Blippy users' credit card info exposed on Google

Credit card numbers of the social shopping site's users were found in nearly 130 Google search results for "Blippy" and "from card," according to a VentureBeat report.

Elinor Mills
Credit card numbers for Blippy users as seen in Google search results. CNET/Google

People who use Blippy want to share information with friends about their online purchases, but some users found that the site was sharing a lot more than their purchases with a lot more than just their friends.

Credit card numbers for four Blippy users were found in Google search results on Friday, Blippy co-founder Philip Kaplan acknowledged after VentureBeat reported on the data leak.

The problem stemmed from an oversight during the company's beta test months ago when Blippy didn't initially realize that raw credit card data was viewable in the HTML source of its pages, Kaplan said in an interview with CNET. The data was removed, but for some reason it is still showing up in the Google cache, he said.

"Unfortunately, the incident was from early in our testing phase when we were just beginning to develop Blippy," he said. "We are working hard to bolster our security and make sure it's stronger, including getting third-party audits from security experts and other measures to make sure this doesn't happen again."

Asked if more than just four users could be affected, Kaplan said he didn't think so, but the company was investigating.

"We don't blame anybody except ourselves," he said. "That said, we were surprised to find that Google cached HTML data that was not visible on our site."

Blippy has talked with Google representatives who said the cache should be refreshed in the next couple of hours, he said. Blippy is also trying to contact the four users affected by the breach, he added.

"I know it's an exciting story and it certainly is a headache for people involved and is embarrassing for us, but it appears much worse than it is, we believe," Kaplan said.

More details are on the Blippy blog and on The New York Times, which had published a profile of Blippy on Thursday.

Google provided this statement when asked for comment: "Around 9:00am Pacific we learned that blippy.com had published credit card numbers on their website. As part of our usual crawling and indexing process, these numbers became discoverable in Google search snippets. Blippy contacted us and we took special measures to remove the numbers from search results. We fixed the problem by 11:20am Pacific and the numbers should no longer be discoverable in search."

Updated 12 p.m. PDT with Google comment, 11:25 a.m. PDT with comment from Blippy's Kaplan, and 10:50 a.m. PDT with Blippy comment to The New York Times.

Blippy lets people tell their friends about their purchases. Blippy.com