Blippy’s nightmare scenario of having its users’ credit or debit card numbers exposed – in a limited number of Google searches so far – is not over, a co-founder said today, after yesterday’s reported inadvertent search-engine breach of four accounts.
A fifth user’s information was discovered in search results today, apparently from the January-February time period. Blippy now says that a “very small subset” of users could have their information come up in searches.
Blippy, a Twitter-style social network that went live in January, said it is working with Google to purge “all sensitive information from their cache.”
“Doing a deep dive into our data from January/February today,” reported Blippy on its Twitter page, at about 1 p.m. Eastern time. “Unclear if that data still exists in google cache, but we’re going to verify.”
Shortly after 5 p.m., Eastern time, Blippy Tweeted the following: “Props to Google for acting fast this morning & removing their cache of Blippy at our request. Hopefully that’s that, will keep you updated.”
Those who sign onto Blippy agree to link up an existing credit or debit card to the service, which automatically posts the retail store source, an item description and the price. The user can add a comment, and draw responses from others.
Over the past several months, Blippy co-founder Philip Kaplan has deflected strong criticism from Internet safety experts on the site’s potential to fuel phishing emails that could be constructed from the information made available.
Apparently Blippy did not foresee an inadvertent indexing breach on the part of Google. It is not clear if other search engines have done the same.
“To date, we’ve discovered one additional credit card number and have reached out to the owner. And while we don’t anticipate anyone else to be affected, we’re continuing our investigation with urgency,” said Ashvin Kumar, Blippy co-founder, in a blog post from earlier today.
But Kumar added that “a very small subset of our users have the potential to be affected by this incident.” To be affected, ALL of the following must be true, according to Kumar:
- The user had to sign up for Blippy prior to February 3rd, 2010.
- The user had to link a credit or debit card account to Blippy.
- The user had a public account on Blippy.
- The user’s bank must include credit card numbers in the line-item purchases on their credit card statement. For example: Instead of the usual statement showing “Quiznos,” the bank statement would list something similar to “Quiznos from card number 4444…..” To date, Blippy said it has found only 2 banks that do this, and no major banks.
- The Google cache for a purchase on Blippy from that credit card must not have been updated since early February 2010.
“We have asked Google to re-index the entire Blippy website, or at the least remove Blippy from their cache,” Kumar said.
Yesterday, co-founder Kaplan reminded Blippy users that “you’re never responsible if someone uses your credit card without your permission.”
“That’s why it’s okay to hand your credit card over to waiters, store clerks, e-commerce sites, and hundreds of other people who all have access to your credit card numbers,” Kaplan said. “Still, this should have never happened and we take responsibility.”
Blippy users who do not feel comfortable with what is unfolding can disable their account. They should verify that all charges are valid on their Blippy-linked card, and contact the credit card company if there is anything out of the ordinary with the account activity.