Blippy: "We Take Security Seriously"

After this morning’s revelation that Blippy.com — the site for people who think foursquare isn’t enough oversharing — had somehow leaked users’ credit card numbers to anyone with Google, the company wants everyone to know that the problem is not as big as it seems and, yes, they are taking it seriously.

From the NY Times:

In a phone interview Friday morning, Blippy’s co-founder, Philip Kaplan, said the card numbers in question belonged to four Blippy users. He explained that when people link their credit cards to Blippy, merchants pass along their raw transaction data – including some credit card numbers – and the site scrubs that information to present just the merchant and the dollar amount spent. But several months ago, when Blippy was being publicly tested, that raw transaction data was present in the site’s HTML code, where it was retrieved by Google.

And then over on Blippy’s official blog:

Here are the details:

* Say you buy lunch at Quiznos. Your credit card statement shows a complex entry like “Quiznos Inc Store #1234 San Francisco.” But Blippy cleans this up to only show “Quiznos.” We refer to these as the “raw data” vs the “cleaned up data.”

* Raw data is typically harmless. But it turns out that some credit cards (4 out of thousands in this case) show the credit card number in the raw data. For example, “Quiznos Inc Store #1234 from card 4444….”

* Many months ago when we were first building Blippy, some raw (not cleaned up, but typically harmless) data could be viewed in the HTML source of a Blippy web page. The average user would see nothing, but a determined person could see “raw” line items. Still, this was mostly harmless — stuff like store numbers and such. And it was all removed and fixed quickly.

* Enter Google’s cache. Turns out Google indexed some of this HTML, even though it wasn’t visible on the Blippy website. And exposed 4 credit card numbers (but a scary 196 search results).

* We’re working with Google now to remove Blippy from their cache, and they inform us it will be completed within a couple of hours.
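The leak path described in the bullets above (a raw line item carrying a card number ends up in page source that a crawler can cache) can be guarded against by scrubbing raw descriptors and scanning the full rendered HTML before it is served. The following is an added example, not code from Blippy or from this article; the function names, the `data-raw` attribute and the sample card number (a constructed, Luhn-valid test value) are assumptions.

```python
import re

# 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (so "Store #1234" is ignored).
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order ids and other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid card-number-like sequence in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def scrub(text: str) -> str:
    """Redact Luhn-valid sequences; leave everything else untouched."""
    def mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return "[REDACTED]" if luhn_ok(digits) else m.group()
    return PAN_CANDIDATE.sub(mask, text)


# Constructed sample: raw merchant line as in the blog's Quiznos example.
RAW = "Quiznos Inc Store #1234 from card 4444333322221111"
# Constructed sample page: visible text is clean, raw line hides in markup.
PAGE = f'<li data-raw="{RAW}">Quiznos $8.50</li>'

if __name__ == "__main__":
    print("leaked in source:", find_pans(PAGE))
    print("after scrub:     ", scrub(PAGE))
```

Running `find_pans` over the complete response body, attributes and comments included, catches the case where the visible text is clean but the source is not.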

Not once, but twice in their blog post does Blippy emphasize that they are “taking it seriously.”

Also, Blippy says that having your credit information splashed over the web to billions of people isn’t such a horrible thing. “You’re never responsible if someone uses your credit card without your permission,” they say. “That’s why it’s okay to hand your credit card over to waiters, store clerks, and hundreds of other people who all have access to your credit card numbers.”

We’d sure love to hear from some of the people whose card numbers have been seen by a few million people to see how they feel about this.

Blippy And Credit Card Numbers [Official Blippy Blog]
When Over-Sharing Leads to Problems [NY Times]