How Blippy users' credit cards got into Google

Google didn't put the credit card numbers of four Blippy users on the Internet, but its search technology failed to detect that Blippy had fixed a problem in February.

Tom Krazit, Former Staff Writer, CNET News
After Blippy exposed credit card numbers in early February, Google's search crawlers failed to detect that it had scrubbed its site.

A series of gaffes at Blippy, Google, and a Midwest bank exposed the credit card numbers of four individuals within Google search results for more than two months.

Friday was easily the worst day in the history of Blippy, a young start-up that enables people to create social networks around sharing information on goods and services they buy. VentureBeat discovered that credit card numbers of four Blippy users could be found in Google's search index, and it published its findings in a story, forcing the start-up's three founders to scramble to repair the damage and get the numbers removed from Google's search index.

Blippy acknowledged that it should not have exposed raw data containing credit card numbers to the Internet in February, when it was working on the site. But Google confirmed that its search bots should have noticed, on their next pass across Blippy's site, that Blippy had promptly removed that raw data; that next pass may never have happened.

A Google representative said the company was looking into why its technology did not update its cache of Blippy's pages for more than two months, declining to comment further.

The problem began when Blippy made a few changes to its Web site code in early February, inadvertently exposing the raw data that banks send to the service when a credit card user makes a purchase. That data usually includes innocuous data such as time, date, amount, and location of the purchase, and Blippy realized that it needed to scrub that data from its site when it discovered that confirmation numbers for airline tickets were exposed.

But it did not realize in February that one particular bank, Fifth Third Bank, based in Cincinnati, also sent the actual credit card numbers of its users along with that purchase data. Blippy co-founder and CEO Ashvin Kumar said Blippy had no idea that this data had been exposed until Friday morning. He said no other bank used with the Blippy service appeared to send credit card numbers along with the rest of the data.
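The failure described above is an assumption failure: Blippy treated the bank feed as innocuous because the fields it had inspected were, and so never checked the data for card numbers before rendering it. The following is an added example (not Blippy's code, and not code from the article) of the kind of scrub a service should run on any third-party transaction data before storing or publishing it. It scans for card-number-like digit runs and masks only those that pass the Luhn check that real payment card numbers satisfy, so that order numbers and confirmation codes of similar length are left alone. The sample records are constructed and use the well-known test number 4111 1111 1111 1111; the hypothetical bank and merchants are placeholders.

```python
import re

# Constructed sample records (not real data): a few lines in the style of the raw
# purchase feed the article describes. Most carry only time, amount and merchant;
# the third, from a hypothetical bank, also includes a full (test) card number.
SAMPLE_RECORDS = [
    "2010-02-03 14:22 $12.50 Coffee Shop, San Francisco CA",
    "2010-02-04 09:05 $412.00 Airline ticket, order 1234567890123456",
    "2010-02-05 18:40 $58.10 Grocery, Cincinnati OH card 4111-1111-1111-1111",
]

# Runs of 13 to 19 digits, optionally separated by single spaces or hyphens,
# not adjacent to other digits or hyphens. This is only the candidate set;
# the Luhn check below decides what is actually masked.
_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn check used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(text: str) -> tuple[str, int]:
    """Mask every Luhn-valid card-number-like run in text, keeping the last four digits.

    Returns the scrubbed text and how many numbers were masked. Digit runs that
    fail Luhn (order ids, confirmation codes) are left untouched.
    """
    count = 0

    def _mask(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)
        count += 1
        return "[CARD ****" + digits[-4:] + "]"

    return _CANDIDATE.sub(_mask, text), count


def scrub_records(records: list[str]) -> tuple[list[str], int]:
    """Scrub a batch of records before storage or display; returns (clean, masked_total)."""
    clean, total = [], 0
    for rec in records:
        scrubbed, n = redact_pans(rec)
        clean.append(scrubbed)
        total += n
    return clean, total


if __name__ == "__main__":
    cleaned, masked = scrub_records(SAMPLE_RECORDS)
    for line in cleaned:
        print(line)
    print(f"masked {masked} card number(s)")
```

The scrub belongs at ingestion, before the record is written to a database or a cache, not at render time: once a raw record has reached a crawler's cache, as happened here, the site no longer controls the copy. A count of masked numbers per feed is also a useful alert signal, since a bank that is not supposed to send card numbers should produce zero.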

Two of the Blippy users affected by the breach--Ryan Alcott of Benton Harbor, Mich., and Bradd Dantuma of Grand Rapids, Mich.--confirmed that they were Fifth Third customers. A Fifth Third representative did not return a call seeking comment Friday.

[Screenshot: credit card numbers exposed in Google search results via Blippy. The credit card numbers of four Blippy users were available to anyone on the Internet for more than two months. Screenshot by Elinor Mills/CNET]

After they saw the VentureBeat story, Blippy executives attempted to remove the data from Google's index via Google's Webmaster Tools, but they reached out directly to the search giant after realizing that a media frenzy had begun. Google said it purged the information around 11:20 a.m. PDT Friday.

Many who learned of the incident were probably more surprised that something like this hadn't happened sooner, given the skepticism of many about Internet privacy, security, and the wisdom of sharing your economic activity with the world.

Kumar thanked Google for its prompt response Friday morning and willingness to admit that something went wrong with its crawling technology. The card numbers were not visible on Yahoo or Bing on Friday morning using the same type of search that produced the numbers on Google.

Still, "we have to plan for the worst-case scenario," Kumar said. Google provides tools to Webmasters that allow them to flag content that was mistakenly published, and had Blippy taken advantage of those tools in February, the world would have likely never learned of the data breach.

The incident was especially painful for Blippy, given that a New York Times profile of the company appeared Friday morning, highlighting the growth of start-ups like Blippy that are designed to share personal information with the world. And the "worst-case scenario" is probably yet to come: although Alcott was willing to sign up for the service again Friday evening, after Blippy had initially removed his account in hopes of preventing any further breaches, he said, "I'm thinking about talking to a lawyer."

Updated 11:25 p.m. PDT: Late Friday, Google asked to clarify its position on indexing and inadvertently posted content. "While we always want to serve our users with the freshest possible information, fundamentally it is webmasters' responsibility to request removal from our cache when they make a mistake," the company said in a statement.