UPDATE: Blippy is taking this seriously.
Social networking site Blippy.com is exposing
reams 4 of its users’ credit card numbers to anyone who can use Google. Simply by typing a phrase into Google and specifying the results come from Blippy, page after page of results like DEBIT CARD PURCHASE AT DOMINO’S PIZZA #01, [redacted] MI ON 122109 FROM CARD#: 54243[redacted] appears.
For those of you unfamiliar with the service, Blippy lets users input their credit cards and share their purchases on the site and across other online social networks. Yeah, who would have ever thought that might go horribly wrong?
Blippy says they use “administrative, physical and electronic measures designed to protect your information from unauthorized access.” Whatever they are, they don’t seem to be working.
If you’re a Blippy user, there’s little you can do except complain. The Google has your data now and it will take some doing on Blippy’s part to get it down from there.
We’ve reached out to Blippy for comment.
UPDATE #2: Company response, says it’s just four users. Via phone, Blippy co-founder Ashvin Kumar told Consumerist, “Even if it’s just four users, it’s four users too many.”
Blippy is working with Google to clear the cache and the results should be gone within an hour, says Ashvin. The results are from four users whose data was included in the HTML code of a test page several months ago.
The data was scrubbed but Google, which keeps a copy or “cache” of every website it indexes, still showed the info. Blippy itself doesn’t even accept credit information, just bank information. However, the raw data provided by banks sometimes includes credit card numbers along with the transaction data. Blippy started scrubbing out this information a few months ago, but not before it got captured by Google.
UPDATE #1: Blippy co-founder Philp Kaplan gave comment to the Times:
In a phone interview Friday morning, Blippy’s co-founder, Philip Kaplan, said the card numbers in question belonged to four Blippy users. He explained that when people link their credit cards to Blippy, merchants pass along their raw transaction data – including some credit card numbers – and the site scrubs that information to present just the merchant and the dollar amount spent. But several months ago, when Blippy was being publicly tested, that raw transaction data was present in the site’s HTML code, where it was retrieved by Google.
Mr. Kaplan said that early on, Blippy started disguising the raw transaction data behind the scenes, but it did not know about the breach until today. He added, “This still looks pretty bad.”
Blippy Users’ Credit Card Numbers Exposed in Google Search Results [Mashable] (Thanks to Brian!)