Twitter-Like Blippy Exposes Credit Card Numbers in Blunder

Blippy, the Twitter-like social media site that displays posts of users’ credit card purchases, inadvertently had the account numbers of four users come up on Google search results.
The site’s apologetic and embarrassed co-founder called it an “isolated” incident that stems from the site’s beta testing last year.
But Philip Kaplan concedes it seemed “scary” because the breaches of the four Blippy users’ account information came up on 196 search results that Blippy discovered today – only after media outlets reported the Google search results.
By about 4:30 p.m. Eastern time, Kaplan announced on Blippy’s Twitter page that Google had removed the credit card information from its cache.
“We take security seriously and want to assure Blippy users that this was an isolated incident from many months ago in our beta test, and doesn’t affect current users,” Kaplan said in a statement.
Kaplan apologized to the four people, who he said are being contacted. Kaplan also spent a busy day assuring the news media that the incident was not a system-wide breach.
Blippy went live in January after months in its beta phase.
But even before today’s incident, it has drawn criticism from Internet security experts and privacy advocates. The critics say the site offers ammunition to identity thieves who can construct strategic phishing emails just from the information that is made public – without needing to hack into the site.
Kaplan explained that Google indexed some “raw data” from HTML source code months ago. The pages containing the information from the four users’ accounts had been deleted from the site, but remained visible in Google results after entering certain keywords.
Some tech and social media blogs reported the keyword combination earlier today, but Google later disabled those searches leading to the Blippy account numbers.
On its website, Blippy displays the retailer visited and items purchased by users who hook up a credit card to the service. There are privacy controls in place, but they are being reviewed after today’s discovery.
“We are hugely focused on security and are making efforts to bolster our security to ensure that nothing like this ever happens again,” Kaplan said on Blippy’s blog page.
Kaplan just announced a new infusion of venture capital of $11.2 million and said that “[we] are using a significant amount of that to build a world-class secure infrastructure.”
“We are also conducting third-party security audits, and will be a lot more careful before new features are released, even if it’s during a small, limited beta test period,” Kaplan said. “While it looks super-scary and certainly sucks for the 4 people who were affected (to whom we apologize and are contacting), and is embarrassing to us, it’s a lot less bad than it looks.”
