays bare how this company, which, on the outside, it looked like a brilliant idea, but... deep down, it just had these fundamental problems. They kept catching up to them.
Tara: Okay, so tell me, what was the brilliant idea? Because gift cards, they are a huge market, no?
Nut: Well, okay, so the core idea, it's... it came from these two founders, Anson Tsai and Timothy Wong. They were in Y Combinator in 2010. And it seemed brilliant, right? Billions of dollars in gift cards just sitting there, unused, every year. People get them for shops they never go to.
Nut: So, they thought, 'Let's make a marketplace. A place where you can actually buy and sell them.'
Tara: Ah, okay, I see. Like, I get a gift card for a shoe store, but I never buy shoes, so I sell it for cash, and someone who loves shoes buys it at a discount.
Nut: Exactly, that's it! And the idea was so good, you know who led their angel round? The founder of StubHub himself, Jeff Fluhr. Not just him, a whole... a whole who's-who of Silicon Valley investors, all jumped in. It really, it just seemed like a total home run.
Tara: With that kind of backing, that's quite something. So, what went wrong then? Was it, I don't know, just bad management?
Nut: No, I mean, the article, it really gets into this. It's not just bad management, no. Because building a marketplace, you know, it's not just connecting people who want to buy and sell. It's about the thing you're trading. And a gift card, it's... it's just not like a concert ticket.
Tara: No, it's not. A ticket is for one specific event at one specific time, no? And then it's used.
Nut: Right, exactly! The article calls it a 'bearer instrument.' And that's key. Because it's essentially a liability on a retailer's books. Which means... well, it means it's a total magnet for fraud.
Tara: Hmm, yes, I know. But with sneakers, you can authenticate them, no? You can check them. How do you 'authenticate' a digital gift card balance that can be drained in a second by the original owner, even after they sold it to you?
Nut: You've hit the nail on the head, actually. The article points out, like, three really big problems with the whole thing. The first one? 'Thin Spreads.' Their business model was trying to capture this tiny difference, you know? Between what someone would sell a card for... maybe ninety percent of its value.
Tara: Uh-huh.
Nut: And what a buyer would pay, which, they wanted it for maybe twenty, thirty percent off. So the margins were just microscopic. They needed massive, massive volume just to make any money.
Tara: So, even if they had a good system, the profit on each card was so small. That makes it hard to invest in things like, I don't know, security, no?
Nut: Yes, exactly. And that takes us to the second big problem: 'Chronic Fraud Exposure.' Because, you see, unlike a concert ticket, a gift card balance? The original seller could use it after they've sold it on the platform.
Tara: What?
Nut: Yeah! You verify the balance when they sell it to you, right? And then they just go and use it themselves. And the marketplace, Cardpool, was always on the hook for that.
Tara: Oh, that's just... that's horrible. No. So the buyer gets a card from Cardpool, and it's empty? When they try to use it? That's a very, very fast way to lose customer trust. So fast.
Nut: Yes, totally. And then the third problem, and this is a big one: 'No Durable Competitive Moat.' Cardpool was already third in market share when they got acquired, you know? There was just nothing, no proprietary tech, nothing about their model that no one else could do.
Tara: So, anyone could do it.
Nut: Anyone! So their only real defense, their only hope, was like, operational excellence. Which, with all these other issues? Impossible. Very difficult.
Tara: So it sounds like the idea itself, I mean, it looked good on paper, but it just had these fundamental issues from the start. No, it wasn't just fragile. It wasn't easy to build a real business at all.
Nut: Yeah, that's the article's point. And, believe it or not, it just got worse. This company, it was sold, like, not once, but three separate times.
Tara: Three times?
Nut: Yeah. First to Blackhawk in 2011, then a private buyer in 2019. And the article, it really argues that these transitions, they just... they really degraded the company's resilience. Just made it weaker.
Tara: Ah, okay. So it was already weak, and then being sold just made it weaker, less able to handle these problems?
Nut: Yes, exactly! And this, this is the really wild part. That's exactly when that massive, hidden data breach we started with, it happened. While it was being sold the final time in 2019, that's when the hacker was in there for six months. It's like the company was already crumbling from the inside, you know? Just... falling apart.
Tara: But if StubHub's founder and all these smart investors put money into it, surely they saw potential? Maybe it was a brilliant idea, but the execution and the later sales just killed it?
Nut: You know, I... I get what you're saying. Because a YC company, right? With that kind of investor list, like you said, a lot of smart people, they clearly saw potential. Maybe, I don't know, maybe the fraud could have been managed. If there was enough investment, or if the margins weren't so tight... from the very beginning.
Tara: But the article is saying the problem was built into the asset itself, no? A gift card is just different from a concert ticket. You can't change that fundamental nature of it. It's always going to be easy to double-spend.
Nut: But they did try things! They had mobile apps for instant delivery, they even tried peer-to-peer selling. They were trying to innovate around the problem.
Tara: Yes, but if the core business model is so thin, and the fraud is so chronic, how much innovation can you really afford before you're just losing money on every transaction? It sounds like they were trying to fix a leak with a band-aid when the whole pipe was corroded, no?
Nut: I... I still think that if they had, if they had just stayed independent, or maybe, or maybe with a different acquirer... it could have been. It really could have been different. The constant selling, you know, the operational decay... for me, that just, that really feels like the real killer.
Tara: Hmm, I don't know. The article makes a strong case that it was structurally unsound from day one. And the ultimate failure was just a matter of time.
Nut: And the worst part, Tara, is that when it all finally fell apart, when they shut down in 2021... the buyers who had purchased cards? They just lost their money. Completely. No guarantee. Gone. And that data breach, remember? The one we started with? It didn't even come out until after they closed. After the company was already gone. Millions of dollars. Stolen card data. Out there.
Tara: So, not only did the business fail, but it also really betrayed the trust of its users in the end. That's a tough lesson about what a guarantee actually means in a digital marketplace.
Nut: It really, really is. It makes you think. I'm Nut.
Tara: And I'm Tara. This has been Startups RIP's Station.