People who use Blippy want to share information with friends about their online purchases, but some users found that the site was sharing a lot more than their purchases with a lot more than just their friends.
Credit card numbers for four Blippy users were found in Google search on Friday, Blippy co-founder Philip Kaplan acknowledged after VentureBeat reported on the data leak.
The problem stemmed from an oversight during the company's beta test months ago when Blippy didn't initially realize that raw credit card data was viewable in the HTML source of its pages, Kaplan said in an interview with CNET. The data was removed, but for some reason it is still showing up in the Google cache, he said.
"Unfortunately, the incident was from early in our testing phase when we were just beginning to develop Blippy," he said. "We are working hard to bolster our security and make sure it's stronger, including getting third-party audits from security experts and other measures to make sure this doesn't happen again."
Asked if more than just four users could be affected, Kaplan said he didn't think so, but the company was investigating.
"We don't blame anybody except ourselves," he said. "That said, we were surprised to find that Google cached HTML data that was not visible on our site."
Blippy has talked with Google representatives who said the cache should be refreshed in the next couple of hours, he said. Blippy is also trying to contact the four users affected by the breach, he added.
"I know it's an exciting story and it certainly is a headache for people involved and is embarrassing for us, but it appears much worse than it is, we believe," Kaplan said.
Google provided this statement when asked for comment: "Around 9:00am Pacific we learned that blippy.com had published credit card numbers on their website. As part of our usual crawling and indexing process, these numbers became discoverable in Google search snippets. Blippy contacted us and we took special measures to remove the numbers from search results. We fixed the problem by 11:20am Pacific and the numbers should no longer be discoverable in search."
Updated 12 p.m. PDT with Google comment, 11:25 a.m. PDT with comment from Blippy's Kaplan, and 10:50 a.m. PDT with Blippy comment to The New York Times.