The tally of exposed credit card accounts is up to 8 for Blippy, the new Twitter-like social site that has been coping with a public relations crisis and a privacy breach that caused a wave of users to ask for their accounts to be deleted over the weekend.
Blippy said it could not confirm that all eight accounts were visible in search results over the past three months, but it reached out to the 8 individuals to “assist them in resolving any issue that may arise,” according to today’s update from Ashvin Kumar, Blippy co-founder and CEO.
Blippy, a recent recipient of $11.2 million in venture capital funds, will use the money to create a new security and privacy infrastructure. The site could not handle all the requests for account deletions, Kumar said.
“Blippy’s servers had been under increased load due to the media attention,” Kumar said. “This resulted in many failed requests to delete accounts because we had not invested sufficiently in making our account deletion process as programmatically efficient as it could be.”
Blippy users link one of their credit or debit cards to the site, and their transactions are made public on it. Normally only a description of the item, the price and the retailer are posted.
During months of beta testing and through its live launch in January, Blippy co-founder Philip Kaplan had assured in media interviews that privacy controls were sufficient to prevent the breaches of sensitive information that Internet safety experts feared.
Kumar said the pages with the private account information have been deleted by Google, but the data, which sat in the pages’ HTML source code, was at first incorrectly deemed “fairly harmless raw data” by Blippy’s operators in February.
He said that Blippy also overlooked the possibility that this data could have been crawled by Google during the half-day period of the exposure. Google did just that, and the code included account numbers.
“While we are pleased that the sensitive data is no longer accessible via Google, it is important to acknowledge that there was a period of nearly 3 months during which this data was publicly accessible,” Kumar said.
Kumar gave more insight into the venture’s long, nightmarish weekend, which started on an upbeat note Friday with a New York Times cover story on the social media site. “That didn’t last long,” he said, as online media outlets started reporting that credit card account numbers of Blippy users were showing up in Google search results.
At first four inadvertent account breaches were discovered, then a fifth. Today, Kumar said 8 in total were exposed for three months, covering about 200 URLs from the Blippy site.
“Even though the sensitive information was hidden in the HTML and not visible in plain view, the Google crawler observed it and recorded the information to put into its search index,” Kumar said.
On Saturday, Blippy asked Google to remove “all snippets and cached pages” related to Blippy.
“This affected some 20,000 pages, much more than what was exposed, but more importantly it effectively removed any remaining sensitive information,” Kumar said.
Kumar listed the following steps that the start-up is taking:
- Hire a Chief Security Officer and staff that will focus solely on issues relating to information security.
- Have regular 3rd-party infrastructure and application security audits.
- Continue to invest in systems to aggressively filter out sensitive information.
- Control caching of information in search engines.
- Create a security and privacy center that contains information about what we are doing to protect you.
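The failure described above, account numbers sitting in HTML that was invisible in the browser but fully readable to a crawler, is the kind of leak an output filter can catch before a page is served. The following is an added example, not Blippy’s code: it extracts every string from a rendered page (text, comments and attribute values, including hidden elements), flags any Luhn-valid 13–19 digit run as a probable card number, and otherwise returns the `X-Robots-Tag` header that tells search engines not to cache or snippet the page. The markup is a constructed sample and the function names are assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: the visible text is harmless, but a hidden element
# and an HTML comment carry raw account numbers (standard test card numbers).
SAMPLE_HTML = """<html><body>
<div class="tx">Coffee at a cafe - $4.25</div>
<div class="raw" style="display:none">ACCT 4111 1111 1111 1111 ref 20100423</div>
<!-- debug: 5500 0000 0000 0004 -->
</body></html>"""

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for a well-formed payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# 13-19 digits, optionally separated by spaces or dashes, not glued to other digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pans(text: str) -> list:
    """Return normalized digit strings that look like real card numbers."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits

class _Extract(HTMLParser):
    """Collects every string in the document: text, comments and attribute values."""
    def __init__(self):
        super().__init__()
        self.chunks = []
    def handle_data(self, data): self.chunks.append(data)
    def handle_comment(self, data): self.chunks.append(data)
    def handle_starttag(self, tag, attrs):
        self.chunks.extend(v for _, v in attrs if v)

def scan_html(html: str) -> list:
    """Scan the whole page source, not just what a browser would display."""
    p = _Extract()
    p.feed(html)
    return find_pans("\n".join(p.chunks))

def guard_response(html: str):
    """Headers to serve the page with, or None if it must not be served at all."""
    if scan_html(html):
        return None
    return {"X-Robots-Tag": "noarchive, nosnippet"}
```

A page that trips the scanner should be blocked and logged rather than served; the header on clean pages limits what a search engine retains if something does slip through.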