13 Apr 2019

Microsoft: Hackers compromised support agent’s credentials to access customer email accounts

On the heels of a trove of 773 million emails, and tens of millions of passwords, from a variety of domains getting leaked in January, Microsoft has faced another breach affecting its web-based email services.

Microsoft has confirmed to TechCrunch that a certain “limited” number of people who use web email services managed by Microsoft — which cover services like @msn.com and @hotmail.com — had their accounts compromised.

According to an email Microsoft has sent out to affected users (the reader who tipped us off got his late Friday evening), malicious hackers were potentially able to access an affected user’s e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses the user communicates with — “but not the content of any e-mails or attachments,” nor — it seems — login credentials like passwords.

Microsoft is still recommending that affected users change their passwords regardless.

The breach occurred between January 1 and March 28, Microsoft’s letter to users said. 

The hackers got into the system by compromising a customer support agent’s credentials, according to the letter. Once identified, those credentials were disabled. Microsoft told users that it didn’t know what data was viewed by the hackers or why, but cautioned that users might see more phishing or spam emails as a result. “You should be careful when receiving any e-mails from any misleading domain name, any e-mail that requests personal information or payment, or any unsolicited request from an untrusted source.”

We are printing the full text of the email below, but a separate email sent to us, from Microsoft’s Information Protection and Governance team, confirmed some of the basic details, adding that it has increased detection and monitoring on those accounts affected.

Microsoft recently became aware of an issue involving unauthorized access to some customers’ web-based email accounts by cybercriminals. We addressed this scheme by disabling the compromised credentials to the limited set of targeted accounts, while also blocking the perpetrators’ access. A limited number of consumer accounts were impacted, and we have notified all impacted customers. Out of an abundance of caution, we also increased detection and monitoring to further protect affected accounts. 

Right now, a lot of question marks remain. It’s unclear exactly how many people or accounts were affected, or in which territories they are located — but it seems that at least some were in the European Union, since Microsoft also provides information for contacting Microsoft’s data protection officer in the region.

We also don’t know how the agent’s credentials were compromised, or if the agent was a Microsoft employee, or if the person worked for a third party providing support services. And Microsoft has not explained how it discovered the breach. It’s also not immediately known if or how many enterprise customers are affected.

We have asked Microsoft all of the above and will update this post as we learn more.

In an age when cybersecurity breaches are revealed daily, email addresses are among the most commonly leaked pieces of personal information. There is even a site dedicated to helping people find out whether they are among those affected: Have I Been Pwned, as the site is called, now has over 7.8 billion email addresses in its database.

We’ll update this post as we learn more. The letter from Microsoft to affected users follows.

Dear Customer

Microsoft is committed to providing our customers with transparency. As part of maintaining this trust and commitment to you, we are informing you of a recent event that affected your Microsoft-managed email account.

We have identified that a Microsoft support agent’s credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account. This unauthorized access could have allowed unauthorized parties to access and/or view information related to your email account (such as your e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses you communicate with), but not the content of any e-mails or attachments, between January 1st 2019 and March 28th 2019.

Upon awareness of this issue, Microsoft immediately disabled the compromised credentials, prohibiting their use for any further unauthorized access. Our data indicates that account-related information (but not the content of any e-mails) could have been viewed, but Microsoft has no indication why that information was viewed or how it may have been used. As a result, you may receive phishing emails or other spam mails. You should be careful when receiving any e-mails from any misleading domain name, any e-mail that requests personal information or payment, or any unsolicited request from an untrusted source (you can read more about phishing attacks at https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/phishing).

It is important to note that your email login credentials were not directly impacted by this incident. However, out of caution, you should reset your password for your account.

If you require further assistance, or have any additional questions or concerns, please feel free to reach out to our Incident Response Team at ipg-ir@microsoft.com. If you are a citizen of the European Union, you may also contact Microsoft’s Data Protection Officer at:

EU Data Protection Officer
Microsoft Ireland Operations Ltd
One Microsoft Place,
South County Business Park,
Leopardstown, Dublin 18, Ireland
dpoffice@microsoft.com

Microsoft regrets any inconvenience caused by this issue. Please be assured that Microsoft takes data protection very seriously and has engaged its internal security and privacy teams in the investigation and resolution of the issue, as well as additional hardening of systems and processes to prevent such recurrence.

13 Apr 2019

Startups Weekly: Lessons from a failed founder

I sat down with Menlo Ventures partner Shawn Carolan this week to talk about his early investment in Uber. Menlo, if you remember, led Uber’s Series B and has made a hefty sum over the years selling shares in the ride-hailing company. I’ll have more on that later; for now, I want to share some of the insights Carolan had on his experience ditching venture capital to become a founder.

Around when Menlo made its first investment in Uber, Carolan began taking a step back from the firm and building Handle, a startup that built tools to help people be more productive. Despite years of hard work, Handle was ultimately a failure. Carolan said he shed a lot of tears over its demise, but used the experience to connect more intimately with founders and to offer them more candid, authentic advice.

“People in the valley are always achievement-oriented; it’s always about the next thing and crushing it and whatever,” Carolan told TechCrunch. “When [Handle] shut down, I had this spreadsheet of all the people who I felt like I disappointed: Seed investors who invested in me, all the people at Menlo and my friends who had tweeted out early stuff. It was a long spreadsheet of like 60 people. And when I started a sabbatical, what I said was I’m going to go connect with everyone and apologize.”

Today, Carolan encourages founders to own their vulnerabilities.

“It’s OK to admit when you’re wrong,” he said. “Now I can see it on [founders’] faces, I can see when they’re scared. And they’re not going to say they’re scared but I know it’s tough. This is one of the toughest things that you’re going to go through. Now I can be there emotionally for these founders and I can say ‘here’s how you do it, here’s how you talk to your team and here’s what you share.’ A lot of founders feel like they have to do this alone and that’s why you have to get comfortable with your vulnerability.”

After Handle shuttered, Carolan returned to Menlo full time and made the firm a boatload of money from Roku’s IPO and now Uber’s. Anyway, thought those were some nice anecdotes that should be shared since most of our feeds are dominated by Silicon Valley hustle porn.

Want more TechCrunch newsletters? Sign up here. Ok, on to other news…

IPO corner

Funds on funds on funds

There were so many fund announcements this week; here’s a quick list.

Extra Crunch

Lots of great new exclusive content for our Extra Crunch subscribers is on the site, including this deep dive into the challenges of transportation startup profits. Plus: When to ditch a nightmare customer, before they kill your startup; The right way to do AI in security; and The definitive Niantic reading guide.

Lawsuits

Sinemia, that one MoviePass competitor, has run into its fair share of bumps in the road. TechCrunch’s Brian Heater hopped on the phone with the startup’s CEO this week to learn more about those bumps, why it’s terminating accounts en masse, the class-action lawsuit it’s battling and more.

Photo by Stephen McCarthy / RISE via Sportsfile

Startup capital

Battlefield!

TechCrunch’s Startup Battlefield brings the world’s top early-stage startups together on one stage to compete for non-dilutive prize money, and the attention of media and investors worldwide. Here’s a quick update on some of our BF winners and finalists:

#Equitypod

If you enjoy this newsletter, be sure to check out TechCrunch’s venture-focused podcast, Equity. In this week’s episode, available here, Crunchbase News editor-in-chief Alex Wilhelm, myself and Phil Libin, the founder of Evernote and AllTurtles, chat about the importance of IPOs. Plus, in a special Equity Shot, Alex and I unpack the Uber S-1.

13 Apr 2019

Spy on your smart home with this open source research tool

Researchers at Princeton University have built a web app that lets you (and them) spy on your smart home devices to see what they’re up to.

The open source tool, called IoT Inspector, is available for download here. (Currently it’s Mac OS only, with a wait list for Windows or Linux.)

In a blog post about the effort, the researchers write that their aim is to offer a simple tool for consumers to analyze the network traffic of their Internet-connected gizmos. The basic idea is to help people see whether devices such as smart speakers or wi-fi enabled robot vacuum cleaners are sharing their data with third parties. (Or indeed how much snitching their gadgets are doing.)

Testing the IoT Inspector tool in their lab the researchers say they found a Chromecast device constantly contacting Google’s servers even when not in active use.

A Geeni smart bulb was also found to be constantly communicating with the cloud — sending and receiving traffic via a domain (tuyaus.com) that’s operated by a China-based company with a platform that controls IoT devices.

There are other ways to track devices like this — such as setting up a wireless hotspot and sniffing IoT traffic with a packet analyzer like Wireshark. But the level of technical expertise required puts them out of reach for many consumers.

The researchers say their web app doesn’t require any special hardware or complicated set-up, so it sounds easier than packet sniffing your devices yourself. (Gizmodo, which got an early look at the tool, describes it as “incredibly easy to install and use”.)

One wrinkle: the web app doesn’t work with Safari; it requires Firefox or Google Chrome (or another Chromium-based browser).

The main caveat is that the team at Princeton do want to use the gathered data to feed IoT research — so users of the tool will be contributing to efforts to study smart home devices.

The title of their research project is Identifying Privacy, Security, and Performance Risks of Consumer IoT Devices. The listed principal investigators are professor Nick Feamster and PhD student Danny Yuxing Huang at the university’s Computer Science department.

The Princeton team says it intends to study privacy and security risks and network performance risks of IoT devices. But they also note they may share the full dataset with other non-Princeton researchers after a standard research ethics approval process. So users of IoT Inspector will be participating in at least one research project. (Though the tool also lets you delete any collected data — per device or per account.)

“With IoT Inspector, we are the first in the research community to produce an open-source, anonymized dataset of actual IoT network traffic, where the identity of each device is labelled,” the researchers write. “We hope to invite any academic researchers to collaborate with us — e.g., to analyze the data or to improve the data collection — and advance our knowledge on IoT security, privacy, and other related fields (e.g., network performance).”

They have produced an extensive FAQ which anyone thinking about running the tool should definitely read before getting involved with a piece of software that’s explicitly designed to spy on your network traffic. (tl;dr, they’re using ARP-spoofing to intercept traffic data — a technique they warn may slow your network, in addition to the risk of their software being buggy.)

The dataset being harvested by the traffic analyzer tool is anonymized, and the researchers specify they’re not gathering any public-facing IP addresses or locations. But there are still some privacy risks — such as if you have smart home devices you’ve named using your real name. So, again, do read the FAQ carefully if you want to participate.

For each IoT device on a network the tool collects multiple data-points and sends them back to servers at Princeton University — including DNS requests and responses; destination IP addresses and ports; hashed MAC addresses; aggregated traffic statistics; TLS client handshakes; and device manufacturers.

The tool has been designed not to track computers, tablets and smartphones by default, given the study’s focus on smart home gizmos. Users can also manually exclude individual smart devices from being tracked, either by powering them down during setup or by specifying their MAC address.

Up to 50 smart devices can be tracked on the network where IoT Inspector is running. Anyone with more than 50 devices is asked to contact the researchers to ask for an increase to that limit.
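As an added illustration (not the Princeton team’s code), here is a Python sketch of the per-device record the article describes: DNS queries, destination IP and port, a hashed MAC, aggregated traffic counts, TLS client handshake names and a manufacturer label, with exclusion by MAC and the 50-device cap. The keyed hash with a locally kept salt, the OUI table and the flow records are all assumptions constructed for the example.

```python
import hashlib
import hmac

# Constructed OUI-prefix -> vendor table; illustrative only, not a real registry.
OUI_TABLE = {
    "00:11:22": "ExampleBulbCo",
    "aa:bb:cc": "ExampleSpeakerCo",
}

MAX_DEVICES = 50  # per-network limit quoted in the article

# Constructed flow records as a home gateway might observe them. Fields: source
# MAC, destination IP and port, byte count, DNS query name (when the packet was
# a DNS request) and TLS SNI (when a ClientHello was seen). No source IP is kept.
SAMPLE_FLOWS = [
    {"mac": "00:11:22:33:44:55", "dst_ip": "203.0.113.10", "dst_port": 443,
     "bytes": 1800, "dns": "tuyaus.com", "sni": "tuyaus.com"},
    {"mac": "00:11:22:33:44:55", "dst_ip": "203.0.113.10", "dst_port": 443,
     "bytes": 420, "dns": None, "sni": None},
    {"mac": "aa:bb:cc:dd:ee:ff", "dst_ip": "198.51.100.7", "dst_port": 8009,
     "bytes": 96, "dns": "www.example.net", "sni": None},
    # A laptop on the same network; the user excludes it by MAC (see below).
    {"mac": "de:ad:be:ef:00:01", "dst_ip": "192.0.2.5", "dst_port": 443,
     "bytes": 5000, "dns": None, "sni": "sync.example"},
]


def hash_mac(mac: str, salt: bytes) -> str:
    """Pseudonymise a MAC address with a keyed hash (HMAC-SHA256, truncated).

    A plain, unkeyed hash of a MAC is not anonymous: once the 24-bit vendor
    prefix is known, only 2**24 candidates remain and they can be exhausted in
    seconds. The salt stays on the user's machine and is never uploaded, so the
    same device is linkable across records but not re-identifiable from them.
    """
    return hmac.new(salt, mac.lower().encode(), hashlib.sha256).hexdigest()[:16]


def vendor_of(mac: str) -> str:
    """Manufacturer label derived from the first three octets (the OUI)."""
    return OUI_TABLE.get(mac.lower()[:8], "unknown")


def build_report(flows, salt: bytes, excluded_macs=()):
    """Aggregate flows into one pseudonymous record per device.

    Devices listed in excluded_macs are dropped entirely; the raw MAC never
    appears in the output, only its keyed hash. Raises ValueError above the
    device cap, mirroring the tool's "contact the researchers" behaviour.
    """
    excluded = {m.lower() for m in excluded_macs}
    per_device = {}
    for flow in flows:
        mac = flow["mac"].lower()
        if mac in excluded:
            continue
        rec = per_device.setdefault(mac, {
            "device_id": hash_mac(mac, salt),
            "manufacturer": vendor_of(mac),
            "dns_queries": set(),
            "destinations": set(),
            "tls_sni": set(),
            "packets": 0,
            "bytes": 0,
        })
        rec["packets"] += 1
        rec["bytes"] += flow["bytes"]
        rec["destinations"].add((flow["dst_ip"], flow["dst_port"]))
        if flow["dns"]:
            rec["dns_queries"].add(flow["dns"])
        if flow["sni"]:
            rec["tls_sni"].add(flow["sni"])
    if len(per_device) > MAX_DEVICES:
        raise ValueError(
            f"{len(per_device)} devices exceeds the {MAX_DEVICES}-device limit")
    # Keyed by raw MAC until here; only the pseudonymous records leave the host.
    return sorted(per_device.values(), key=lambda r: r["device_id"])


if __name__ == "__main__":
    for rec in build_report(SAMPLE_FLOWS, b"constructed-local-salt",
                            excluded_macs=["DE:AD:BE:EF:00:01"]):
        print(rec)
```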

The project team has produced a video showing how to install the app on Mac:

13 Apr 2019

Did you fly a drone over Fenway Park? The FAA would like a chat

Drones are great. But they are also flying machines that can do lots of stupid and dangerous things. Like, for instance, fly over a major league baseball game packed with spectators. It happened at Fenway Park last night, and the FAA is not happy.

The illegal flight took place last night during a Red Sox-Blue Jays game at Fenway; the drone, a conspicuously white DJI Phantom, reportedly first showed up around 9:30 PM, coming and going over the next hour.

One of the many fans who shot a video of the drone, Chris O’Brien, told CBS Boston that “it would kind of drop fast then go back up then drop and spin. It was getting really low and close to the players. At one point it was getting really low and I was wondering are they going to pause the game and whatever, but they never did.”

Places where flying is regularly prohibited, like airports and major landmarks like stadiums, often have no-fly rules baked into the GPS systems of drones — and that’s the case with DJI. In a statement, however, the company said that “whoever flew this drone over the stadium apparently overrode our geofencing system and deliberately violated the FAA temporary flight restriction in place over the game.”

The FAA said, both to local news and in a tweet explaining why the flight was illegal, that it (and Boston PD) is investigating.

That’s three nautical miles, which is quite a distance, covering much of central Boston. You don’t really take chances when there are tens of thousands of people all gathered in one spot on a regular basis like that. Drones open up some pretty ugly security scenarios.

Of course, this wasn’t a mile and a half from Fenway, which might have earned a slap on the wrist, but directly over the park, which as the FAA notes above could lead to hundreds of thousands in fines and actual prison time. It’s not hard to imagine why: If that drone had lost power or caught a gust (or been hit by a fly ball, at that altitude), it could have hurt or killed someone in the crowd.

It’s especially concerning when the FAA is working on establishing new rules for both hobby and professional drone use. You should leave a comment there if you feel strongly about this, by the way.

Here’s hoping they catch the idiot who did this. It just goes to show that you can’t trust people to follow the rules, even when they’re coded into a craft’s OS. It’s things like this that make mandatory registration of drones sound like a pretty good idea.

(Red Sox won, by the way. But the season’s off to a rough start.)

13 Apr 2019

Hackers publish personal data on thousands of US federal agents

A hacker group has breached several FBI-affiliated websites and uploaded their contents to the web, including dozens of files containing the personal information of thousands of federal agents and law enforcement officers, TechCrunch has learned.

The hackers breached three sites associated with the FBI National Academy Association, a coalition of different chapters across the U.S. promoting law enforcement leadership and training. The hackers exploited flaws on at least three of the organization’s chapter websites — which we’re not naming — and downloaded the contents of each web server.

The hackers then put the data up for download on their own website, which we’re also not naming or linking to, given the sensitivity of the data.

The spreadsheets contained about 4,000 unique records after removing duplicates, including member names, email addresses, job titles, phone numbers and their postal addresses. The FBINAA could not be reached for comment outside of business hours. If we hear back, we’ll update.

TechCrunch spoke to one of the hackers, who didn’t give their name, through an encrypted chat late Friday.

“We hacked more than 1,000 sites,” said the hacker. “Now we are structuring all the data, and soon they will be sold. I think something else will publish from the list of hacked government sites.” We asked if the hacker was worried that the files they put up for download would put federal agents and law enforcement at risk. “Probably, yes,” the hacker said.

The hacker claimed to have “over a million data” [sic] on employees across several U.S. federal agencies and public service organizations.

It’s not uncommon for data to be stolen and sold in hacker forums and in marketplaces on the dark web, but the hackers said they would offer the data for free to show that they had something “interesting.”

Unprompted, the hacker sent a link to another FBINAA chapter website they claimed to have hacked. When we opened the page in a Tor browser session, the website had been defaced — prominently displaying a screenshot of the encrypted chat moments earlier.

The hacker — one of more than ten, they said — used public exploits, indicating that many of the websites they hit weren’t up-to-date and had outdated plugins.

In the encrypted chat, the hacker also provided evidence of other breached websites, including a subdomain belonging to manufacturing giant Foxconn. One of the links provided did not need a username or a password but revealed the back-end to a Lotus-based webmail system containing thousands of employee records, including email addresses and phone numbers.

Their end goal: “Experience and money,” the hacker said.

13 Apr 2019

China’s startup ecosystem is hitting back at demanding working hours

In China, the laws limit work to 44 hours a week and require overtime pay for anything above that. But many aren’t following the rules, and a rare online movement puts a spotlight on extended work hours in China’s booming tech sector. People from all corners of society have rallied in support for improvements to startup working conditions, while some warn of hurdles in a culture ingrained in the belief that more work leads to greater success.

In late March, anonymous activists introduced 996.ICU, a domain name that represents the grueling life of Chinese programmers, who work from 9 am to 9 pm, 6 days a week, with the threat of ending up in the ICU, a hospital’s intensive care unit. The site details local labor laws that explicitly prohibit overtime work without pay. The slogan “Developers’ lives matter” appears at the bottom in solemn silence.

A project called 996.ICU soon followed on GitHub, the Microsoft-owned code and tool sharing site. Programmers flocked to air their grievances, compiling a list of Chinese companies that reportedly practice 996 working. Among them were major names like e-commerce leaders Alibaba, JD.com and Pinduoduo, as well as telecoms equipment maker Huawei and Bytedance, the parent company of the red-hot short video app TikTok.

In an email response to TechCrunch, JD claimed it doesn’t force employees to work overtime.

“JD.com is a competitive workplace that rewards initiative and hard work, which is consistent with our entrepreneurial roots. We’re getting back to those roots as we seek, develop and reward staff who share the same hunger and values,” the spokesperson said.

Alibaba declined to comment on the GitHub movement, although founder Jack Ma shared on Weibo Friday his view on the 996 regime.

“No companies should or can force employees into working 996,” wrote Ma. “But young people need to understand that happiness comes from hard work. I don’t defend 996, but I pay my respect to hard workers!”

Bytedance declined to comment on whether its employees work 996. We contacted Huawei but had not heard back from the company at the time of writing.

996.ICU rapidly rocketed to be the most-starred project on GitHub, which claims to be the world’s largest host of source code. The protest certainly turned heads among tech bosses, as China-based users soon noticed that a number of browsers owned by companies practicing 996 had restricted access to the webpage.

The 996 dilemma

The 996 list is far from exhaustive, as it comprises voluntary entries from GitHub users. It’s also hard to nail down the average work hours at a firm, especially a behemoth with tens of thousands of employees where policies can differ across departments. For instance, it’s widely acknowledged that developers work longer than their peers in other units. Anecdotally, TechCrunch has heard that bosses in some organizations often find ways to exploit loopholes, such as setting unrealistic KPIs without explicitly writing 996 into employee contracts.

“While our company doesn’t force us into 996, sometimes, poor planning from upper management forces us to work long hours to meet arbitrary management deadlines,” a Beijing-based engineer at a professional networking site told TechCrunch. This person is one of many sources who spoke anonymously because they are not authorized to speak to media.

BEIJING, CHINA, APRIL 25, 2018: Passenger on a train in the Beijing Subway. Photo by Donat Sorokin/TASS via Getty Images

Other companies are more vocal about 996, taking pride in their excessively diligent culture. Youzan, the Tencent-backed, Shopify-like e-commerce solution provider, explicitly demanded that staff live out a 996 work style. Employees subsequently filed complaints in January with local labor authorities, which were said to have launched an investigation into Youzan.

Many companies are like Youzan in equating long hours of work with success. That mindset can easily lure programmers or other staff into accepting extra work time. But employees are hardly the only ones burning out, as entrepreneurs are under even greater pressure to grow the businesses they build from scratch.

“The recent debate over 996 brings to light the intense competition in China’s tech industry. To survive, startups and large companies have no choice but to work extremely hard. Some renowned entrepreneurs even work over 100 hours a week,” Jake Xie, vice president of investment at China Growth Capital, an early-stage venture fund, told TechCrunch.

“Overtime is a norm at many internet companies. If we don’t work more, we fall behind,” said a founder of a Shenzhen-based mobile game development startup. Competition is particularly cut-throat in China’s mobile gaming sector, where creativity is in short supply and a popular shortcut to success is knocking off an already viral title. Speed, therefore, is all that matters.

Meanwhile, a high-performing culture brewing in China may neutralize society’s resistance to 996. Driven individuals band together at gyms and yoga studios to sweat off stress. Getting group dinners before returning to work every night becomes essential to one’s social life, especially for those that don’t yet have children.

Photo source: Jack Ma via Weibo

“There is a belief that more hours equals more learning. I think some percentage of people want to put in more hours, and that percentage is highest for 22 to 30 years old,” a Shanghai-based executive at a tech company told TechCrunch. “A few people in my team have expressed to us that they feel they cannot grow as fast as their friends who are working at companies that practice 996.”

“If you don’t work 996 when you’re young, when will you?” wrote 54-year-old Jack Ma in his Weibo post. “To this day, I’m definitely working 12 to 12, let alone 996… Not everyone practicing 996 has the chance to do things that are valuable and meaningful with a sense of achievement. So I think it’s a blessing for the BATs of China to be able to work 996.”

(BAT is short for Baidu, Alibaba and Tencent, named for their digital dominance in China, akin to FAANG in the west.)

Demanding hours are certainly not unique to the tech industry. Media and literature have long documented the strenuous work conditions in China’s manufacturing sector. Neighboring Japan is plagued by karoshi or “death from overwork” among its salarymen and Korean companies are also known for imposing back-breaking hours on workers, compelling the government to step in.

Attempts to change

Despite those apparent blocks, the anti-996 movement has garnered domestic attention. The trending topic “996ICU gets blocked by large companies” has generated nearly 2,000 posts and 6.3 million views on Weibo. China’s state-run broadcaster CCTV chronicled the incident and accused overtime work of causing “substantial physical and psychological consequences” in employees. Outside China, Python creator Guido van Rossum raised awareness about China’s 996 work routine in a tweet and on a forum.

“Can we do something for 996 programmers in China?” he wrote in a thread viewed 16,700 times.

The 996 campaign that began as a verbal outcry soon led to material acts. Shanghai-based lawyer Katt Gu and startup founder Suji Yan, who say they aren’t involved in the 996.ICU project, put forward an Anti-996 License that would bar companies in violation of domestic or global labor laws from using open source software released under it.

But some cautioned the restriction may undermine the spirit of open source, which denotes that a piece of software is distributed free and the source code undergirding it is accessible to others so they can study, share and modify the creator’s work.

“I strongly oppose and condemn 996, but at the same time I disagree with adding discretionary clauses to an open source project or using an open source project for the political game,” You Yuxi, creator of open-source project Vue, which was released under the MIT license, said on the Chinese equivalent to Twitter, Weibo. (Gu denies her project has any “political factors.”)

Others take a less aggressive approach, applauding companies that embrace the more humane schedule of “9 am to 5 pm for 5 days a week” via the “995.WLB” GitHub project. (WLB is short for “work-life balance.”) On this list are companies like Douban, the book and film review site famous for its “slow” growth but enduring popularity with China’s self-proclaimed hippies. WeWork, the workplace service provider that bills itself as showing respect for employees’ lives outside work, was also nominated.

While many nominees on the 996 list appear to be commercially successful, others point to a selection bias in the notion that more work bears greater fruit.

“If a company is large enough and is revealed to be practicing 996, the issue gets more attention. Take Youzan and JD for example,” a Shanghai-based developer at an enterprise software startup told TechCrunch.

“Conversely, a lot of companies that do practice 996 but have not been commercially successful are overlooked. There is no sufficient evidence that shows a company’s growth is linked to 996… What bosses should evaluate is productivity, not hours.”

Or, as some may suggest, managers should get better at incentivizing employees rather than blindly asking for more hours.

“As long as [China’s] economy doesn’t stall, it may be hard to stop 996 from happening. This is not a problem of the individual. It’s an economic problem. What we can do is offering more humane care and inspiring workers to reflect, ‘Am I working at free will and with passion?’ instead of looking at their work hours,” suggested Xie of China Growth Capital.

While a push towards more disciplined work hours may be slow to come, experts have suggested another area where workers can strive for better treatment.

“It seems almost all startups in China underfund the social security or housing fund especially when they are young, that is, before series A or even series B financing,” Benjamin Qiu, partner at law firm Loeb & Loeb LLP, explained to TechCrunch.

“Compared to 996, the employees have an even stronger legal claim on the above since it violates regulations and financially hurts the employee. That said, the official social credit and housing fund requirement in China appears to be an undue burden on the employer compared to Silicon Valley, but if complied with, it could be understood as an offset of the 996 culture.”

A number of my interviewees spoke on condition of anonymity, not because their companies promote 996 but, curiously, because their employers don’t want to become ensnared in the 996 discussions. “We don’t need to tell people we support work-life balance. We show it with action,” said a spokesperson for one company.

12 Apr 2019

Data tells us that investors love a good story

Hundreds of billions of dollars in venture capital went into tech startups last year, topping off huge growth this decade. Here at DocSend, we’re seeing the downstream effects in our data: investors who receive DocSend links are reviewing more pitch decks than ever, as more people build companies and try to get a slice of the funding opportunities.

So it stands to reason that making your pitch deck stand out is critical to raising a round. But how do you do that in such a competitive landscape?

After analyzing both successful and failed fundraising pitch decks, we’ve learned that storytelling matters and this hasn’t changed over the last few years. This makes intuitive sense — who doesn’t love a good story?

But does telling a story help founders raise capital successfully? And more importantly, do you fail to fundraise if you don’t tell a story? In this post, I’m going to share some hard evidence.

It follows up on my post over on TechCrunch, looking at three big mistakes we see in failed pitch decks.

Before we start diving into the data, here’s how we know: our document sharing and tracking platform is used every day by thousands of startups to share their decks securely with investors, with visits to pitch decks shared via DocSend having grown 4x from 2017 to 2018. Controlling for DocSend’s growth, we estimate that investors viewed 35% more decks in 2018 than they did in 2017.

In total, over 100,000 users have shared over 2.2 million links through DocSend since we launched in 2014, and these documents have received over 220 million views; while we’ve grown quickly among sales, business development and customer success teams, startup pitch decks have continued to be a popular use-case. We’ve also been analyzing the pitch data in a collaboration with Harvard Business School since 2015, so we’re experienced at analyzing and interpreting this data.

First impressions stick

The old adage “you only get one chance to make a first impression” is true when it comes to pitch decks, and in fact that was the case for our company’s own fundraising process. When I pitched DocSend for our seed round, I knew what we were up against — why will this be a big business? And, why won’t Google build this? Our product was still in private beta, and we had no revenue. However, we had an MVP and those who were using our product, including our potential investors, found the product to be very useful.

12 Apr 2019

Pitching your product will kill your fundraising

Fundraising has always been something of a black box. High-flying companies make it seem like a breeze, but most entrepreneurs lose sleep over it. My first startup was called Pursuit.com and although we successfully raised a seed round, it was incredibly tough (we were eventually acqui-hired by Facebook). DocSend is my second startup, and it has taught me a lot about the process — not only because of our own fundraising, but because the product itself reveals big pitching trends in a unique way.

Since 2014, over 100,000 users have shared over 2.2 million links through our document tracking and sharing platform, and these documents have received over 220 million views. Thousands of founders share their funding decks with prospective investors every day, in addition to our product’s other uses for sales, business development and customer success. To get insights about all this activity, we have a long-running partnership with Harvard Business School, where we’ve been analyzing the anonymized fundraising data of startups attempting to raise a Seed or an A round.

We shared our early learnings in a TechCrunch article in 2015, Lessons from a study of perfect pitch decks. In this post, I’ll update our findings based on the last four years of data (and a lot of user growth on our side).

So what differentiates a winning seed round pitch deck from those that fail to raise capital? While both successful and failed pitch decks are about the same length, an average of 18 pages, how the content is structured is vastly different. And while investors spend the same amount of time on both, 3.7 minutes on average, where they spend time tells us a lot about what successful pitches and failed pitches have in common. Below, I detail three mistakes that you want to avoid.

If you want to check out more details on what you should do in your deck, read my follow-up article “Data tells us that investors love a good story” over on Extra Crunch.

Mistake 1: Don’t start with your product

It’s very tempting, especially for technical founders, to start pitch decks with how incredible their product is, how much time they’ve spent building it, their unique tech stack, and how convinced they are that they have just the right MVP for launch. But guess what?

All failed pitch decks start with the product. Investors spend 4x more time on product slides in failed pitch decks than they do in successful pitch decks.

You might think that’s a good thing. More time on my product slides, right? No. The data tells us that they are probably digging into the details, trying to map your product’s value to current market needs, and they are not coming away with a clear connection between the two.

Your target investors are also not your target customers. Showing them screenshots and product details is just confusing. What are they looking at? Why does this matter? Most products are capable of being built; the question investors are trying to answer is why this product is going to create a big business.

Image via DocSend

Mistake 2: Not starting with the “Why?”

By now Simon Sinek has beaten this one into our collective brains with his “Start With Why” TED Talk, and yet what we see in our data is that in failed decks, the “why now” and “why you” questions have been left to the end. Successful pitches start with their company purpose, followed by why this team, and why the timing is right for this particular product.

All successful pitch decks start with the company’s purpose, their raison d’être.

In successful decks, investors spend 27 seconds on average on the “why now” and “why you” slides, but in failed decks they spend 62 seconds on these slides. We read this as investors spending more time researching your team and your capabilities than they do with successful pitch decks. More time spent on these pages means that investors are not as convinced about the venture as the entrepreneur would like them to be. Entrepreneurs should focus on making their “why” slides part of a seamless narrative that leaves investors wondering why this isn’t already a huge business.

Image via DocSend

Mistake 3: Not telling a story

Everyone loves a good story and investors are no exception to this rule. All successful pitch decks tell a compelling story and follow a similar narrative thread. They start with the company purpose, the big problem they are trying to solve, why now is the right time, and why they are the right team to solve it. Failed pitch decks start with the product, followed by business model, and competitive landscape. Successful decks cover these too but they invariably follow a narrative that makes intuitive sense while in failed decks there is no compelling narrative.

In failed decks, investors spend more time on product, team, and financials, 6 minutes on average, vs. 2 minutes in successful decks.

Successful decks also get more repeat visits: they are visited 2.3 times more often than failed decks, and they are forwarded along more often than failed pitch decks.

Image via DocSend

Your purpose is more important than your product

In the early days, entrepreneurs spend most of their time conceiving and building their minimum viable product (MVP). Naturally, they feel compelled to pitch this to investors. Although unintuitive, data suggests that you should restrain yourself from talking about your product before you have painted a narrative about the business opportunity: why now and why you. Once investors are convinced of those key points, by all means, go through all the product details and roadmaps. Just don’t lead with your product.

This is the first of a series of articles about fundraising. My follow-up article, now available on Extra Crunch, reveals what our data shows you should do with your deck. In future installments, I’ll be sharing more about the difference between Seed, Series A, and Series B rounds, as well as how fundraising challenges change as your company grows. For the next post, I’ll be writing about why some pitch decks raise way more money than others. In the meantime, have questions about the best way to raise money? Check out our blog or reach out to us on Twitter at @rheddleston or @docsend.

12 Apr 2019

Facebook spent $20 million last year on Zuckerberg’s personal protection

2018 was by all means a very rough year for Facebook. The company, which spent the year reeling from the Cambridge Analytica scandal and a general bubbling-up of public anger, also had to deal with animosity towards the company’s founder, and it gave the executive a lot of cash to cover a full security detail for himself and his family.

While Facebook CEO Mark Zuckerberg takes a $1 annual salary and does not earn an annual bonus, he gets millions in “other compensation” largely related to security costs. In an SEC document published this afternoon, the company reveals that Zuckerberg earned more than $22 million in “other compensation” in 2018, up from more than $9 million in 2017.

About $2.6 million of the 2018 figure is compensation for Zuckerberg’s personal travel on a private jet, but nearly $20 million of that figure is related to Zuckerberg’s personal security costs.

He was awarded $9,956,847 in pre-tax 2018 income for security related to his personal travel and residential protection. Additionally, the company gave him another pre-tax allowance of $10 million to cover “additional costs” related to his and his family’s personal security. This amounts to nearly triple the cost of the personal protection he had in 2017.

“Because of the high visibility of our company, our compensation & governance committee has authorized an ‘overall security program’ for Mr. Zuckerberg to address safety concerns due to specific threats to his safety arising directly as a result of his position as our founder, CEO, Chairman, and controlling stockholder,” the company document reads.

Personal security program compensation was also given to Facebook COO Sheryl Sandberg who earned $3.8 million in “other compensation” in 2018, $2.9 million of which was for her personal security costs.

12 Apr 2019

A focus on diversity reaps rewards for this Los Angeles investor

The Los Angeles startup scene has come a long way in the three-and-a-half years since Marlon Nichols, Troy Carter and Trevor Thomas launched Cross Culture Ventures. The city and its surrounding Orange County exurbs were at the beginning of a venture capital surge that has seen invested capital in the region rise from $3.63 billion in 2015 to $6 billion last year.

Since Cross Culture landed on the Los Angeles scene with a $50 million fund, Nichols and his partners have notched three exits and seen the paper value of the fund’s portfolio grow by an aggregate of 2,085%, according to people with knowledge of the firm.

And Nichols and his partners have done it by backing one of the most diverse pools of startup founders in any firm’s portfolio.

The road to Cross Culture

The path from growing up in one of the towns on the outer edges of New York to the center of Los Angeles’s burgeoning venture capital industry wasn’t a straight line for Nichols (unlike many other venture investors). Cross Culture’s architect had to make his own way through the tech ranks after college, through a professional career in Europe, then back to business school before finally landing an opportunity with Intel Capital.

His father had worked as a train engineer in Jamaica and relocated the family to New York where his mother worked as a housekeeper before getting her beautician license and opening her own shop. The couple had moved from Jamaica two years before Nichols would take the trip himself — time he spent living with his aunt and grandmother.

Marlon Nichols, co-founder and managing partner, Cross Culture Ventures

Growing up in Mt. Vernon, NY, just north of the Bronx where he’d moved with his parents, Nichols had always expressed an interest in technology. He’d been playing around with computers ever since his parents bought him a Commodore 64.

The first person to attend college in his family, Nichols transferred to Northeastern’s newly developed major in Management Information Systems after starting out in architecture. College gave Nichols his first exposure to life in Silicon Valley as well. Northeastern had an internship program which sent students out of Boston to try their hands in the business world — and Nichols was placed at Hewlett Packard in Cupertino, Calif.

He’d intended to move out to Silicon Valley after graduation, but instead took a job in the Boston offices of Frictionless Commerce — and it was there that Nichols first confronted the constraints that the city’s lack of diversity could mean.

“In Boston there was definitely a racial undertone,” says Nichols. “Going out as a professional… you weren’t treated well.”

He took the opportunity to move to London when it was presented and spent a few years there — playing semi-professional basketball in the evenings and working for Frictionless Commerce during the day.

After the company’s acquisition by SAP in 2006, Nichols consulted at the Blackstone Group and Warner Media. “In those rooms I was again the only one [who was a minority],” he says. “I started getting annoyed by it and started thinking about it a little bit more — I thought about education and opportunities and just knowing that there’s even an opportunity out there for this career path.”

So Nichols created a nonprofit that would help inner city students get into colleges. “I never had an SAT prep-course,” says Nichols. “I didn’t have anyone coaching me.”

The program helped students start to think about applying to Cornell, Vassar and Penn, when they were initially thinking about City University in New York.

As the non-profit took off, Nichols returned to school — Cornell University on a full scholarship to its business school.

“When I started going through that process I saw even fewer of the folks that looked like me,” Nichols recalls.

From Cornell, where Nichols ran the University’s venture capital fund, he was recruited to Intel Corp as part of a management training program. Although Nichols was supposed to rotate through three different business divisions at Intel, once he was placed in Intel Capital he advocated to stay there.

And it was there that he was able to bring his passion for creating opportunities for under-represented minorities and women to an industry that sorely needed it.

It was around the time that the diversity numbers at big technology companies were generating more criticism. The industry had long been held up as an island of meritocracy in a sea of industries rife with sexism, racism and nepotism. When Tracy Chou called for reporting on diversity numbers in 2013, Nichols saw a repeating pattern that perhaps he could do something about at Intel.

Alongside Lisa Lambert, a managing director in Intel Capital’s software and services group, Nichols, who’d been in the new user experience group at Intel Capital, advocated for the creation of a diversity fund at Intel.

“We thought that there’s got to be a way that the folks in charge of deploying capital can be involved in diversity,” Nichols says of the creation of the fund. “Diversity was front and center and then it goes away and then it’s front and center again… There had to be something that could be done from a venture perspective.”

While the diversity fund had no problem finding companies to invest in, these companies were having trouble when they sought additional capital in subsequent rounds, said Nichols.

“I saw that some of the companies — after receiving the funding — were having trouble being viewed as a high-class company which had raised money from one of the largest institutional investors in the world,” says Nichols.

The problem, as Nichols sees it, is that these companies were solving global problems for a broad base of consumers, but their perceived financing as a “diversity” play was an obstacle to their future success.

“I was like, all right… I’m not going to put this tag on their back that would make it difficult for them to raise capital in the future,” Nichols says. “Instead I’m going to look at culture from a global perspective and try to identify emerging trends — if we are successful in doing that — and can be successful in picking trends — I’m going to get a high number of diverse entrepreneurs solving problems for the 99%.”

Chart courtesy of PWC Moneytree/CB Insights

Cross Culture and the Los Angeles opportunity

By the time Nichols was ready to form Cross Culture, other obstacles had emerged at the Intel fund. The focus on diversity had predominantly settled on trying to address venture’s gender problem to the exclusion of other representation issues that Nichols thought the firm had to deal with: race and ethnicity.

In addition, many of the entrepreneurs solving problems in billion-dollar industries that Nichols identified didn’t fall within the Intel mandate. The corporate investor had to back companies that aligned with its strategic vision — something of a challenge when advocating for investments in consumer-focused beauty products for the African American community (for instance).

So, after a stint in the Kauffman Fellows program, Nichols came away with a desire to strike out on his own with the help of a few anchor investors (like Freada Kapor Klein). Klein introduced Nichols to Troy Carter of Atom Factory as another potential investor in the fund.

“I flew down to L.A. and I sat with Troy… we talked for two hours and we really got along and… at the end of the meeting he said, ‘Good to meet you, but I’m not going to invest in your fund.'”

Two weeks after that initial rejection, Nichols got another call from Carter — instead of investing, the music impresario suggested a partnership. With Carter on board as founding partner, the two began laying the groundwork for the fund that would close on its first capital within the next year.

SAN FRANCISCO, CA – SEPTEMBER 23: Troy Carter of Atom Factory speaks onstage during TechCrunch Disrupt SF 2015 at Pier 70 on September 23, 2015 in San Francisco, California. (Photo by Steve Jennings/Getty Images for TechCrunch)

Cross Culture has built a portfolio where 72% of the founders are white women and women and men of color. It’s the only firm to back several African American founders that have gone on to raise significant capital in their A or B rounds, including Blavity, PlayVS, Mayvenn and WonderSchool.

The firm has also already enjoyed some success from early exits.

Gimlet, the podcasting company that Cross Culture backed at a $36 million post-money valuation, sold to Spotify for approximately $230 million. The firm’s other exits include MessageYes, which was sold to Nordstrom, and Skurt, which was acquired by Fair in February of last year.

Nichols has been instrumental in getting the firm in front of fast-growing companies like Airspace Technologies, a provider of on-demand logistics services; PlayVS, the company bringing esports to high schools around the country; and the new mobility company revolutionizing rental cars, Fair. These companies have all seen their value jump in recent months.

After Cross Culture was given the opportunity to invest in Fair through the Skurt acquisition, Fair’s valuation increased by 150% when SoftBank added another $385 million in financing to the rental car company. Airspace’s valuation saw a 733% increase in less than 8 months when Scale Venture Partners led the company’s $20 million Series B (at a valuation over $100 million) and PlayVS saw its value increase by 329% in the six months since Cross Culture invested, according to a person familiar with the fund’s portfolio.

Diishan Imira, the chief executive of Mayvenn, recently raised $23 million for his business selling hair extensions and beauty products to the African American community, up from the $10 million the company had closed when Cross Culture invested as part of the startup’s Series A.

Mayvenn was Cross Culture’s first investment and is a testament to the long-term relationship building behind much of Nichols’ work in the venture community.

“Kirk Collins put together a group of four or five people to get together for me to pitch to and for me to get some money. Marlon was one of the people there… and me and Marlon argued the entire time,” Imira says of that first meeting with Nichols. “We argued for 30 minutes and nothing came of it. But we kept in touch. He always offered advice or support here and there. He kept tracking us. And then… prior to our whole Series A… he had just started Cross Culture. I was like ‘Yo man, I want you guys to come in.’”

Meanwhile, the problem of representation in venture capital was not improving, as the rest of the venture capital industry failed to keep pace. Only 1% of founders of startup companies receiving venture capital backing are African American, and only 1.8% of founders are Latinx, according to data from RateMyInvestor and Diversity VC.

Nichols sees a potential to reverse those trends by focusing on cities and investing in ecosystems that have been historically ignored by venture capital’s white shoe firms and traditional rainmakers.

“We had an office in Palo Alto and an office down here in Culver City,” Nichols recalled. “For the first two years I would come down every other week and Troy would come up every other week. [But] coming down here I could see there was something happening that I hadn’t seen before. Unlike in the Bay Area, I was seeing things being created for a greater percentage of the population.”

Fueled by exits in Dollar Shave Club, Snap, and Oculus more capital was coming in to the ecosystem to back a more diverse group of founders who’d proven they could find success south of the Bay Area.

“Most of the things that are coming out of the Valley these days are meant to be used by people in the Valley as opposed to people in the Bronx, or Queens or Baltimore,” says Nichols. “This is the time to be here. If you are going to invest in the companies of tomorrow you have to go where the world is moving to — and that’s black and brown, honestly.”

Minority founder data

The census supports Nichols’ assessment. By 2044 the United States will have a majority-minority population, and the next generation of consumers is already showing its preferences. Ipsy, founded by Michelle Phan, is a billion-dollar beauty business built by a minority founder, and Pat McGrath Labs, another billion-dollar makeup brand launched by make-up artist Pat McGrath, raised $60 million from Eurazeo Brands.

Cross Culture isn’t just sitting in Los Angeles waiting to find these companies. Nichols and his firm are taking the opportunity on the road. He spent a month in Miami meeting with entrepreneurs and has organized a series of “Culture and Code” events in Detroit and Atlanta to get exposure to startups in those cities as well. Nichols describes them as pop-ups to meet entrepreneurs and investors in those communities.

For Cross Culture, the decision to travel to these urban hubs far from technology’s traditional perch in Silicon Valley is simply an extension of the firm’s broader vision.

“Only 2% of venture capital is black and Latinx and .002 is black women. Part of that is that young folks that look like me don’t know what venture capital is,” says Nichols. “It was kind of eye-opening in the sense of how a good portion of our population thinks about these demographics and what they’re capable of and it was very sad.”

Now, as Cross Culture’s fund is mostly deployed, the firm needs to make a decision about its future. Cross Culture could go out for another $50 million to $100 million, or potentially raise a larger new vehicle.

To date, the firm’s average investment size has been roughly $250,000 across the 34 companies it has backed so far.

For Nichols, the success of these companies is an imperative. Not just to make money, or to prove out his thesis, but because of what failure would mean for other firms that take a broad approach to their investment thesis trying to back the best founders — no matter their background. Nichols believes it’s important for the venture industry, for the economy, and for the broader society.

“There is no way I can fail at this,” Nichols says. “I have to win.”