Blippy responds to credit card leak

After displaying credit card numbers of at least five people in Google search results, the social site pledges to hire a chief security officer and run regular audits.

Lance Whitney Contributing Writer
Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.
Lance Whitney
2 min read

Blippy, a social site focused on shopping, has pledged to take measures to avoid a repeat of the security failure that caused the credit card numbers of at least five users to appear in Google search results.

CEO and co-founder Ashvin Kumar apologized for the incident in his official blog on Monday. He also promised to revamp the site's security measures.

Kumar said he will hire a chief security officer and other staff to focus solely on the issue and will conduct regular security audits through third-party companies. He also pledged to invest in technology to filter out sensitive data.

Kumar said that he will also look at ways to control information that's cached in Google and other search engines. In addition, Blippy will set up a security and privacy center on its site to update people on the company's efforts to secure their data.

Blippy, which enables people to create social networks that revolve around the goods and services they buy, discovered in early February that due to a failure on its end, raw credit card data had been viewable in the HTML source of its pages for about half a day. Although the company quickly removed that data, it learned Friday that Google had indexed the information and was still displaying it in search results.

The credit card numbers of Blippy users were available to anyone on the Internet for more than two months. Elinor Mills/CNET

Blippy spent Friday and early Saturday working with Google to completely remove the sensitive information, a process that Google reported was completed late Saturday morning. Blippy also contacted the owners of the credit cards to apologize and help them resolve any resulting problems on their end.

"They trusted us with their information, and we are truly disappointed to have let them down," Kumar said in the blog. "While these users reflect a tiny sliver of our user base, any number greater than zero is deeply unacceptable to us."

Kumar also invited other concerned Blippy users to weigh in on the matter and share their thoughts on the company's security, or lack thereof.

"If there are additional measures you would like us to take to improve Blippy's security," Kumar wrote, "please do not hesitate to e-mail us."